A design flaw in the file-transfer interaction between a MySQL client and a MySQL server allows an attacker running a rogue MySQL server to read files that the connected client can read. A malicious person can use this problem to extract sensitive information from a misconfigured web server, or from a database-management application, that allows connections to untrusted servers.
The problem concerns the LOAD DATA statement used with the LOCAL modifier, which the MySQL documentation itself describes as a security risk.
As the developers explain, there are two possible security issues with the LOCAL version of LOAD DATA:
The transfer of the file from the client host to the server host is initiated by the MySQL server. Theoretically, we could create a patched server that instructs the client program to transfer a file selected by the server instead of the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read privileges. (A patched server could actually respond to any request with a file transfer request, not just LOAD DATA LOCAL. A more fundamental problem is that clients should not connect to untrusted servers.)
In a Web environment where clients connect from a Web server, a user can use LOAD DATA LOCAL to read all files that the Web server process has read access to (provided that a user can execute any statement on the SQL server). In this environment, the client for the MySQL server is actually the Web server, not a remote program executed by users connecting to the Web server.
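The first issue above is the one a client can defend against on its own: the server's file request is an ordinary protocol packet, so a client can refuse it whenever it did not itself send a LOAD DATA LOCAL statement. The following is an added example (not code from the article, from MySQL, or from Adminer) that inspects raw client/server packets and flags such an unsolicited request; the packet layout and the 0xFB marker follow the MySQL client/server protocol, and every sample packet is constructed here.

```python
# Added example (not from the article or from MySQL): a client-side guard that
# inspects raw MySQL protocol packets and flags a server-initiated LOCAL INFILE
# request the client never asked for. Packet layout and the 0xFB marker follow
# the MySQL client/server protocol; all sample packets below are constructed.

COM_QUERY = 0x03            # first payload byte of a client query packet
LOCAL_INFILE_MARKER = 0xFB  # first payload byte of a server "send me file X" request


def build_packet(seq: int, payload: bytes) -> bytes:
    """3-byte little-endian length, 1-byte sequence id, then the payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def parse_packet(raw: bytes):
    """Split one MySQL packet into (sequence_id, payload); reject truncation."""
    if len(raw) < 4:
        raise ValueError("packet shorter than header")
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    return raw[3], payload


def client_requested_local_infile(query_payload: bytes) -> bool:
    """True only if the client's own COM_QUERY was a LOAD DATA ... LOCAL statement."""
    if not query_payload or query_payload[0] != COM_QUERY:
        return False
    sql = " ".join(query_payload[1:].decode("utf-8", "replace").split()).upper()
    return sql.startswith("LOAD DATA") and " LOCAL " in sql


def check_server_response(query_packet: bytes, response_packet: bytes):
    """Return (verdict, filename). 'unsolicited' means the server asked the client
    to upload a file although the client sent no LOAD DATA LOCAL query; a safe
    client closes the connection here instead of reading and sending the file."""
    _, query = parse_packet(query_packet)
    _, resp = parse_packet(response_packet)
    if not resp or resp[0] != LOCAL_INFILE_MARKER:
        return "no-file-request", None
    filename = resp[1:].decode("utf-8", "replace")
    if client_requested_local_infile(query):
        return "expected", filename
    return "unsolicited", filename


# Constructed exchange: the client runs a harmless SELECT, the rogue server
# replies with a file request for the Magento config file named in the article.
SAMPLE_QUERY = build_packet(0, bytes([COM_QUERY]) + b"SELECT 1")
SAMPLE_ROGUE = build_packet(1, bytes([LOCAL_INFILE_MARKER]) + b"local.xml")
```

Running `check_server_response(SAMPLE_QUERY, SAMPLE_ROGUE)` yields the 'unsolicited' verdict; disabling LOCAL INFILE in the client altogether (the mysql client's local_infile setting) removes the exposure without needing this check.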
Malicious MySQL Server Easily Available
In the security community, some people have compiled a list of possible scenarios for abusing a malicious MySQL server. Stolen SSH keys and credentials for cryptocurrency wallets were at the top of the list.
According to security researcher Willem de Groot, Magecart’s October 2018 attacks used the MySQL bug to inject code into e-commerce websites that steals payment card information at checkout.
Code for a malicious MySQL server has been available on GitHub for five years. It is therefore not surprising that cybercriminals use it in their attacks.
In a blog post published last week, de Groot explains how fraudsters used this vulnerability to extract sensitive details using Adminer, a PostgreSQL and MySQL database management tool.
The attackers’ goal appears to be stealing a file (‘local.xml’) in which the Magento e-commerce platform stores its database password. This was possible on websites running a vulnerable version of Adminer (versions 4.3.1 to 4.6.2 were affected by the bug). Administrators must upgrade to a fixed version of the product, 4.6.3 or later.
Sources: MySQL developer documentation, de Groot’s blog