A little background: We've just had our PBX system hacked. The server itself seems secure (no logged unauthorised console access - SSH etc), but somehow the hackers have managed to inject a new admin user into the PBX software (FreePBX, backed by MySQL). Apache logs imply that the hackers managed to add the user without using the web interface (or any exploit in the web interface).
Now, I have since discovered that MySQL was running without a root password (!!) and openly bound to the external IP address (Obviously, I have locked this down now). However, the only root level users in MySQL were 'root'@'localhost' and 'root'@'127.0.0.1', both of which should only have been accessible locally.
So, my question is this:
Is there a way of spoofing a connection to MySQL so that it will allow connection to the 'root'@'localhost' user from a remote IP address, WITHOUT running any other exploit locally?
For reference, the box is CentOS 5 (Linux 2.6.10) running MySQL 5.0.95.
Answer
No.
MySQL will never log you in to a user with the localhost or 127.0.0.1 host specification if you aren't coming from the local system. Note that this also covers the auth bypass vulnerability, CVE 2012-2122; the password comparison might be tricked, but the host comparison is not.
You'd need something on the system to proxy off of to "trick" the source host checking. Something like phpmyadmin, or a load balancer like HAProxy running in front of the MySQL TCP port come to mind.
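To make the host check concrete, here is an added audit example (not from the question or the answer above) that re-implements MySQL's account-host matching over constructed sample rows from mysql.user and lists which accounts a remote client could even match, let alone log in to. It assumes the documented LIKE-style wildcard semantics for the Host column and treats localhost, 127.0.0.1 and ::1 as local-only.

```python
"""Audit mysql.user-style rows for remote reachability (added example).

MySQL matches the connecting client's host (IP or resolved name) against
each account's Host column with SQL LIKE semantics ('%' and '_' are
wildcards). An account whose Host is localhost/127.0.0.1 can only be
matched from the local system, which is why 'root'@'localhost' is not
reachable from a remote IP even with an empty password.
"""
import re
from dataclasses import dataclass

# Assumption: these Host values only ever match local connections.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class Account:
    user: str
    host: str           # value of mysql.user.Host
    has_password: bool  # False when Password/authentication_string is empty


def host_matches(pattern: str, client_host: str) -> bool:
    """MySQL account-host matching: LIKE wildcards, case-insensitive."""
    regex = "".join(
        ".*" if c == "%" else "." if c == "_" else re.escape(c)
        for c in pattern
    )
    return re.fullmatch(regex, client_host, re.IGNORECASE) is not None


def remotely_reachable(accounts, client_ip):
    """Accounts a client connecting from client_ip (not the box itself) could match."""
    return [a for a in accounts
            if a.host not in LOCAL_HOSTS and host_matches(a.host, client_ip)]


def risky_accounts(accounts, client_ip="203.0.113.5"):
    """Accounts reachable from client_ip that also have no password set."""
    return [a for a in remotely_reachable(accounts, client_ip) if not a.has_password]


# Constructed sample rows, shaped like `SELECT User, Host, Password FROM mysql.user`.
SAMPLE = [
    Account("root", "localhost", False),    # the situation in the question
    Account("root", "127.0.0.1", False),
    Account("freepbx", "localhost", True),
    Account("backup", "10.0.%", True),      # wildcard-scoped but password-protected
    Account("legacy", "%", False),          # the row that would actually expose the server
]

if __name__ == "__main__":
    for a in risky_accounts(SAMPLE):
        print(f"{a.user}@{a.host}: matchable from a remote IP and has no password")
```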