Forgot your password?
typodupeerror
Open Source Security Software News

Researcher Discloses New Batch of MySQL Vulnerabilities 76

Posted by samzenpus
from the protect-ya-neck dept.
wiredmikey writes "Over the weekend, a security researcher disclosed seven security vulnerabilities related to MySQL. Of the flaws disclosed, CVE assignments have been issued for five of them. The Red Hat Security Team has opened tracking reports, and according to comments on the Full Disclosure mailing list, Oracle is aware of the zero-days, but has not yet commented on them directly. Researchers who have tested the vulnerabilities themselves state that all of them require that the system administrator failed to properly setup the MySQL server, or the firewall installed in front of it. Yet, they admit that the disclosures are legitimate, and they need to be fixed. One disclosure included details of a user privilege elevation vulnerability, which if exploited could allow an attacker with file permissions the ability to elevate its permissions to that of the MySQL admin user."
This discussion has been archived. No new comments can be posted.

Researcher Discloses New Batch of MySQL Vulnerabilities

Comments Filter:
  • You deserve it! (Score:3, Insightful)

    by Anonymous Coward on Monday December 03, 2012 @12:00PM (#42169549)
    When you leave 3306 open on the internet.
    • by Hizonner (38491)

      You deserve it when you run crappy software that needs a firewall in front of it to be minimally safe.

      Especially when that software has to enforce internal permissions and boundaries.

      Sorry, but I'm pretty sick of these excuses for garbage code.

      • by Dwonis (52652)
        Indeed. Firewalls break end-to-end connectivity, and incentivise a protocol-encapsulation arms race that is bad for the Internet. It's 2012; You have no business writing more code that speaks the Internet Protocol unless it can actually handle being on the Internet.
        • by Anonymous Coward

          Car analogy time! Ever get stuck behind a tractor driving 5 mph, carrying a fully loaded manure spreader dripping all over? Then you try to pass him but all the fumes have made you high and you crash your car. You wake up and find yourself chained up in a farmer's sex dungeon and he proceeds to sodomize you for 3 months until you finally die of an impaled rectum.

          Well, maybe your car shouldn't be on the road either!

          • You wake up and find yourself chained up in a farmer's sex dungeon and he proceeds to sodomize you for 3 months until you finally die of an impaled rectum.

            You describe perfectly what a seasoned, experienced developer feels like when he (or she) has to wade through a typical *MP "application" in order to fix and extend it.

            Proof Cthulhu is real: *MP kiddies believe view logic is Best Logic.

      • by ls671 (1122017)

        You do not need a firewall, just listen to local IP addresses, not the public Internet one ;-)

  • "Researcher", insomuch as it implies a level of professionalism, should be reserved for those with a modicum of professionalism, such as responsible disclosure. I could have had my 15 minutes of fame with a vulnerability I discovered that could have been used to take fown wikipedia and many other sites, but instead I reported it through the proper channels so it was fixed, not exploited. Perhaps "security attention-seeker" would be a better term.
    • by greg1104 (461138)

      A look at the twitter feed [twitter.com] of the submitter and his associated web site--"Farlight Elite Hackers Legacy"--does not give the impression of responsible disclosure. But this is the same guy who released the 2010 “Apache Killer” [tallpoppygroup.com]; calling attention to problems with exploit code is this guy's method. I'd rather see that than no disclosure at all. He does appear to be a professional penetration tester at work, who does things like speak at conferences [wordpress.com] on his methods too.

      • by Anonymous Coward

        As someone who he released a vulnerability for this weekend, and the person responsible for security of the product in question...

        I WOULD VERY MUCH LIKE IF HE WOULD NOTIFY US (the affected vendor) AT LEAST AT THE SAME TIME HE PUBLICLY RELEASES IT!!!

        We found out via support cases coming in from clients who were reading FullDisclosure before I got into the office to check my morning emails. NOT COOL!

        • Re: (Score:2, Insightful)

          by Cid Highwind (9258)

          We found out via support cases coming in from clients who were reading FullDisclosure before I got into the office to check my morning email

          ...and you think it's somehow reasonable for a "person responsible for security" to sit back and wait for vulnerability reports to find their way through product support channels, instead of monitoring FullDisclosure?

        • by greg1104 (461138) <gsmith@gregsmith.com> on Monday December 03, 2012 @02:27PM (#42171291) Homepage

          If Oracle doesn't have someone reading FullDisclosure every day, including the weekends, you deserve to be embarrassed and shamed by your customers. Hint: someone from the MariaDB team was adding to the discussion [seclists.org] already by Sunday.

        • by Hizonner (38491)

          I used to handle ALL of these issues for a very large vendor. Yes, people did wake me up over things, until I wised up that my employer's problems during my off hours were in fact my employer's problems, not mine, and that my employer as an institution didn't give a fuck about anything but saving face.

          I quit about the time vendors started trying to dodge responsibility by talking about other people's "responsible disclosure".

          You are not entitled to know about a problem before those who are actually affecte

        • by lennier (44736)

          As someone who he released a vulnerability for this weekend, and the person responsible for security of the product in question...

          ... shouldn't you be apologising for not finding the vulnerability in your own product yourself?

          You've got the source code, all the architecture notes, the people who wrote it, the comprehensive testing suites... and yet you still let a critical security error get through that some random guy on the street with a $10 fuzzer found by accident.

          There's a problem here, and it's not with the security researcher. Sorry.

        • by idontgno (624372)

          Hold it. You don't monitor full disclosure security websites yourself?

          It's called "Intel". It's worth the effort.

          Full disclosure is only a problem if you don't take advantage of it yourself. Otherwise, it's embarrasing when your customers do your job for you, or when the blackhats do a little personal disclosure on your assets.

          Yeah, yeah, I know. There aren't enough hours in the day, you don't have enough staff, etc., etc. That just means management isn't prioritizing and allocating correctly. That still me

  • by detain (687995) on Monday December 03, 2012 @12:50PM (#42170201) Homepage
    from what I'm reading the privilege elevation bug requires that you as a non root user be able to write files to a /var/lib/mysql// directory. I dont remember ever seeing a setup where those directories are world writable or where normal non-root users would be added to the mysql group.
    • by Anonymous Coward

      C:\>dir /var/lib/mysql//
      Invalid switch - "var".

      What is going on here? Is my system vulnerable or not?

  • by Anonymous Coward on Monday December 03, 2012 @05:28PM (#42173145)

    I don't quite agree that this only effects improperly configured installs. If you leave 3306 open to the Internet, yes, that would be an improper configuration and you kind of get what you deserve there.

    However, imagine the case of having a webserver open to the world hosting $RANDOM_PHP_APP_OF_THE_DAY, with a MySQL server backend on a separate private network it must talk to. Everything is properly firewalled, only the webapp can access MySQL on 3306, and only has access to it's own database(s) it needs to, and nothing more. Now random exploit for PHP app happens, which gives the attacker access to run their own SQL commands, gain user shell access, whatever. These exploits are common.

    This instead of limiting the attacker to the database credentials within the app itself, now gave the attacker full access to the entire MySQL infrastructure bypassing any local ACL's you have in place. Instead of just being able to access your application database, now they can access any other databases setup on the same server.

    Most exploits these days are fairly innocuous by themselves - it's when you string them together is where they get to be important. Any attacker worth their salt has lists of thousands of exploitable webapps they are saving for just such days, when a new backend zero day hits. Then they fire up their tools to take advantage first of the known hole in the web application they already scanned for months ago, to then exploit the more severe underlying exploit which is "behind the firewall so we don't care".

    Security is a multi-layered thing. You cannot be secure in a bubble, and you cannot say something doesn't effect you just because an attacker can't directly exploit the problem from a random wireless access point in a coffee shop somewhere. Very few exploits I see these days are that "easy" to pull off - they all require multiple exploits used at once, to gain the access needed to the target.

    • by jhol13 (1087781)

      If you leave 3306 open to the Internet, yes, that would be an improper configuration and you kind of get what you deserve there.

      Why? Why do you "deserve" that the database is not safe to use that way? Shouldn't it be? If not, why it should not be safe?

      I think this is the main reason why every fucking application from browsers to document viewers to databases to webapps to firewalls to php's are buggy: developers assume "it will be protected by other means, I don't need to check my code or sanitize input. They'll use apparmor. it is not that serious a hole".

Never appeal to a man's "better nature." He may not have one. Invoking his self-interest gives you more leverage. -- Lazarus Long

Working...