Friday, April 8, 2011

Discover MySQL Power in Intranet

This MySQL OOB technique seems to be getting out of control.
It didn't exist in the wild (as far as we know), so we started to look into it even further.

Malware can use this SMB vulnerability (?) in order to spread itself to other locations: let's say, to all Windows boxes on the local network.
Rather easy too.

Windows has these nice, hard-coded folders, from which it auto-starts applications once on every reboot.
So what happens if we add a file to one of those folders?
It will start running on next reboot (duh).

And if you look into which default network shares Windows uses, you'll notice the stealthed /ADMIN$, /C$, /D$… (one for each of your HDDs).

So what happens if we try to reach \\192.168.XX.XX\C$\?

If it is (mis)configured, or if you're authorized to access it, you can read the C: drive of the remote machine, and possibly create/remove/read and write files as well.

Now back to MySQL.

As said a couple of posts ago, MySQL is capable of using SMB in order to save content onto remote locations. So what happens if you, for example, run a query like this:

SELECT 'msgbox ""' INTO OUTFILE '\\\\\\C$\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msgbox.vbs';
SELECT 'msgbox ""' INTO OUTFILE '\\\\\\C$\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msgbox.vbs';
SELECT 'msgbox ""' INTO OUTFILE '\\\\192.168.0.N\\C$\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msgbox.vbs';

And simply loop through the network?
Well, the "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\" folder is the default auto-start directory in Microsoft Windows Vista and Windows 7.
So you would probably end up infecting a few Vista or Windows 7 boxes on your network with the oh-so-powerful h.ackack.vbs script.

The tricky thing is: how do you figure out the netrange(s)?

The MySQL variables @@report_host or @@hostname seem to contain the current MySQL server's IP and/or its DNS/NetBIOS name, if it has one.
If any of those two variables contain an IP, you know a possible netrange to start scanning from.

Even though it's rather easy to figure it out, corporations might have chosen to use another IP-range on their internal network.
However, if they haven't, here are the reserved ranges for internal usage: ( ( (
Yeah yeah, you know those.
Do you know these default locations for the Windows autostarts?
Thought so. Here's a cute list:

Windows 7 and Windows Vista: ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Windows XP and Windows 2000: Documents And Settings\All Users\Start Menu\Programs\StartUp\
Windows NT: WINNT\Profiles\All Users\Start Menu\Programs\StartUp\
Windows 9x and Windows ME: WINDOWS\Start Menu\Programs\StartUp\

Right. So that's about it for the moment.
No need to say more about this flaw. I suppose you understand the security issue here.

Conclusion: be sure to sanitize your database inputs.
And configure the security of all your boxes properly!
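
A detection check for the pattern described in this post, added here as an example (it is not code from the original post): it scans SQL statements, such as those in a MySQL general query log, for INTO OUTFILE / INTO DUMPFILE targets that are UNC paths or fall inside the autostart folders listed above. The function names and the sample statements are assumptions constructed for illustration.

```python
import re

# Autostart folders from the list in the post, lower-cased for matching.
STARTUP_DIRS = (
    r"programdata\microsoft\windows\start menu\programs\startup",
    r"documents and settings\all users\start menu\programs\startup",
    r"winnt\profiles\all users\start menu\programs\startup",
    r"windows\start menu\programs\startup",
)
# INTO OUTFILE / INTO DUMPFILE followed by a quoted string literal.
OUTFILE_RE = re.compile(
    r"""into\s+(?:outfile|dumpfile)\s+(['"])((?:\\.|(?!\1)[^\\])*)\1""", re.I | re.S)
# \\host\share\rest, matched after the literal has been unescaped.
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]([^\\/]+)(.*)$", re.S)
ESCAPES = {"0": "\0", "b": "\b", "n": "\n", "r": "\r", "t": "\t", "Z": "\x1a"}

def mysql_unescape(literal):
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)),
                  literal, flags=re.S)

def inspect_statement(statement):
    """Return a finding for a statement that writes a file, else None."""
    m = OUTFILE_RE.search(statement)
    if not m:
        return None
    path = mysql_unescape(m.group(2))
    unc = UNC_RE.match(path)
    rest = (unc.group(3) if unc else path).replace("/", "\\").lower()
    finding = {
        "path": path,
        "remote_host": unc.group(1) if unc else None,
        "admin_share": bool(unc and unc.group(2).endswith("$")),
        "autostart": any(d in rest for d in STARTUP_DIRS),
    }
    finding["severity"] = ("critical" if finding["autostart"] else
                           "high" if unc else "review")
    return finding

# Constructed sample statements, as they could appear in a general query log.
SAMPLE_LOG = [
    r'''SELECT 'msgbox ""' INTO OUTFILE '\\\\192.168.0.N\\C$\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msgbox.vbs';''',
    r"SELECT * FROM orders INTO OUTFILE '/var/lib/mysql-files/orders.csv'",
    r"SELECT data FROM t INTO DUMPFILE '\\\\fileserver\\exports\\blob.bin'",
    r"SELECT name FROM users WHERE id = 1",
]

def scan(lines):
    return [f for f in map(inspect_statement, lines) if f]
```

On the server side, restricting the FILE privilege and setting secure_file_priv limits where such statements can write at all.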


Subhash Dasyam