Hello participants of Mailing List. In April I've wrote the article "Attack via tables corruption in MySQL" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-May/008363.html), about which I told you in the list. In June I've made full translation of the article and now I'd present it for you. ---------------------------------------------------- Attack via tables corruption in MySQL ---------------------------------------------------- I'll tell you about the attack via tables corruption in DBMS MySQL. Which I've presented in May 2009 in publication Attack on Abuse of Functionality in WordPress [1]. At that time I've described in details this attack on example of WordPress, and later also on example of Invision Power Board (I know since 2007 about possibility of such attack on IPB), but decided to make detailed article about it. Tables corruption in MySQL. MySQL supports different tables types also know as engines (storage engines) [2]. And different versions of DBMS support different number of engines, particularly MySQL 5.0 supports 10 engines. In MySQL there is such tables type as MyISAM. They are more faster in work then other types of tables and during many versions MySQL by default use exactly MyISAM engine at creation of new tables (up to version MySQL 5.5.5). And there is important issue in this engine - the tables can be corrupted (usually these are indexes of tables, i.e. the tables with data remain safe). This concerns MyISAM and ISAM engines. And so they must be repaired, for which there is function REPAIR for MyISAM tables. The repair functionality can be added in web application - e.g. IPB 2 and above have such function in admin panel, and also such functionality was added in WordPress 2.9, but, as I found, there is DoS vulnerability in it [3]. If there is no such functionality, which is typical for most of web applications, then it's needed to use applications for work with MySQL, including web applications, such as MustLive MySQL Perl/CGI Client and phpMyAdmin. Examples of vulnerable applications. In 2009 I've told about possibility of conducting this attack on WordPress (for DoS and full takeover of a site), and in 2011 I told about attacks on IPB 1, IPB 2 and IPB 3 (for DoS). Other web applications, which use MySQL and MyISAM tables, are also vulnerable to this attack. Taking into account, that corrupted tables are inaccessible for web application, then it stops to work correctly. The problem can concern as some single functionality of web site, as the whole site - when web application will completely stop to work and only will be showing error message. Until corrupted tables will be repaired. E.g. when to corrupt impotent table in WordPress, then web site stops to work and the message shows at all pages of the site - in old versions of the engine shows "It doesn't look like you've installed WP yet", and in new versions of the engine shows "Error establishing a database connection". And taking into account, that automatic tables repairing is not used in web applications - I am not aware about any such web application - then issues at the site will be until admin repair tables by himself (using any software for work with MySQL, to conduct REPAIR for these tables). As I've wrote about WordPress [3], where in WP 2.9 the developers as though made automatic repairing (after my informing about above-mentioned attack on WP), but, as I found, actually they lay and there was not made automatic tables repairing in the engine, and it was needed to manually run a script of repairing of the tables. Attack vectors. There are the next main attack vectors via tables corruption in MySQL: 1. Conducting DoS attacks. After creation of conditions for corruption of DB tables (via overloading of the site), it's possible to conduct DoS attack on web site. Examples of web applications vulnerable to such attacks are WordPress and IPB. 2. Complete compromise of web site. At existence of installer at the site and after conducting of DoS attack (described in #1) on tables to which installer is sensitive, it's possible to force it to decide, that the engine isn't installed at the site and to reinstall of the engine. Examples of web applications vulnerable to such attacks are WordPress. Conducting of the attack. For the attack it's needed to find a table to which web application is sensible. In my publications about attacks on WordPress and Invision Power Board I've wrote to which tables these engines are sensible (there are differences between different versions of the engines). WP is sensible to the tables wp_options and wp_users, and IPB is sensible to the tables ibf_topics and ibf_session. After that it's needed to find functionality, which uses found sensible table. And overload this functionality in such way to make corruption of the table in DB. And so the attack will be conducted on web site. Conclusion. >From above-mentioned it's clear, that all web applications, which use MySQL and MyISAM tables, are vulnerable to this attack. And there are a lot of such web applications - it can be thousands, if not millions of web applications. Even if it's hard to corrupt table (for conducting of this attack), but such probability exists, so all web developers and administrators of web sites should take this information into account. References: 1. Attack on Abuse of Functionality in WordPress (http://websecurity.com.ua/3152/). 2. Chapter 14. Storage Engines (http://dev.mysql.com/doc/refman/5.0/en/storage-engines.html). 3. DoS vulnerability in WordPress (http://websecurity.com.ua/5774/). Best wishes & regards, Eugene Dokukin aka MustLive Administrator of Websecurity web site http://websecurity.com.ua