06-08, 10:00–10:50 (EST5EDT), Altispeed (JR Ballroom)
Can your MySQL server attack YOU? Can a hacker execute code on your laptop if you simply log in to a compromised MySQL database server? Is it even possible? Our presentation will unveil a novel attack vector in which MySQL database clients become the unsuspecting targets of an attack chain.
Can your MySQL server attack YOU? Can a black hat hacker execute code on your laptop if you simply log in to a compromised MySQL database server? Is it even possible?
Our research journey began by revisiting a security issue dating back to 2019, an issue that Oracle MySQL never unequivocally acknowledged. While the closest Common Vulnerabilities and Exposures (CVE) references were CVE-2020-2570, CVE-2020-2574, and CVE-2020-2575, our team discovered that old, unpatched client libraries, such as the MySQL C/C++ connectors and MySQL ODBC drivers, as well as command-line and GUI tools like the MySQL CLI and MySQL Workbench, inadvertently permit attackers to execute arbitrary code on the client machine.
But the story doesn't end there. We uncovered another layer of vulnerability: the ability to use a multibyte character set to circumvent a security patch in the MySQL server code. This introduced a brand new zero-day vulnerability in the MySQL server, thereby enabling an attack vector against MySQL client libraries, CLI, and GUI tools. The issue was fixed in the latest MySQL version. The new CVE-2023-21980 was created and acknowledged in the Oracle Critical Patch Update Advisory - April 2023.
The presentation will unveil a novel attack vector, one where MySQL database clients become the unsuspecting targets of an elaborate attack chain. I will demonstrate a complete attack scenario discovered against MySQL client applications, leading to remote code execution.
Alexander is a Principal Security at Amazon Web Services (AWS), leading the RDS Red Team.
Alexander worked as a MySQL principal consultant/architect for over 15 years, starting with MySQL AB (the company behind the MySQL database) in 2006. His interest in offensive security began with playing CTFs and performing open-source security research.