
LinuxFest Northwest 2024: MySQL server attacks YOU! (How we found CVE-2023-21980 in MySQL) 

linuxfestnorthwest

Alexander Rubin
Principal Security Engineer, RDS Red Team Lead, Amazon Web Services
Can a MySQL server attack YOU? Can a black hat hacker execute code on your laptop if you simply log in to a compromised MySQL database server? Is it even possible?
Our research journey began by revisiting a security issue dating back to 2019, an issue that Oracle MySQL never unequivocally acknowledged. While the closest Common Vulnerabilities and Exposures (CVE) references were CVE-2020-2570, CVE-2020-2574, and CVE-2020-2575, our team discovered that unfixed old client libraries, such as the MySQL C/C++ connectors and MySQL ODBC drivers, as well as command-line and GUI tools like the MySQL CLI and MySQL Workbench, inadvertently permit attackers to execute arbitrary code on the client machine.
But the story doesn't end there. We uncovered another layer of vulnerability: the ability to use a multibyte character set to circumvent a security patch in the MySQL server code. This finding introduces a brand new zero-day vulnerability in the MySQL server, thereby enabling an attack vector against MySQL client libraries, command-line interfaces, and graphical user interface tools. We submitted this finding to Oracle MySQL, and it was fixed in the latest MySQL version. The new CVE-2023-21980 was created and acknowledged in the Oracle Critical Patch Update Advisory - April 2023.
Our presentation will unveil a novel attack vector, one where MySQL database clients, including applications using the C API, become the unsuspecting targets of an elaborate attack chain. We will demonstrate a complete attack scenario discovered against MySQL client applications, leading to remote code execution. Furthermore, we will illustrate the use of multibyte character set encoding to exploit non-multibyte-safe or improperly written code.

Science

Published: 29 Apr 2024
