Session

Confused deputy problem for databases: a method for privilege escalation in MySQL and PostgreSQL

Operating systems have had confused-deputy-based privilege escalations for ages. But does the problem exist in a database? Usually, database security is only discussed in the context of protecting the database from the internet.
In the session I will demonstrate a number of cases where a simple select can be used to escalate privilege inside the database. I will also show a novel method of confusing some standard MySQL and PostgreSQL monitoring agents to retrieve private information (i.e. database passwords).

Alexander Rubin

Principal Security Engineer, RDS Red Team Lead, Amazon Web Services

Raleigh, North Carolina, United States
