Posted on

Mamba Ransomware Encrypts Hard Drives Rather Than Files

Just when we thought ransomware’s evolution had peaked, a new strain has been discovered that forgoes the encryption of individual files, and instead encrypts a machine’s hard drive.

The malware, called Mamba, has been found on machines in Brazil, the United States and India, according to researchers at Morphus Labs in Brazil. It was discovered by the company in response to an infection at a customer in the energy sector in Brazil with subsidiaries in the U.S. and India.

Related Posts

September 20, 2016 , 11:40 am

September 16, 2016 , 2:46 pm

September 14, 2016 , 2:53 pm

Renato Marinho, a researcher with Morphus Labs, told Threatpost that the ransomware is likely being spread via phishing emails. Once it infects a machine, it overwrites the existing Master Boot Record with a custom MBR, and from there, encrypts the hard drive.

“Mamba encrypts the whole partitions of the disk,” Marinho said. “It uses a disk-level cryptography and not a traditional strategy of other ransomware that encrypts individual files.”

The malware is a Windows threat, and it prevents the infected computer’s operating system from booting up with out a password, which is the decryption key.

The victims are presented with a ransom note demanding one Bitcoin per infected host in exchange for the decryption key and it also includes an ID number for the compromised computer, and an email address where to request the key.

Mamba joins Petya as ransomware targeting computers at the disk level. Petya encrypted the Master File Table on machines it infected. Mamba, however, uses an open source disk encryption tool called DiskCryptor to lock up the compromised hard drives.

Petya was a game-changer among ransomware families. It spread initially among German companies targeting human resources offices. Emails were sent that contained a link to a Dropbox file that installed the ransomware. The malware showed the victim a phony CHKDSK process while it encrypted the Master File Table in the background.

Researchers quickly analyzed Petya’s inner workings and by understanding its behavior, were able to build a decryptor shortly after the first infections were disclosed.

More than a month after Petya surfaced, a variant was found that included a new installer. If the installer failed to install Petya on the compromised machine, it installed a less troublesome ransomware strain known as Mischa. Petya included an executable requesting admin privileges that caused Windows to flash a UAC prompt; if the victim declined at the prompt, the malware would install Mischa instead of Petya.

Mischa behaves like most of the ransomware many are familiar with. Once the victim executes link sent in a spam or phishing email, the malware encrypts local files and demands a ransom of 1.93 Bitcoin, or about $875 to recover the scrambled files.

via https://ift.tt/2cFo7RQ

Posted on

Identity and personal data theft account for 64% of all data breaches

Data breaches increased 15% in the first six months of 2016 compared to the last six months of 2015, according to Gemalto.

Breach Level Index

Worldwide, there were 974 reported data breaches and more than 554 million compromised data records in the first half of 2016, compared to 844 data breaches and 424 million compromised data records in the previous six months. In addition, 52% percent of the data breaches in the first half of this year did not disclose the number of compromised records at the time they were reported.

Breach Level Index

The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are a not serious versus those that are truly impactful.

According to the Breach Level Index, more than 4.8 billion data records have been exposed since 2013 when the index began benchmarking publicly disclosed data breaches. For the first six months of 2016, identity theft was the leading type of data breach, accounting for 64% of all data breaches, up from 53% in the previous six months. Malicious outsiders were the leading source of data breaches, accounting for 69% of breaches, up from 56% in the previous six months.

“Over the past twelve months hackers have continued to go after both low hanging fruit and unprotected sensitive personal data that can be used to steal identities,” said Jason Hart, VP and CTO for Data Protection at Gemalto. “The theft of user names and account affiliation may be irritating for consumers, but the failure of organizations to protect sensitive personal information and identities is a growing problem that will have implications for consumer confidence in the digital services and companies they entrust with their personal data.”

Healthcare data breaches increase 25%

Across industries, the healthcare industry accounted for 27% of data breaches and saw its number of data breaches increase 25% compared to the previous six months. However, healthcare represented just 5% of compromised data records versus 12% in the previous six months.

Government accounted for 14% of all data breaches, which was the same as the previous six months, but represented 57% of compromised records.

Financial services companies accounted for 12% of all data breaches, a 4% decline compared to previous six months, but accounted for just 2% of compromised data records.

Retail accounted for 11% of data breaches, and declined 6% versus the previous six months, and accounted for 3% of compromised data records.

Education accounted for 11% of data breaches and represented less than one percent of all compromised records. All other industries represented 16% of data breaches and 16% of compromised data records.

In terms of top three geographic regions for reported data breaches, 79% were in North America, 9% were in Europe, and 8% were in Asia-Pacific.

Breach Level Index

Not all data breaches are equal

As data breaches continue to grow in frequency and size, it is becoming more difficult for consumers, government regulatory agencies and companies to distinguish between nuisance data breaches and truly impactful mega breaches,” said Jason Hart, VP and CTO for Data Protection at Gemalto. “News reports fail to make these distinctions, but they are important to understand because each have different consequences. A breach involving 100 million user names is not as severe as a breach of one million accounts with social security numbers and other personally identifiable information that are used for financial gain.”

“In this increasingly digital world, companies, organizations and governments are storing greater and greater amounts of data that has varying levels of sensitivity. At the same time, it is clear that data breaches are going to happen and that companies need to shift from a total reliance on breach prevention to strategies that help them secure the breach. That is why more focus needs to be understanding what really constitutes sensitive data, where it is stored, and using the best means to defend it. At the end of the day, the best way to protect data is to kill it. That means ensuring user credentials are secured with strong authentication and sensitive data is protected with encryption so it is useless to the thieves.”

via https://ift.tt/2cqENwH

Posted on

Chinese researchers hijack Tesla cars from afar

Tesla car owners are urged to update their car’s firmware to the latest version available, as it fixes security vulnerabilities that can be exploited remotely to take control of the car’s brakes and other, less critical components.

The vulnerabilities were discovered by researchers from Tencent’s Keen Security Lab, and responsibly disclosed to Tesla. The company’s Product Security Team confirmed them, and implemented fixes in the latest version of the firmware.

Tencent’s researchers understandably didn’t reveal details about the flaws, but have provided a video demonstration of the attacks:

VIDEO

They have managed to remotely open various Tesla cars’ sunroof, turn on the blinkers, move the car seat, and open doors, all while the cars were in parking mode. But they have also managed to control windshield wipers, fold the side rearview mirrors, open the trunk, and manipulate the brakes from 12 miles away.

“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars. We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected,” they noted.

“The issue demonstrated is only triggered when the web browser is used (web browser functionality not enabled in Australia). Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly,” a Tesla spokesperson told ZDNet.

The software update fixing the flaws has already been deployed over-the-air, so details about them should soon be revealed.

via https://ift.tt/2cro7F6

Posted on

BBQSQL – Blind SQL Injection Framework

BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.

BBQSQL - Blind SQL Injection Framework

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.

Features

The most important thing to note about BBQSQL is that it doesn’t care about the data or database, whilst most SQL Injection tools are built with specific databases or languages in mind.

  • Exploits Blind SQL Injection Vulnerabilities
  • Semi-Automatic
  • Database Agnostic
  • Versatile
  • Utilises Two Search Techniques (binary_search & frequency_search)
  • Concurrent HTTP requests
  • Config Import/Export
  • Custom Hooks
  • Fast

Usage

Similar to other SQL Injection tools you must provide certain request information for the tool to work, for BBSQL this is:

  • URL
  • HTTP Method
  • Headers
  • Cookies
  • Encoding methods
  • Redirect behavior
  • Files
  • HTTP Auth
  • Proxies

Then specify where the injection is going and what syntax we are injecting.

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

root@darknet:~# bbqsql

    _______   _______    ______    ______    ______   __      

   |       \ |       \  /      \  /      \  /      \ |  \      

   | $$$$$$$\| $$$$$$$\|  $$$$$$\|  $$$$$$\|  $$$$$$\| $$      

   | $$__/ $$| $$__/ $$| $$  | $$| $$___\$$| $$  | $$| $$      

   | $$    $$| $$    $$| $$  | $$ \$$    \ | $$  | $$| $$      

   | $$$$$$$\| $$$$$$$\| $$ _| $$ _\$$$$$$\| $$ _| $$| $$      

   | $$__/ $$| $$__/ $$| $$/ \ $$|  \__| $$| $$/ \ $$| $$_____

   | $$    $$| $$    $$ \$$ $$ $$ \$$    $$ \$$ $$ $$| $$     \

    \$$$$$$$  \$$$$$$$   \$$$$$$\  \$$$$$$   \$$$$$$\ \$$$$$$$$

                     \$$$                \$$$

 

                   _.()._

                .‘         ‘.

               / ‘or ‘1‘=’1  \

               |‘-…___…-‘|

                \    ‘=’    /

                 `‘._____.’`

                  /   |   \

                 /.‘|’.\

              []/‘-.__|__.-‘\[]

                      |

                     []

 

    BBQSQL injection toolkit (bbqsql)        

    Lead Development: Ben Toews(mastahyeti)        

    Development: Scott Behrens(arbit)        

    Menu modified from code for Social Engineering Toolkit (SET) by: David Kennedy (ReL1K)    

    SET is located at: https://https://ift.tt/2d5nDTV

    Version: 1.0              

    

    The 5 Ss of BBQ:

    Sauce, Spice, Smoke, Sizzle, and SQLi

    

 

 

Select from the menu:

 

   1) Setup HTTP Parameters

   2) Setup BBQSQL Options

   3) Export Config

   4) Import Config

   5) Run Exploit

   6) Help, Credits, and About

 

  99) Exit the bbqsql injection toolkit

 

bbqsql>

HTTP Parameters

BBQSQL has many https parameters you can configure when setting up your attack. At a minimum you must provide the URL, where you want the injection query to run, and the method. The following options can be set:

  • files
  • headers
  • cookies
  • url
  • allow_redirects
  • proxies
  • data
  • method
  • auth

You specify where you want the injection query to be inserted by using the template ${injection}. Without the injection template the tool wont know where to insert the query.

You can download BBQSQL here:

bbqsql-v1.1.zip

Or read more here.

via https://ift.tt/2d5meg6

Posted on

324,000 Financial Records with CVV Numbers Stolen From A Payment Gateway

Around 324,000 users have likely had their payment records stolen either from payment processor

BlueSnap

or its customer

Regpack

; however, neither of the company has admitted a data breach.

BlueSnap is a payment provider which allows websites to take payments from customers by offering merchant facilities, whereas RegPack is a global online enrollment platform that uses BlueSnap to process the financial transactions for its online enrollments.

The data breach was initially reported on July 10, when a hacker published a link on Twitter, pointing to a file containing roughly 324,000 records allegedly stolen from Waltham, Massachusetts-based BlueSnap.

The tweet has since been deleted, but Australian security expert Troy Hunt took a copy of it for later review to analyze the data and after analyzing, he discovered that the leaked payment records are most likely legitimate.

Payment Card Data Including CVV Codes Leaked

The data contains users’ details registred between 10 March 2014 to 20 May 2016 and includes names, email addresses, physical addresses, phone numbers, IP addresses, last four digits of credit card numbers, even CVV codes, and invoice data containing details of purchases.

According to Hunt, who owns ‘

Have I Been Pwned

‘ breach notification service, some evidence like file names containing ‘BlueSnap’ and ‘Plimus’ in it suggests that the data comes from BlueSnap.

Plimus is the original name of BlueSnap, which was rebranded after private equity firm Great Hill Partners acquired it for $115Million in 2011.

However, since April 2013, Regpack has been using BlueSnap’s payment platform, it could be possible that the stolen data has come from Regpack.

“We have got 899 totally separate consumers of the Regpack service…who send their data direct to Regpack who pass payment data onto BlueSnap for processing,” Hunt explained in a blog post

“Unless I am missing a fundamental piece of the workflow… it looks like accountability almost certainly lies with one of these two parties.”

Whatever the source is, but the primary concern here is that more than 320,000 stolen users financial information is floating around the web.

Although the payment data does not contain full credit card numbers, as Hunt stressed, cyber criminals can still misuse the compromised information, particularly the CVV codes that are highly valuable payment data, which can be used to conduct “card not present” transactions.

Also, the last four digit of any user’s credit card number can also be used for identity verification that’s very useful in conducting social engineering attacks.

Hunt contacted BlueSnap as well as Regpack, but they both denied suffering a data breach. He has also loaded as many as 105,000 email addresses into

Have I Been Pwned

, so you can search for your address on the site to check whether you are impacted by the breach.

via https://ift.tt/2cTuPXt

Posted on

PunkSPIDER – A Web Vulnerability Search Engine

PunkSPIDER is a global-reaching web vulnerability search engine aimed at web applications. The goal is to allow the user to determine vulnerabilities in websites across the Internet quickly, easily, and intuitively. Please use PunkSPIDER responsibly.

PunkSPIDER - A Web Vulnerability Search Engine

In simple terms, that means the authors have created a security scanner and the required architecture that can execute a large number of web application vulnerability scans: all at the same time. The tool, or rather arsenal, works off an Apache Hadoop cluster and can handle tens of thousands of scans.

How Can I See if a Website I Use is Vulnerable?

Searching for a specific website is easy! If you know the URL of your site you can simply type the URL in the search box (without https or https) and find your website. Once there you will be presented with the number of vulnerabilities present on the site.

Let’s try an example together, let’s say you’re looking to check if our the New York Times website https://www.nytimes.com is vulnerable. You could type in www.nytimes.com in the search bar, and you should receive a result back that looks like the following:

www.nytimes.com

Scanned: 20140518T12:30:55.000055Z

bsqli:0 | sqli:0 | xss:0 | trav:0 | mxi:0 | osci:0 | xpathi:0 | Overall Risk:0

The first line gives you the domain of the result. The timestamp field on line 2 is the time that the site was added to our system. Below that is the interesting part, the total number of vulnerabilities found on the website. If you’re non-technical, you can ignore almost every part of that and just look at the Overall Risk field – this will tell you the risk of visiting a website.

As a rule of thumb anything with an Overall Risk of 1 should make you very wary, anything with an Overall Risk of greater than 1 you should stay away from entirely.

What Types of Vulnerabilities does PunkSPIDER Map?

Check it out here:

https://ift.tt/1EVyh7U

via https://ift.tt/2c7q5fF

Posted on

Security Frameworks Based Auditing with Nessus

How many security frameworks or compliance standards does IT need? If you ask compliance professionals, the answer would be, “Oh, just one more.” If you ask any IT professional, the most likely answer would be, “Oh gosh, not one more!” And yet organizations have been inundated with compliance standards; and it’s not always clear how well they comply or how good their internal processes are when stacked up against industry-wide accepted standards.

In general, security standards all attempt to do very similar things. Namely, wrapping some sort of structure around processes and helping to define a baseline posture. Some standards take a general and all-encompassing road, while others attempt to focus on a particular technical area or business sector. Because of this, a natural and significant overlap emerges.

Security standards all attempt to do very similar things … Because of this, a natural and significant overlap emerges

For example, take asset inventory recommendations. Many standards have a section devoted to inventory management, which has been well documented by experienced professionals as a key first step in assessing risk. NIST 800-53 defines some of this in section CM-8, CSC in CSC-1, the NIST Cybersecurity Framework (CSF) uses ID.AM-1, and so on. In fact, the overlap is so common that CSF includes a whole section devoted to which standards each of its controls map to.

The overlap may seem initially like a weakness, but quickly proves to be the opposite. If you look at the overlap as redundancy-not-wastefulness the strength of this overlap comes into focus. The redundant items across standards begin to take on the tone of a common language, and from there the small differences between industries or departments become manageable edge cases and outliers.

Compliance standards and Tenable audit files

The majority of the Nessus® compliance audit files and the checks within can be traced directly back to a benchmark or other source document such as a DISA STIG (Defense Information Systems Agency, Security Technical Implementation Guide) or CIS (Center for Internet Security) guide. These source documents lay out the items that should be tested and the specific values that have been deemed acceptable. These source documents didn’t just appear out of nowhere; in most cases, they grew from an attempt to turn the general structures in one (or more) of the security standards into actionable items.

For example, here’s a check from the CIS Windows 7 Configuration Benchmark:

1.1.1 Enforce password history

which in turn maps directly to NIST 800-53 control IA-5, PCI-DSS item 8.2.5 and CSF section PR.AC-1 and many others as you can see in the example below. There are countless such examples throughout the audit files.

<custom_item>
  type    	: PASSWORD_POLICY
  description : "1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'"
    see_also : "https://ift.tt/2cHmEwR;
  reference : "800-53|IA-5,HIPAA|164.308(a)(5)(ii)(D),PCI-DSSv3.1|8.2.5,800-171|3.5.10,800-171|3.5.7,800-171|3.5.8,800-171|3.5.9,CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3"
  value_type  : POLICY_DWORD
  value_data  : [24..MAX]
  password_policy : ENFORCE_PASSWORD_HISTORY
</custom_item>

Cross-references in Nessus audit files

Over the last few months, Tenable has invested time in adding extensive compliance cross-references across all the audit files, in both Nessus and SecurityCenter™. So for example, if you run a CIS Benchmark Compliance scan as part of your normal process, you will also be collecting information in relation to NIST 800-53, CIS CSC and ISO 27001 at the same time. All of these results are immediately available, attached to each check result when your scan has completed, and then you can run more specific SecurityCenter dashboards for the relevant standards.

Standards cross-referenced in Nessus audits

Currently, Tenable has also added cross-references to Nessus audits for many different standards, ranging from general ones like NIST 800-53 and ISO 27001 to industry-specific standards like NERC CIP. Keep in mind though, that not every audit item maps to every other standard. Only those items that are specifically related to a given control within a standard have been assigned a cross-reference.

Here’s a short list of standards for which cross-references have been added:

Benefits to end users

Even if your specific environment is only concerned with one or two security standards, having the ability to communicate outward to partners or outside organizations will often pay dividends. The cross-reference enables you to communicate internally in terms that different audiences find useful. The cross-reference gives you the ability to speak in terms of PCI to compliance teams, NIST 800-53 to technical and security groups, and ISO 27001 to policy makers and executives. 

Here’s a sample SecurityCenter NIST 800-53 Dashboard using the 800-53 cross-references:

NIST 800-53 Dashboard

Wrap-up

While working with standards isn’t likely to replace a good movie or book as your first choice for a lazy weekend, if we take a step back and forget all the times that standards have been misused as an insurmountable roadblock, you might see something interesting that can improve your security posture.

via https://ift.tt/2cEj4Cb

Posted on

Massive Data Breach Exposes 6.6 Million Plaintext Passwords from Ad Company

Another Day, Another Data Breach! And this time, it’s worse than any recent data breaches.

Why?

Because the data breach has exposed plaintext passwords, usernames, email addresses, and a large trove of other personal information of more than 6.6 Million ClixSense users.

ClixSense, a website that claims to pay users for viewing advertisements and completing online surveys, is the latest victim to join the list of “

Mega-Breaches

” revealed in recent months, including

LinkedIn

,

MySpace

,

VK.com

,

Tumblr

, and

Dropbox

.

Hackers are Selling Plaintext Passwords and Complete Website Source Code

More than 2.2 Million people have already had their personal and sensitive data posted to PasteBin over the weekend. The hackers who dumped the data has put another 4.4 Million accounts up for sale.

In addition to un-hashed passwords and email addresses, the dump database includes first and last names, dates of birth, sex, home addresses, IP addresses, payment histories, and other banking details of Millions of users.

Troy Hunt, operator of

Have I Been Pwned

? breach notification service, verified the authenticity of the data taken from ClixSense.

Besides giving away 4.4 Million accounts to the highest bidder, the hackers are also offering social security numbers of compromised users, along with the complete source code of the ClixSense website and “70,000 emails” from the company’s internal email server, according to a Pastebin message advertising the stolen database.

PasteBin has since removed the post as well as the sample of the compromised database that contained user account information.

Here’s How Hackers Hacked ClixSence:

ClixSense

admitted

the data breach and said some unknown hackers were able to get access to its main database through an old server which the firm was no longer using, but at the time, still networked to its main database server.

After gaining access, the hacker was able “to copy most, if not all” of the ClixSense users table, ran SQL code to change account names to “hacked account,” deleted several forum posts, as well as set account balances of users to $0.00.

While talking to

Ars Technica

, ClixSense owner Jim Grago admitted that the database contained entries for roughly 6.6 Million accounts and that the company became aware of the breach on September 4 and managed to regain control of their DNS over the weekend.

“This all started last Sunday, September 4th about 5 am EST when my lead developer called me and said ClixSense was redirecting to a gay porn site. The hackers were able to take over our DNS and setup the redirection,” Grago wrote.
“On Monday (Labor day) they were able to hack into our hosting provider and turned off all of our servers, hacked into our Microsoft Exchange server and changed the passwords on all of our email accounts. On Tuesday they were able to gain access to a server that was directly connected to our database server and get a copy of our users table.”

Change Your Passwords and Security Questions Now

Users are strongly advised to change their passwords for ClixSence account immediately, and it would also be a good idea to reset passwords for all of your other online services, especially those using the same passwords.

Since ClixSense uses a large trove of personal information on its users, make sure you change your security questions, if it uses any of the information you provided to ClixSense, such as your address, date of birth, or other identifying information.

Moreover, I recommend you to use a

good password manager

to create strong and complex passwords for your different online accounts, and it will remember all of them on your behalf.

I have listed some of the

best password managers

that could help you understand the importance of password manager and choose one according to your requirement.

via https://ift.tt/2cNjnbk

Posted on

PCI Council wants more robust security controls for payment devices

The PCI Council has updated its payment device standard to enable stronger protections for cardholder data, which includes the PIN and the cardholder data (on magnetic stripe or the chip of an EMV card) stored on the card or on a mobile device.

payment devices

Specifically, version 5.0 of the PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements emphasizes more robust security controls for payment devices to prevent physical tampering and the insertion of malware that can compromise card data during payment transactions.

The updates are designed to stay one step ahead of criminals who continue to develop new ways to steal credit and debit card data from cash machines, in-store and unattended terminals and mobile devices used for payment transactions. Payment devices that directly consume magnetic stripe information from customers remain a top target for data theft, according to the 2016 Data Breach Investigation Report from Verizon.

“Criminals constantly attempt to break security controls to find ways to exploit data. We continue to see innovative skimming devices and new attack methods that put cardholder data at risk for fraud,” said PCI Security Standards Council CTO Troy Leach. “Security must continue to evolve to defend against these threats. The newest PCI standard for payment devices recognizes this challenge by requiring protections against advancements in attack techniques.”

A summary of PCI PTS POI Modular Security Requirements version 5.0 updates are available here.

Vendors can begin using PCI PTS POI Modular Security Requirements version 5.0 now for payment device evaluations. Version 4.1 will retire in September 2017 for evaluations of new payment devices.

“With EMV chip the industry is improving protections against skimming and other attacks to reduce fraud,” added PCI Security Standards Council General Manager Stephen Orfei. “But no technology is bulletproof. In this ongoing battle against criminal attacks, we must continue to adapt the way we secure payments. With the latest PCI device standard, PCI is driving the evolution of global industry data security standards that protect payment transactions now and in the future.”

via https://ift.tt/2cStf71

Posted on

New MySQL Zero Days — Hacking Website Databases

Two critical zero-day vulnerabilities have been discovered in the world’s 2nd most popular database management software MySQL that could allow an attacker to take full control over the database.

Polish security researcher Dawid Golunski has discovered two zero-days, CVE-2016-6662 and CVE-2016-6663, that affect all currently supported MySQL versions as well as its forked such as MariaDB and PerconaDB.

Golunski further went on to publish details and a

proof-of-concept exploit

code for CVE-2016-6662 after informing Oracle of both issues, along with vendors of MariaDB and PerconaDB.

Both MariaDB and PerconaDB had fixed the vulnerabilities, but Oracle had not.

The vulnerability (CVE-2016-6662) can be exploited by hackers to inject malicious settings into MySQL configuration files or create their own malicious ones.

Exploitation Vector?

The above flaw could be exploited either via SQL Injection or by hackers with authenticated access to MySQL database (via a network connection or web interfaces like phpMyAdmin).

“A successful exploitation [of CVE-2016-6662] could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running,” Golunski explained in an advisory published today.

This could result in complete compromise of the server running the affected MySQL version.

The researcher also warned that the vulnerability could be exploited even if SELinux or AppArmor Linux kernel security module is enabled with default active policies for MySQL service on the major Linux distributions.

The flaw actually resides in the mysqld_safe script that is used as a wrapper by many MySQL default packages or installations to start the MySQL service process.

The mysqld_safe wrapper script is executed as root, and the primary mysqld process drops its privilege level to MySQL user, Golunski examined.

“If an attacker managed to inject a path to their malicious library within the config, they would be able to preload an arbitrary library and thus execute arbitrary code with root privileges when MySQL service is restarted (manually, via a system update, package update, system reboot, etc.)”

The researcher will soon release details and full exploit code for CVE-2016-6663, the flaw that allows low-privileged attackers to make exploitation trivial.

Golunski reported the zero-day flaws to Oracle on July 29 and other affected vendors on July 29.

While Oracle acknowledged and triaged the report, scheduling the next Oracle CPUs for October 18, 2016, MariaDB and PerconaDB patched their versions of the database software before the end of August.

Since more than 40 days have passed and the two vendors released the patches to fix the issues, Golunski said he decided to go public with the details of the zero-days.

via https://ift.tt/2clFaHA