Researcher releases a slew of MySQL and SSH exploits
Posted on 03 December 2012.
Security professional Nikolaos Rangos, who is better known by his online handle Kingcope, has flooded the Full Disclosure mailing list over the weekend with information and exploits for a number of bugs in MySQL and SSH servers.

Five of the exploits allow attackers shell access with maximum privileges but, according to The H Security, require a legitimate database connection to execute injected code.

Two additional exploits are for a MySQL DoS zero-day and for one that allows the attackers to discover valid usernames, and two more are for Remote Authentication Bypass flaws in FreeSSHD and FreeFTPD.

The disclosed proof-of-concept exploit for a Communications Tectia SSH Server Authentication Bypass Remote zero-day vulnerability has been tested and confirmed by researcher Eric Romang, who says that all versions of the server are affected.

"An attacker in the possession of a valid username of an SSH Tectia installation running on UNIX (verified on AIX/Linux) can login without a password. The bug is in the “SSH USERAUTH CHANGE REQUEST” routines which are there to allow a user to change their password. A bug in the code allows an attacker to login without a password by forcing a password change request prior to authentication," he explained, and offered a video of the exploit.

He did the same for the MySQL Database Privilege Elevation zero-day, and confirmed that it allows an attacker with access to a MySQL database through a user having some specific privileges to create a MySQL administrator user. So far, he managed to confirm that the affected versions are 5.0 and 5.1.


How security pros deal with cybercrime extortion

1 in 3 security professionals recommend negotiating with cybercriminals for the return of stolen data or the restoration of encrypted files. 86% of security professionals believed their peers at other organizations have brokered deals with cybercriminals.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Apr 1st