{"id":8356,"date":"2021-03-19T10:18:40","date_gmt":"2021-03-19T09:18:40","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?post_type=session&#038;p=8356"},"modified":"2023-05-17T08:05:54","modified_gmt":"2023-05-17T08:05:54","slug":"how-mysql-servers-can-attack-you","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/","title":{"rendered":"How MySQL Servers Can Attack YOU"},"content":{"rendered":"<p><iframe title=\"#HITB2023AMS D2T1 - How MySQL Servers Can Attack YOU - Alexander Rubin &amp; Martin Rakhmanov\" width=\"800\" height=\"450\" src=\"https:\/\/www.youtube.com\/embed\/Qz92QTo9yr8?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<p><a href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/materials\/D2T1%20-%20How%20MySQL%20Servers%20Can%20Attack%20YOU%20-%20Martin%20Rahkmanov%20&amp;%20Alexander%20Rubin.pdf\">PRESENTATION SLIDES (PDF)<\/a><\/p>\n<hr \/>\n<p style=\"text-align: justify;\">Imagine a WordPress site is hacked again and now must be restored. WordPress compromises aren&#8217;t interesting and a backup is readily available, the only step required is to re-create the database. After logging in to the MySQL server, your screen goes black, and a bitcoin address appears with instructions to unlock. What was a simple wordpress restore is now a much bigger incident. A malicious attacker has achieved remote code execution on your laptop. How is this even possible? In a world where database access also means elevated privileges elsewhere, utilizing a WordPress site to move to a workstation (that has access to sensitive environments and secrets) is becoming a realistic CONOP.<\/p>\n<p style=\"text-align: justify;\">In this talk we&#8217;ll demonstrate a novel approach, using a compromised MySQL server to attack the MySQL client. A client in this case can be a web application using the MySQL client libraries (C\/C++, Python, PHP, etc.), but more importantly it can also be an interactive tool such as the MySQL command line client or MySQL Workbench, running on YOUR laptop. <strong>This talk will cover a novel attack vector where the attacker compromises a MySQL server with the intention of targeting and gaining remote code execution to those users who have access to the database.<\/strong><\/p>\n<p style=\"text-align: justify;\">Our team started by re-creating a security issue fixed in 2019, which Oracle MySQL never clearly acknowledged. (The closest CVEs possible are: CVE-2020-2570, CVE-2020-2574, CVE-2020-2575). Our team will demonstrate how unfixed old client libraries, such as MySQL C\/C++ connectors and MySQL ODBC drivers &#8211; as well as command line and GUI tools like MySQL CLI and MySQL Workbench &#8211; allow an attacker to perform arbitrary code execution on the client machine. After reviewing the fix we have found another twist: we can use a multibyte charset to bypass the security patch in MySQL server code. <strong>That means a brand new zero-day vulnerability in MySQL server allows an attack against MySQL client libraries, command line and GUI tools.<\/strong><\/p>\n<p style=\"text-align: justify;\">In summary, our team will show a novel attack vector where an attack is executed against MySQL database clients (applications using C API) and demo a <strong>full zero-day attack chain we found against MySQL client applications to gain remote code execution<\/strong>. Our team will also demonstrate how to use multi-byte character set encoding to target a non multi-byte safe or improperly written code.<\/p>\n","protected":false},"template":"","class_list":["post-8356","session","type-session","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How MySQL Servers Can Attack YOU - HITBSecConf2023 - Amsterdam<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How MySQL Servers Can Attack YOU - HITBSecConf2023 - Amsterdam\" \/>\n<meta property=\"og:description\" content=\"PRESENTATION SLIDES (PDF) Imagine a WordPress site is hacked again and now must be restored. WordPress compromises aren&#8217;t interesting and a backup is readily available, the only step required is to re-create the database. After logging in to the MySQL server, your screen goes black, and a bitcoin address appears with instructions to unlock. What [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/\" \/>\n<meta property=\"og:site_name\" content=\"HITBSecConf2023 - Amsterdam\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-17T08:05:54+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/\",\"name\":\"How MySQL Servers Can Attack YOU - HITBSecConf2023 - Amsterdam\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website\"},\"datePublished\":\"2021-03-19T09:18:40+00:00\",\"dateModified\":\"2023-05-17T08:05:54+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How MySQL Servers Can Attack YOU\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/\",\"name\":\"HITBSecConf2023 - Amsterdam\",\"description\":\"#HITB2021AMS\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How MySQL Servers Can Attack YOU - HITBSecConf2023 - Amsterdam","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/","og_locale":"en_US","og_type":"article","og_title":"How MySQL Servers Can Attack YOU - HITBSecConf2023 - Amsterdam","og_description":"PRESENTATION SLIDES (PDF) Imagine a WordPress site is hacked again and now must be restored. WordPress compromises aren&#8217;t interesting and a backup is readily available, the only step required is to re-create the database. After logging in to the MySQL server, your screen goes black, and a bitcoin address appears with instructions to unlock. What [&hellip;]","og_url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/","og_site_name":"HITBSecConf2023 - Amsterdam","article_modified_time":"2023-05-17T08:05:54+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/","url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/","name":"How MySQL Servers Can Attack YOU - HITBSecConf2023 - Amsterdam","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website"},"datePublished":"2021-03-19T09:18:40+00:00","dateModified":"2023-05-17T08:05:54+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/how-mysql-servers-can-attack-you\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/"},{"@type":"ListItem","position":2,"name":"Session","item":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/"},{"@type":"ListItem","position":3,"name":"How MySQL Servers Can Attack YOU"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website","url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/","name":"HITBSecConf2023 - Amsterdam","description":"#HITB2021AMS","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/session\/8356"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/types\/session"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/media?parent=8356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}