State Sponsored IE Vulnerability and a 4 Line MySQL Exploit

Some interesting news has come out in the last week about two serious Internet Explorer vulnerabilities and a MySQL authentication bypass that can be exploited with a four-line script!

IE VULNERABILITIES

Of the two latest Microsoft IE vulnerabilities, CVE-2012-1889 and CVE-2012-1875, the first is the more interesting. The attacks using it are rumored to be “state-sponsored” and appear to target people who use Gmail together with Internet Explorer or Microsoft Office, and at the time of writing it is still an unpatched zero-day being exploited in the wild. Security software company Rapid7 explains the vulnerability as follows:

“This is an uninitialized memory bug found in MSXML. According to Microsoft, such a component can be loaded from either Internet Explorer or Microsoft Office. This vulnerability is rumored to be “state-sponsored”, and what makes it really critical is it’s still a 0-day hijacking Gmail accounts. That’s right, that means if you’re using Gmail as well as Internet Explorer or Microsoft Office, you’re at risk. We expect this vulnerability to grow even more dangerous since there’s no patch, and it’s rather easy to trigger.”

The second IE vulnerability, CVE-2012-1875, has been patched, but as yet there is no patch for CVE-2012-1889. Microsoft does offer a “Fix it” workaround to use until an official patch is released.

Rapid7, the creative geniuses behind Metasploit, have already released exploit modules for both IE vulnerabilities, so you can test whether your systems are vulnerable to the attack.

MySQL VULNERABILITY

Earlier this month, an advisory about a serious vulnerability in MySQL and MariaDB was released. According to a post on Seclists.org, an attacker may be able to trick MySQL into accepting a login without the correct password simply by repeating the connection attempt:

When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might’ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not.  Because the protocol uses random strings, the probability of hitting this bug is about 1/256.

Which means, if one knows a user name to connect (and “root” almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts take only a fraction of a second, so basically account password protection is as good as nonexistent.

Security expert David Kennedy (aka ReL1K) has released a four-line Python script to test for the vulnerability, and other sites note that the exploit fits in a single shell line, since it is nothing more than a loop of a few hundred login attempts. Metasploit has also released a module that uses the authentication bypass to dump usernames and password hashes from the MySQL server.

Fortunately, only certain builds of MySQL and MariaDB are vulnerable. The bad cast only bites when the memcmp() the server was built against can return values outside the range -128..127, which depends on the compiler and C library used for that particular build rather than on the MySQL version alone. Check the security advisory for the affected versions, and test your own servers rather than assuming a vendor package is safe.
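To make the quoted explanation concrete, here is an added C model of the login check (written for this post; it is not MySQL's or MariaDB's source and not the exploit scripts mentioned above). The memcmp_optimized stand-in and its scale knob, the token contents, and the my_bool typedef are constructed for the example; the point they demonstrate is exactly the one in the advisory: an int comparison result squeezed through a char-sized boolean is treated as "match" whenever its low byte happens to be zero.

```c
#include <stdio.h>

/* my_bool in MySQL of that era was a char-sized type. Storing an int in it keeps
   only the low 8 bits (two's-complement wraparound on common compilers). */
typedef char my_bool;

#define TOKEN_LEN 20   /* the SHA1-sized token compared at login */

/* Stand-in for the C library's memcmp. The standard only promises the sign of
   the result; optimized (SSE) implementations return other nonzero values for
   a mismatch. 'scale' is a constructed knob so this example can produce such
   values deterministically. */
static int memcmp_optimized(const unsigned char *a, const unsigned char *b,
                            size_t n, int scale)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return ((int)a[i] - (int)b[i]) * scale;
    return 0;
}

/* Vulnerable shape: the int comparison result is returned through my_bool.
   Zero means "password OK", so any result whose low byte is zero (256, -512,
   ...) is accepted even though the tokens differ. */
static my_bool check_scramble_vulnerable(const unsigned char *token,
                                         const unsigned char *expected, int scale)
{
    return memcmp_optimized(token, expected, TOKEN_LEN, scale);  /* int -> char */
}

/* Fixed shape: reduce to 0/1 while the value is still an int, then return. */
static my_bool check_scramble_fixed(const unsigned char *token,
                                    const unsigned char *expected, int scale)
{
    return memcmp_optimized(token, expected, TOKEN_LEN, scale) != 0;
}

/* Constructed test vector: the expected token is all zeros and the presented
   token differs only in its first byte (first_byte == 0 means "correct").
   Returns 1 if the chosen check reported "password OK". */
static int token_accepted(unsigned char first_byte, int scale, int use_fixed)
{
    unsigned char expected[TOKEN_LEN] = {0};
    unsigned char token[TOKEN_LEN] = {0};
    token[0] = first_byte;
    my_bool r = use_fixed ? check_scramble_fixed(token, expected, scale)
                          : check_scramble_vulnerable(token, expected, scale);
    return r == 0;
}

/* Of the nonzero comparison results in [lo, hi], how many narrow to 0?
   Over the 16-bit span -32768..32767 that is 255 of 65535, about 1 in 256,
   which is where the advisory's probability estimate comes from. */
static int count_false_accepts(int lo, int hi)
{
    int count = 0;
    for (int r = lo; r <= hi; r++)
        if (r != 0 && (my_bool)r == 0)
            count++;
    return count;
}

int main(void)
{
    printf("memcmp returns +-1  : vulnerable accepts wrong token? %d\n",
           token_accepted(1, 1, 0));
    printf("memcmp returns +-256: vulnerable accepts wrong token? %d\n",
           token_accepted(1, 256, 0));
    printf("memcmp returns +-256: fixed accepts wrong token?      %d\n",
           token_accepted(1, 256, 1));
    printf("16-bit results that narrow to 0: %d of 65535\n",
           count_false_accepts(-32768, 32767));
    return 0;
}
```

With scale 1 the wrong token is rejected by both checks, because -1/0/1 survive the narrowing intact; with scale 256 the vulnerable check reports a match for a wrong token while the fixed one still rejects it. The lesson carries beyond MySQL: never let a comparison's int result travel through a narrower type, collapse it to 0/1 first.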

Hackers to Elect next President?

Ahh voting… Like baseball and apple pie, it is another thing that makes America great.

But one problem that we have had for a long time is how to let military personnel and citizens who are overseas cast their votes.

It looks like Washington, DC was set to receive a brand spanking new way for absentee voters to vote over the internet.

The problem is that no-one saw the “Hacker Inside” label on the system.

Luckily, the voting system was tested by University of Michigan security gurus before going live. The result? After voters cast their ballot, they were greeted with the Michigan fight song “The Victors!” Nice…

More information about the system and the hack can be found in The Register’s article from yesterday. According to the article, the voting system used a MySQL database behind an Apache server and was written in the Ruby on Rails framework.

The would-be attackers found that they could append shell command strings to ballot file names, which the system executed when the ballot was uploaded.

“A file named “ballot.$(sleep 10)pdf,” for instance, caused the server to pause for 10 seconds. They used similar techniques to install a backdoor on the system that allowed them almost unfettered system access.”

Not only did they have complete access to the system, they also found the database username and password. So I am guessing that with this information they would be able to tell not only which candidate a citizen voted for, but also create new votes or even change existing ones.
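To show the class of bug behind the quoted file name, here is an added C example (written for this post; it is not the DC system’s Rails code and does not reproduce the Michigan team’s work beyond the file-name trick quoted above). The ballot file name is constructed, with a harmless echo in place of the sleep so the effect is visible, and echo also stands in for whatever program the server ran on the upload. The pattern is language-independent: Ruby backticks and single-string system() calls spawn /bin/sh just as popen() does here.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed attacker-controlled file name in the style of the one quoted
   above; a harmless echo stands in for the sleep so the effect is visible. */
#define INJECTED_FILENAME "ballot.$(echo INJECTED)pdf"

/* Output buffer shared by both variants; each call overwrites it. */
static char output[256];

static void strip_newline(char *s)
{
    s[strcspn(s, "\n")] = '\0';
}

/* Vulnerable shape: the untrusted name is spliced into a command string that
   popen() hands to /bin/sh. The shell expands $(...) before 'echo' (standing
   in for whatever tool the server ran on the upload) ever sees its argument.
   Returns the argument the tool actually received. */
static const char *process_ballot_vulnerable(const char *filename)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "echo %s", filename);       /* injection point */
    FILE *p = popen(cmd, "r");
    if (p == NULL)
        return NULL;
    if (fgets(output, sizeof output, p) == NULL)
        output[0] = '\0';
    pclose(p);
    strip_newline(output);
    return output;
}

/* Hardened shape: no shell at all. The name travels as one argv element to
   execvp(), so shell metacharacters reach the tool as literal bytes. */
static const char *process_ballot_safe(const char *filename)
{
    int fd[2];
    if (pipe(fd) == -1)
        return NULL;
    pid_t pid = fork();
    if (pid == -1)
        return NULL;
    if (pid == 0) {                                   /* child */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        char *const argv[] = { "echo", (char *)filename, NULL };
        execvp("echo", argv);
        _exit(127);
    }
    close(fd[1]);
    size_t got = 0;
    ssize_t n;
    while (got < sizeof output - 1 &&
           (n = read(fd[0], output + got, sizeof output - 1 - got)) > 0)
        got += (size_t)n;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    output[got] = '\0';
    strip_newline(output);
    return output;
}

/* Defense in depth: accept only the name shape an upload should have
   (letters, digits, '_' or '-', then ".pdf"), so metacharacters are rejected
   before any command is built. */
static int filename_allowed(const char *filename)
{
    size_t len = strlen(filename);
    if (len < 5 || len > 64 || strcmp(filename + len - 4, ".pdf") != 0)
        return 0;
    for (size_t i = 0; i < len - 4; i++) {
        unsigned char c = (unsigned char)filename[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("shell string  : echo received \"%s\"\n",
           process_ballot_vulnerable(INJECTED_FILENAME));
    printf("argv, no shell: echo received \"%s\"\n",
           process_ballot_safe(INJECTED_FILENAME));
    printf("allow-list    : \"%s\" -> %d, \"ballot-2012.pdf\" -> %d\n",
           INJECTED_FILENAME, filename_allowed(INJECTED_FILENAME),
           filename_allowed("ballot-2012.pdf"));
    return 0;
}
```

Run it and the shell-string variant prints ballot.INJECTEDpdf, meaning the embedded command already ran, while the argv variant prints the file name byte for byte. Replace the echo with sleep 10 and you have the exact behaviour The Register described; replace it with anything else and you have the backdoor.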

Thank goodness the system was tested before it went live. And you thought that missing ballots and dead people voting was a problem…