Season's gr3371ng5 - hacker releases exploits for MySQL and SSH
On Advent Sunday, the infamous hacker who goes by the name of KingCope appears to have had a stock clearance and released a whole range of exploits, some of which date back to 2011. The exploits released on 2 December mostly target the now-Oracle-owned MySQL open source database, but the SSH servers by SSH Communications Security and FreeSSHd/FreeFTPd are also at acute risk.
The MySQL exploits do, however, require a legitimate database connection to execute injected code. Exploits such as "mysqljackpot" then, for example, misuse the connection's "file privilege" to provide the attacker with shell access at system privilege level. KingCope released a total of five such privilege escalation exploits:
- MySQL 5.1/5.5 WiNDOWS REMOTE R00T (mysqljackpot)
- MySQL Windows Remote System Level Exploit (Stuxnet technique) 0day
- MySQL (Linux) Stack based buffer overrun PoC Zeroday
- MySQL (Linux) Heap Based Overrun PoC Zeroday
- MySQL (Linux) Database Privilege Elevation Zeroday Exploit
The hacker also describes a hole that allows attackers to trigger a database crash and another hole that enables them to find valid user names. In view of Oracle's approach to patching, MySQL administrators will do well to restrict their database access so that databases can only be accessed from selected, specially protected systems.
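The two defensive points above, limiting who holds the FILE privilege and from which hosts accounts may connect, can be checked directly on a MySQL 5.1/5.5 server. The following statements are an added example, not from the article or from KingCope's releases; the account name `app` and the host `10.0.0.5` are placeholders.

```sql
-- Added example: audit and tighten MySQL accounts on a 5.1/5.5 server.
-- 'app' and '10.0.0.5' are placeholders for a real application account and
-- the specific, hardened client system that is allowed to reach the database.

-- 1. Which accounts hold the global FILE privilege? These are the accounts
--    a "mysqljackpot"-style exploit needs once it has a connection.
SELECT User, Host FROM mysql.user WHERE File_priv = 'Y';

-- 2. Remove FILE from every application account that does not need it.
REVOKE FILE ON *.* FROM 'app'@'%';

-- 3. Replace wildcard hosts with the selected client systems only.
--    RENAME USER keeps the account's remaining grants; repeat per allowed host.
RENAME USER 'app'@'%' TO 'app'@'10.0.0.5';

-- 4. Confirm that no account is still reachable from anywhere.
SELECT User, Host FROM mysql.user WHERE Host = '%';

-- 5. secure_file_priv (set in my.cnf, read-only at runtime) confines file
--    operations of any FILE-privileged account to a single directory;
--    an empty value means no restriction.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 6. Review what a restricted account can still do.
SHOW GRANTS FOR 'app'@'10.0.0.5';
```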
The published holes in FreeSSHd's and the SSH protocol developers' SSH servers are nothing short of embarrassing. Apparently, both holes can be exploited to bypass the password check and log in with an arbitrary password. With SSH's Tectia server, the exploit description says that attackers can modify a legitimate user's password by calling input_userauth_passwd_changereq() before logging in. In the case of the FreeSSHd/FreeFTPd server, all that appears to be required is to ignore a refusal message from the server and declare the session to be open at the right time. All the exploit has to do is add an extra call to the existing ssh_session2() function of the regular OpenSSH client.