Speaker

Alexander Rubin

Principal Security Engineer, RDS Red Team Lead, Amazon Web Services

Raleigh, North Carolina, United States

Alexander is a Principal Security Engineer at Amazon Web Services (AWS), leading the RDS Red Team.

Alexander worked as a MySQL principal consultant/architect for over 15 years, starting with MySQL AB in 2006 (the company behind the MySQL database), then Sun Microsystems, Oracle and Percona. His interest in security pentesting/red teaming started with playing CTFs and performing open-source security research. Alexander leads the RDS (relational database as a service) Red Team at Amazon Web Services.

Area of Expertise

  • Information & Communications Technology

Topics

  • Security
  • Cloud Security
  • Application Security
  • MySQL
  • AWS Security
  • Databases
  • MySQL Server
  • PostgreSQL

Pen-testing opensource databases (MySQL and PostgreSQL)

Are your databases secure? No, not the application, the database! Usually everyone is focused on application security and considers the database server to be "protected" by the network firewalls. But what if the first layer of defense fails and your database is exposed to the internet or reachable via SQL injection? Will a bad actor be able to escape from the database and get a root shell, or exfiltrate other database tenants' data? A penetration tester's goal is to pretend to be a "bad actor" and try to find all the weak spots in simulated scenarios. I will show a number of "weak spots" when dealing with open-source relational databases (MySQL and PostgreSQL) and how to protect against them.

MySQL server attacks YOU! (How we found CVE-2023-21980 in MySQL)

Can a MySQL server attack YOU? Can a black hat hacker execute code on your laptop if you simply log in to a compromised MySQL database server? Is it even possible?

Our research journey began by revisiting a security issue dating back to 2019, an issue that Oracle MySQL never unequivocally acknowledged. While the closest Common Vulnerabilities and Exposures (CVE) references were CVE-2020-2570, CVE-2020-2574, and CVE-2020-2575, our team discovered that unfixed old client libraries, such as the MySQL C/C++ connectors and MySQL ODBC drivers, as well as command line and GUI tools like the MySQL CLI and MySQL Workbench, inadvertently permit attackers to execute arbitrary code on the client machine.

But the story doesn't end there. We uncovered another layer of vulnerability: the ability to use a multibyte character set to circumvent a security patch in the MySQL server code. This revelation introduced a brand new zero-day vulnerability in the MySQL server, thereby enabling an attack vector against MySQL client libraries, command line interfaces, and graphical user interface tools. We submitted this finding to Oracle MySQL, and it was fixed in the latest MySQL version. The new CVE-2023-21980 was created and acknowledged in the Oracle Critical Patch Update Advisory - April 2023.

Our presentation will unveil a novel attack vector, one where MySQL database clients, including applications using the C API, become the unsuspecting targets of an elaborate attack chain. Our team will demonstrate a complete attack scenario discovered against MySQL client applications, leading to remote code execution. Furthermore, we will illustrate the use of multibyte character set encoding to exploit non-multi-byte-safe or improperly written code.

Confused deputy problem for databases: a method for privilege escalation in MySQL and PostgreSQL

Operating systems have had confused-deputy-based privilege escalations for ages. But does the problem exist in a database? Usually database security is only discussed in the context of protecting the database from the internet.
In this session I will demonstrate a number of cases where a simple SELECT can be used to escalate privileges inside the database. I will also show a novel method of confusing some standard MySQL and PostgreSQL monitoring agents into revealing private information (i.e. database passwords).

Atomic Honeypot: A MySQL Honeypot That Drops Shells

Meet an attacking MySQL honeypot which can "attack the attackers". In 2023 we found a CVE (CVE-2023-21980) in MySQL that allows a rogue MySQL "server" to attack a client connecting to it; attack meaning RCE on the client side. Since then we have been thinking about how to use it for good. One obvious application is to create a honeypot which will attack the attackers.

In 2024 we found another RCE in the mysqldump utility (CVE-2024-21096), so we created a rogue MySQL server and weaponized it with a chain of 3 vulnerabilities: 1/ arbitrary file read, 2/ the RCE from 2023 (CVE-2023-21980), 3/ the new RCE (CVE-2024-21096). With this atomic honeypot we were able to discover 2 new attacks against MySQL server. Using the arbitrary file read vulnerability in MySQL we were able to download and analyze the attackers' code and then execute an "attack against attackers" using a chain of exploits.

First presented at DEF CON 32, the presentation has been expanded with more material.
