Thursday, March 20, 2014

6:38 AM
Good day command line kung fu!

This one is for everyone who loves security assessment or pentesting tools that automate the process of checking their systems. I've created a new tool called MyAudit.exe, a program written in C# that runs on .NET Framework 2.0 or higher. It checks for possible misconfigurations on the database server. I decided to write it for Windows because some folks requested a useful pentesting tool that checks for flaws in MySQL running on a remote Windows server. The flaws this tool checks for can also be found at http://bugs.mysql.com/

This type of tool performs a vulnerability assessment, which is a process for assessing internal and external security controls by identifying the threats that pose serious exposure to the organization's assets.

Without further ado, I've installed MySQL Community Edition on my Windows box for testing. No configuration has been made; it is running the plain default configs.

You can run this tool via Windows cmd or PowerShell. Check out my screenshots on how to use this tool.

[Screenshot: MyAudit.exe]

After executing the tool, you will be prompted to choose what to do: enter 1 to start auditing the MySQL server or 2 to exit the application.

[Screenshot: MyAudit.exe]

As you can see, after I entered `1` to audit MySQL, it prompts you for the credentials of the MySQL server you are testing:
  • Target
  • Port
  • User
  • Password
  • Report
After you have provided the necessary entries, you will see results like this:

[Screenshot: MyAudit.exe]

In summary, it states that there are 0 high risk issues, 4 medium risk issues and 1 low risk issue. It also tells you where the report file has been saved on the machine where you ran the pentest tool.

For the complete details of the security assessment on my MySQL server, here is my dump of report.txt:

~~ Start of Dump ~~

===========================MySQL Assessment===========================




Severity: Medium

Description:

The PROCESS privilege allows a user to view information about threads and
kill threads with the KILL statement if they have the SUPER privilege. This
privilege can be used to gather information about other users on a MySQL
database.

Solution:

To prevent users from viewing process information, you should revoke the
privilege PROCESS abd SUPER.

shell> mysql -u root [password]
mysql> REVOKE PROCESS ON *.* FROM [username];
mysql> FLUSH PRIVILEGES;


The Following users where found to have the privileges:

User: root, Connection Location: localhost, Process privilege: Y, Super privilege: YUser: root, Connection Location: %, Process privilege: Y, Super privilege: Y


Severity: Medium

Description:

The LOAD DATA statement can load a file that is located on the server host,
or it can load a file that is located on the client host when the LOCAL 
keyword is specified.

There are two potential security issues with supporting the LOCAL version
of LOAD DATA statements:

* The transfer of the file from the client host to the server host is
initiated by the MySQL server. In theory, a patched server could be built
that would tell the client program to transfer a file of the server's
choosing rather than the file named by the client in the LOAD DATA statement.
Such a server could access any file on the client host to which the client
user has read access.
* In a Web environment where the clients are connecting from a Web server,
a user could use LOAD DATA LOCAL to read any files that the Web server
process has read access to (assuming that a user could run any command
against the SQL server). In this environment, the client with respect to
the MySQL server actually is the Web server, not the remote program being
run by the user who connects to the Web server.

Solution:

To disable all LOAD DATA LOCAL  commands from the server side by starting
mysqld with the --local-infile=0 option.

Note: Great care should be taken when disabling this feature since many
applications rely on this feature.




Severity: Medium

Description:

Logging not enabled. The MySQL server, if configured properly, logs
connection attempts, queries, and other miscellaneous events to a log file.
By logging these events, MySQL provides a way of auditing use of the
database and detecting attacks.

Solution:

To enable general logging in MySQL, you must restart the mysqld with the
--log option. You can also specify the option in the [mysqld] group in the
options file.

The log file is created by starting the msqld using the following option:
-l, --log[=file]




Severity: Medium

Description:

Secure Socket Layer (SSL) is a security protocol that provides communications
privacy over the network. SSL allows client/server applications to communicate
in a way that is designed to prevent eavesdropping, tampering, or message forgery.

Solution:

To enable SSL support in MySQL perform the following steps:

1) Download and install the OpenSSL library from http://www.openssl.org/.
2) Compile MySQL with the option '--with-vio --with-openssl'.
3) If you are running an older version of MySQL, run the mysql_fix_privilege_tables.sh
script to update the mysql.user table.

You can then verify that you have properly compiled the MySQL daemon with
OpenSSL by checking the SHOW VARIABLES LIKE 'have_openssl' and ensuring it
is set to YES.




Severity: Low

Description:

This prevents people from using the SHOW DATABASES statement if they do not
have the SHOW DATABASES privilege. This can improve security if you have
concerns about users being able to see databases belonging to other users.
Its effect depends on the SHOW DATABASES  privilege: If the variable value
is ON, the SHOW DATABASES statement is allowed only to users who have the
SHOW DATABASES privilege, and the statement displays all database names.
If the value is OFF, SHOW DATABASES  is allowed to all users, but displays
the names of only those databases for which the user has the SHOW DATABASES
or other privilege.

Solution:

Start MySQL with out the --skip-show-database.

##############################################
Date:3/20/2014
MySQL Version: 5.1.46-community
0 High Risk issues where found
4 Medium Risk issues where found
1 Low Risk issues where found
File saved to: D:\report.txt

Visit http://asianzines.blogspot.com for more infosec tools ;)

##############################################


GAME OVER!!!


~~ End of Dump ~~

Yeah cool! It produces reports like a boss. ;-)
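To make the five findings in the dump concrete, here is an added Python sketch (not MyAudit's code, which is a closed C# binary) that evaluates the same checks offline from `mysql -B` tab-separated output of `SHOW VARIABLES` and `SELECT User, Host, Process_priv, Super_priv FROM mysql.user`. The sample data is constructed to mirror the report, the function names are hypothetical, and it assumes the `general_log` variable reflects the `--log` option.

```python
# Constructed sample input mirroring a default MySQL 5.1 install (not real output).
VARIABLES_TSV = """Variable_name\tValue
general_log\tOFF
have_openssl\tDISABLED
local_infile\tON
skip_show_database\tOFF
"""
USERS_TSV = """User\tHost\tProcess_priv\tSuper_priv
root\tlocalhost\tY\tY
root\t%\tY\tY
app\t10.0.0.5\tN\tN
"""

def parse_tsv(text):
    """Parse `mysql -B` tab-separated output into a list of dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, l.split("\t"))) for l in lines[1:]]

def audit(variables_tsv, users_tsv):
    """Return (severity, check, detail) tuples for the five report checks."""
    var = {r["Variable_name"].lower(): r["Value"].upper()
           for r in parse_tsv(variables_tsv)}
    findings = []
    privileged = [f"{u['User']}@{u['Host']}" for u in parse_tsv(users_tsv)
                  if u["Process_priv"] == "Y" or u["Super_priv"] == "Y"]
    if privileged:
        findings.append(("Medium", "PROCESS/SUPER privilege", ", ".join(privileged)))
    if var.get("local_infile") == "ON":
        findings.append(("Medium", "LOAD DATA LOCAL enabled", "local_infile=ON"))
    if var.get("general_log", "OFF") != "ON":
        findings.append(("Medium", "Logging not enabled", "general_log is not ON"))
    if var.get("have_openssl") != "YES":
        findings.append(("Medium", "SSL not available", "have_openssl is not YES"))
    if var.get("skip_show_database", "OFF") != "ON":
        findings.append(("Low", "SHOW DATABASES unrestricted", "skip_show_database is not ON"))
    return findings

def summary(findings):
    """Count findings per severity, as in the report footer."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts

if __name__ == "__main__":
    results = audit(VARIABLES_TSV, USERS_TSV)
    for severity, check, detail in results:
        print(f"[{severity}] {check}: {detail}")
    print(summary(results))
```

Re-running it after applying the report's solutions is a quick way to confirm each finding has cleared.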


Download and extract the binary application here:
http://www.mediafire.com/download/ejaobck1kliadxh/MyAudit.zip
 
SHA1: ca6ce60608c5ebc19e73d1711b8e51ef1a6d7f13


Hope you enjoy my second tool released for Windows :)
