TrendLabs Malware Blog (Trend Micro)

In December 2012, MySQL was hit by a set of zero-day vulnerabilities disclosed by the researcher known as Kingcope, who published proof-of-concept (PoC) exploits for all of them.

The newly disclosed set of 0-days affects MySQL in several ways: application crash/denial of service, privilege escalation, username enumeration, remote code execution as SYSTEM on Windows, and heap and stack buffer overruns. The vendor has acknowledged the issues, and the CVE IDs CVE-2012-5611, CVE-2012-5612, CVE-2012-5613, CVE-2012-5614 and CVE-2012-5615 have been assigned; the two Windows remote-root exploits were not given CVE IDs.

Two of the critical issues, Exploit-DB entries 23073 and 23083, allow a remote authenticated attacker to obtain a SYSTEM-level shell on a Windows MySQL server by sending specially crafted requests. Both published PoCs rely on an account that holds the MySQL FILE privilege, so accounts that do not need FILE should not have it.

The rest of the critical issues are:

• CVE-2012-5611. Triggered by sending an overly long argument to a GRANT FILE statement, which leads to a stack buffer overflow. A remote attacker can use it to execute arbitrary code or crash the database server; a valid username and password are required.
• CVE-2012-5612. A heap buffer overflow reached through a sequence of crafted statements such as USE, SHOW TABLES, DESCRIBE, CREATE TABLE, DROP TABLE, ALTER TABLE, DELETE FROM, UPDATE and SET PASSWORD. If exploited, it lets a remote, authenticated, low-privileged attacker set the current user's password to an undefined value, and the heap corruption can also crash the server.
• CVE-2012-5614. A service crash caused by a SELECT statement whose UpdateXML() argument contains XML with a large number of unique, nested elements. Exploiting it also requires a valid username and password.
• CVE-2012-5615. A username-enumeration weakness: the error messages the server returns for failed logins differ depending on whether the username exists, so a remote attacker can confirm valid usernames without any credentials.
• CVE-2012-5613. The vendor does not consider this a security bug, since it results from a misconfiguration, but it lets a remote authenticated user gain administrator privileges: an account that has been granted the FILE privilege is used to create a new user with full access equivalent to the MySQL administrator. Not granting FILE to untrusted accounts, and restricting server-side file operations with the secure_file_priv option, closes this path.
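The username-enumeration issue (CVE-2012-5615) and password guessing against known accounts look the same from the server's side: one client failing authentication repeatedly, either across many distinct usernames (probing which accounts exist) or against one username (guessing its password). The script below is an added example, not code from the original post or from Trend Micro, that flags both patterns in MySQL 5.5-style error-log lines. The log lines are constructed for the example, the "Access denied" line format assumes the server runs with log_warnings set to 2 or higher, and the window and thresholds are illustrative values to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# MySQL 5.5-style error-log line for a failed login (written when log_warnings >= 2).
# The "YYMMDD HH:MM:SS" prefix and the message text are assumptions for this example.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)' \(using password: (?:YES|NO)\)$"
)


def parse_denied(line):
    """Return (timestamp, user, host) for an 'Access denied' line, else None."""
    m = DENIED_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
    return ts, m.group("user"), m.group("host")


def find_suspicious_hosts(lines, window=timedelta(seconds=60),
                          user_threshold=5, fail_threshold=10):
    """Map each client host to 'enumeration' or 'brute-force' when, inside any
    sliding window, it failed against >= user_threshold distinct usernames
    (probing which accounts exist) or failed >= fail_threshold times in total
    (guessing passwords). Hosts below both thresholds are not reported."""
    failures = defaultdict(list)            # host -> [(timestamp, user), ...]
    for line in lines:
        parsed = parse_denied(line)
        if parsed is not None:
            ts, user, host = parsed
            failures[host].append((ts, user))

    verdicts = {}
    for host, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            distinct_users = {user for _, user in span}
            if len(distinct_users) >= user_threshold:
                verdicts[host] = "enumeration"
                break
            if len(span) >= fail_threshold:
                verdicts[host] = "brute-force"
                break
    return verdicts


# Constructed sample log (not real data): one host probes six account names,
# one host hammers 'root', one host fails twice, plus an unrelated log line.
SAMPLE_LOG = (
    ["121201 12:00:%02d [Warning] Access denied for user '%s'@'10.0.0.5' (using password: YES)"
     % (i, u) for i, u in enumerate(["admin", "backup", "test", "mysql", "web", "root"])]
    + ["121201 12:01:%02d [Warning] Access denied for user 'root'@'10.0.0.9' (using password: YES)"
       % i for i in range(10)]
    + ["121201 12:02:00 [Warning] Access denied for user 'app'@'10.0.0.7' (using password: YES)",
       "121201 12:02:30 [Warning] Access denied for user 'app'@'10.0.0.7' (using password: YES)",
       "121201 12:02:31 [Note] /usr/sbin/mysqld: ready for connections."]
)


def analyze_sample():
    """Run the detector over SAMPLE_LOG; returns {host: verdict}."""
    return find_suspicious_hosts(SAMPLE_LOG)


if __name__ == "__main__":
    for host, verdict in sorted(analyze_sample().items()):
        print("%s: %s" % (host, verdict))
```

On the sample, 10.0.0.5 is reported as enumeration and 10.0.0.9 as brute-force, while 10.0.0.7 stays below both thresholds. This is the host-side counterpart of the network-side DPI rule 1005045 listed below; it is useful where the error log is already shipped to a log collector, and the enumeration verdict in particular does not depend on whether the server still leaks which usernames exist.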

MySQL is known for its high performance, reliability and ease of use. It runs on Windows as well as on UNIX-like platforms such as Linux, Mac OS, Solaris and IBM AIX, is among the most widely deployed database servers, and is used by large companies including Facebook, Google and Adobe. Given that popularity, cybercriminals and other attackers are certainly eyeing it.

To help users address these issues, Trend Micro Deep Security has released update 12-032 with a new set of DPI (deep packet inspection) rules. Users are advised to apply the following DPI rules from that update.

Exploit DB | Exploit title                                                      | CVE ID         | DPI rule
23076      | MySQL (Linux) Heap Based Overrun PoC Zeroday                       | CVE-2012-5612  | 1005264 – Oracle MySQL Server Command Length Restriction
23081      | MySQL Remote Preauth User Enumeration Zeroday                      | CVE-2012-5615  | 1005045 – MySQL Database Server Possible Login Brute Force Attempt*
23078      | MySQL Denial of Service Zeroday PoC                                | CVE-2012-5614  | 1005265 – Oracle MySQL Server Denial Of Service Vulnerability
23083      | MySQL Windows Remote System Level Exploit (Stuxnet technique) 0day | (not assigned) | 1005263 – Windows MySQL Server Remote Code Execution
23075      | MySQL (Linux) Stack Based Buffer Overrun PoC Zeroday               | CVE-2012-5611  | 1005266 – Oracle MySQL GRANT Command Stack Buffer Overflow Vulnerability
23077      | MySQL (Linux) Database Privilege Elevation Zero day Exploit        | CVE-2012-5613  | 1005266 – Oracle MySQL GRANT Command Stack Buffer Overflow Vulnerability
23073      | MySQL 5.1/5.5 WiNDOWS REMOTE R00T (mysqljackpot)                   | (not assigned) | 1004177 – Oracle MySQL 'COM_FIELD_LIST' Command Buffer Overflow Vulnerability*

* Out-of-the-box coverage: these vulnerabilities are covered by our existing DPI rules.

Trend Micro's DPI rules cover all of the published PoC exploits. As of this writing, we have not seen any attacks using these PoCs in the wild.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice