[WEB SECURITY] Attack via tables corruption in MySQL

MustLive mustlive at websecurity.com.ua
Fri Jul 6 16:55:13 EDT 2012


Hello participants of Mailing List.

In April I wrote the article "Attack via tables corruption in MySQL"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-May/008363.html),
about which I told you in the list. In June I made a full translation of
the article and now I present it to you.

----------------------------------------------------
Attack via tables corruption in MySQL
----------------------------------------------------

I'll tell you about the attack via tables corruption in the DBMS MySQL, which
I presented in May 2009 in the publication Attack on Abuse of Functionality
in WordPress [1]. At that time I described this attack in detail on the
example of WordPress, and later also on the example of Invision Power Board (I
have known since 2007 about the possibility of such an attack on IPB), but
decided to make a detailed article about it.

Tables corruption in MySQL.

MySQL supports different table types, also known as engines (storage engines)
[2]. Different versions of the DBMS support different numbers of engines;
in particular, MySQL 5.0 supports 10 engines. One of the table types in MySQL
is MyISAM. Such tables are faster than other table types, and for
many versions MySQL used the MyISAM engine by default when creating
new tables (up to version MySQL 5.5.5). There is an important issue in
this engine: the tables can be corrupted (usually it is the indexes of the
tables that get corrupted, i.e. the tables with data remain safe). This
concerns the MyISAM and ISAM engines.

So they must be repaired, for which there is the REPAIR function for MyISAM
tables. The repair functionality can be added to a web application, e.g. IPB
2 and above have such a function in the admin panel, and such functionality
was also added in WordPress 2.9, but, as I found, there is a DoS vulnerability
in it [3]. If there is no such functionality, which is typical for most web
applications, then it is necessary to use applications for working with MySQL,
including web applications such as MustLive MySQL Perl/CGI Client and
phpMyAdmin.

Examples of vulnerable applications.

In 2009 I told about the possibility of conducting this attack on WordPress
(for DoS and full takeover of a site), and in 2011 I told about attacks on
IPB 1, IPB 2 and IPB 3 (for DoS). Other web applications which use MySQL
and MyISAM tables are also vulnerable to this attack.

Taking into account that corrupted tables are inaccessible to the web
application, it stops working correctly. The problem can concern either a
single piece of functionality of the web site or the whole site, when the web
application completely stops working and only shows an error message until
the corrupted tables are repaired. E.g. when an important table in WordPress
is corrupted, the web site stops working and a message is shown on all pages
of the site: old versions of the engine show "It doesn't look like you've
installed WP yet", and new versions of the engine show "Error establishing a
database connection".

And taking into account that automatic table repairing is not used in web
applications (I am not aware of any such web application), the issues at the
site will persist until the admin repairs the tables himself (using any
software for working with MySQL to run REPAIR for these tables). As I wrote
about WordPress [3], in WP 2.9 the developers supposedly made automatic
repairing (after I informed them about the above-mentioned attack on WP), but,
as I found, actually they lied and automatic table repairing was not made in
the engine; it was necessary to manually run a repair script for the
tables.

Attack vectors.

There are the following main attack vectors via table corruption in MySQL:

1. Conducting DoS attacks. After creating conditions for corruption of DB
tables (via overloading of the site), it is possible to conduct a DoS attack
on the web site. Examples of web applications vulnerable to such attacks are
WordPress and IPB.

2. Complete compromise of the web site. If an installer exists at the site,
and after conducting a DoS attack (described in #1) on the tables to which
the installer is sensitive, it is possible to force it to decide that the
engine is not installed at the site and to reinstall the engine. An example
of a web application vulnerable to such attacks is WordPress.

Conducting of the attack.

For the attack it is necessary to find a table to which the web application
is sensitive. In my publications about attacks on WordPress and Invision Power
Board I wrote which tables these engines are sensitive to (there are
differences between different versions of the engines). WP is sensitive to
the tables wp_options and wp_users, and IPB is sensitive to the tables
ibf_topics and ibf_session.

After that it is necessary to find functionality which uses the found
sensitive table, and overload this functionality in such a way as to corrupt
the table in the DB. In this way the attack on the web site is conducted.

Conclusion.

From the above it is clear that all web applications which use MySQL
and MyISAM tables are vulnerable to this attack. And there are a lot of
such web applications: there can be thousands, if not millions, of them.
Even if it is hard to corrupt a table (for conducting this attack), such a
probability exists, so all web developers and administrators of web sites
should take this information into account.
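As an added example (not part of the original post or of any of the projects it names), here is the administrator-side check that follows from the sections on REPAIR and on sensitive tables: it lists which of the named sensitive tables still run on MyISAM, emits the ALTER statements to move them to InnoDB, and turns CHECK TABLE output into REPAIR statements. The information_schema and CHECK TABLE rows are constructed samples; a real deployment would fetch them over a MySQL connection, which is assumed and not shown.

```python
# Added example, not from the original post. The rows below are CONSTRUCTED
# to mimic what information_schema.tables and CHECK TABLE return; a real
# deployment would fetch them over a MySQL connection (assumed, not shown).

# Tables the post names as the ones WordPress and IPB are sensitive to.
SENSITIVE_TABLES = {"wp_options", "wp_users", "ibf_topics", "ibf_session"}

# Constructed (table_name, engine) rows, as from information_schema.tables.
SAMPLE_TABLES = [
    ("wp_options", "MyISAM"),
    ("wp_users", "MyISAM"),
    ("wp_posts", "InnoDB"),
    ("ibf_session", "MyISAM"),
]

# Constructed CHECK TABLE result rows: (Table, Op, Msg_type, Msg_text).
SAMPLE_CHECK_ROWS = [
    ("blog.wp_options", "check", "status", "OK"),
    ("blog.wp_users", "check", "error",
     "Table './blog/wp_users' is marked as crashed and should be repaired"),
    ("blog.ibf_session", "check", "status", "OK"),
]


def exposed_tables(rows, sensitive=SENSITIVE_TABLES):
    """Sensitive tables still on MyISAM, i.e. the ones this attack can hit."""
    return sorted(name for name, engine in rows
                  if engine.upper() == "MYISAM" and name in sensitive)


def migration_statements(rows, sensitive=SENSITIVE_TABLES):
    """ALTER statements moving each exposed table to crash-safe InnoDB."""
    return [f"ALTER TABLE `{name}` ENGINE=InnoDB;"
            for name in exposed_tables(rows, sensitive)]


def needs_repair(check_rows):
    """Tables whose CHECK TABLE output has an error or warning row; a healthy
    MyISAM table yields exactly one row with Msg_type 'status', Msg_text 'OK'."""
    return sorted({table for table, _op, msg_type, _text in check_rows
                   if msg_type.lower() in ("error", "warning")})


def repair_statements(check_rows):
    """REPAIR statements for every table CHECK TABLE flagged."""
    return [f"REPAIR TABLE {table};" for table in needs_repair(check_rows)]
```

Running the generated ALTER statements removes the MyISAM index-corruption condition the post relies on; the CHECK/REPAIR pair is the fallback for tables that must stay on MyISAM.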

References:

1. Attack on Abuse of Functionality in WordPress
(http://websecurity.com.ua/3152/).
2. Chapter 14. Storage Engines
(http://dev.mysql.com/doc/refman/5.0/en/storage-engines.html).
3. DoS vulnerability in WordPress (http://websecurity.com.ua/5774/).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua