Security News #0x2C - MySQL has a bad week.
- Well, MySQL certainly had a bad week, courtesy of Kingcope. First off the line (CVE-2012-5611) was the announcement of a Linux stack-based buffer overflow in MySQL 5.5.19 and 5.1.53. The provided PoC gets 0x41414141 into EIP, i.e. the attacker controls the return address, so it likely can be turned into something much more severe after some work on the payload side. It turns out that this looks to be a duplicate of a bug reported in November by Jan Lieskovsky.
- Next was CVE-2012-5612, a heap-based buffer overflow in MySQL 5.5.19 and MariaDB 5.5.28a, also reported by Kingcope. Here another PoC was provided; this one gains control of both edx and edi, just before a
- The third entry in the hit parade, CVE-2012-5613, affecting MySQL 5.5.19 and MariaDB 5.5.28a, is a privilege escalation exploit by Kingcope. Here an attacker who already holds the FILE privilege on the MySQL server can escalate to MySQL admin. This is a working exploit rather than just a PoC, and Eric Romang has a demo. The same issue can be exploited on a Windows system to get code running as SYSTEM; the folks at Metasploit have released a module that does exactly that. See also the original Kingcope approach.
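Since CVE-2012-5613 starts from an account that already has the FILE privilege, the practical check is to find out who holds it and take it away from accounts that do not need it. The following is an added example written for this post; it is not Kingcope's code, the Metasploit module, or anything from the MySQL project, and the account name 'app'@'10.0.0.%' is a placeholder.

```sql
-- Added example (not from the original post): audit and trim the FILE
-- privilege that CVE-2012-5613 builds on. Run as an account that can read
-- mysql.user and issue REVOKE, e.g. root@localhost.

-- 1. Which accounts hold the global FILE privilege?
--    Anything here other than the DBA accounts you expect is a candidate
--    for REVOKE; the exploit needs exactly this privilege as its foothold.
SELECT user, host
FROM   mysql.user
WHERE  File_priv = 'Y';

-- 2. Where can LOAD DATA INFILE / SELECT ... INTO OUTFILE read and write?
--    An empty value means "anywhere the mysqld process can reach", which is
--    the setting that makes FILE most dangerous; a directory limits file
--    I/O to that path, and NULL (supported in later releases) disables it.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 3. Remove FILE from an application account that does not need it.
--    'app'@'10.0.0.%' is a placeholder; substitute the accounts found in step 1.
REVOKE FILE ON *.* FROM 'app'@'10.0.0.%';

-- 4. Confirm the change took effect.
SHOW GRANTS FOR 'app'@'10.0.0.%';
```

Note that secure_file_priv is read at startup only, so changing it means editing my.cnf (under [mysqld]) and restarting the server, whereas REVOKE takes effect immediately without a FLUSH PRIVILEGES.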
- Why stop at three? Next, in what became CVE-2012-5614, Kingcope provided a DoS for MySQL 5.5.19.
- Rounding out the week was CVE-2012-5615, where Kingcope showed how to determine whether a particular user account exists on a MySQL 5.5.19 or MariaDB 5.5.28a, 5.3.11, 5.2.13, or 5.1.66 system without authenticating. Once again, things appear worse for Windows systems.
- How about a break from the MySQL story? Here is a video from one of my students looking at the recent Java AtomicReferenceArray exploit.