Servers Grab Client Files via MySQL Design Flaw
Attackers can potentially run a malicious MySQL server and gain access to connected data, according to a new security alert.
MySQL has issued a security notice resulting from issues with the LOAD DATA LOCAL, noting that the “statement can load a file located on the server host, or, if the LOCAL keyword is specified, on the client host.”
The design flaw exists in the file transfer interaction between a client host and a MySQL server, according to BleepingComputer. Leveraging this attack would allow a malicious actor to steal sensitive information from a web server that is not properly configured either by enabling connections to untrusted servers or from database management applications.
According to the security notice, there are two potential security concerns. “The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access. (A patched server could in fact reply with a file-transfer request to any statement, not just LOAD DATA LOCAL, so a more fundamental issue is that clients should not connect to untrusted servers.)”
In a January 20 blog post, security researcher Willem de Groot responded to the security notice’s claim that this flaw could be leveraged “in theory,” noting that “an Evil Mysql Serverwhich does exactly that can be found on Github, and was likely used to exfiltrate passwords from these hacked sites. And could be used to steal SSH keys and crypto wallets, as interfailpoints out.”
“Although this may not sound critical, since most users are not easily fooled into connecting to an attacker’s mySQL server, there are in fact many web servers with exposed database management interfaces that allow attacker initiated connections to arbitrary servers,” said Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT).
“Website administrators must be aware that such pages, even when not linked to other content, may be discovered and abused by attackers. Administration tools like Adminer should not be left unprotected in any circumstances.”