Several zero-day exploits and vulnerabilities in the MySQL database were disclosed to the Full Disclosure mailing list over the weekend.
Of the 6 zero-days described by a researcher known as King Cope, all but one involve legitimate credentials to access the Oracle-owned database, or are configuration errors instead of vulnerabilities in the code.
“Some of the techniques are interesting, but you have to have a valid log-in for them to work,” said HD Moore, creator of the Metasploit Framework and CSO at Rapid7. “There’s usually a better way to get access.”
CVE-2012-5611 is a stack-based buffer overflow in MySQL 5.5.19 and 5.1.53 that whenever exploited admits remote authenticated users to carry out execution of shell code. According to the CVE advisory, a long argument made to the GRANT FILE command would activate the vulnerability.
Golubchik told Threatpost.com that CVE-2012-5615, a Outside pre-authentication user enumeration exposure, is a 10-year-old issue and documented in the MySQL developer’s manual.
“Admittedly, the text is way more complex than it should be, the older version was easier to read. But anyway, it documents that an authentication method is specified per user (in the server account
management tables). And that a client gets a special reply ‘change authentication method’ if the user name is correct and the authentication method does not match the correct authentication method for this account,” Golubchik said. “Which means, exactly, that one can find what account names surely exist on the server by looking for these ‘change authentication method’ server replies. They are never returned for non-existent accounts.”