A Deep Dive into Database Attacks [Part IV]: Delivery and Execution of Malicious Executables through SQL Commands (MySQL)


In a previous post we covered different techniques for executing SQL and OS commands through Microsoft SQL Server that can be used to deliver and execute malicious payloads on a target system. In this post we'll discuss the same topic for the MySQL database.

Creating an executable directly on MySQL server via SQL commands

In one of the previous posts (Part I) we mentioned that HEX-encoded queries are often used against databases as a binary-to-hex conversion method for creating a payload on a target system through SQL commands. The payload is converted from its hexadecimal form back into a binary executable and then executed, abusing different database and operating system features through SQL commands.
We observed the following methods for creating and executing executables on a MySQL server's filesystem:

Method 1 – via SQL execution

The following example demonstrates a method of creating and executing a dynamic-link library (DLL) or a Linux shared object (SO) on a MySQL server without having direct access to the server's disk:

This attack (which is not new) loads a DLL, converted to a HEX string, into a newly created table named yongger2 ("yongger" translates from Chinese as "brave"). It then uses SELECT ... FROM table INTO DUMPFILE to write the DLL from the new table into the file cna12.dll in the MySQL plugin directory. This method works only if the plugin directory (the directory named by the plugin_dir system variable) is writable by the server.
Once the DLL is on disk, the MySQL server process (mysqld) is told about a new xpdl3() function via the CREATE FUNCTION command. This function is a downloader for another executable: it fetches 123.exe over HTTP from a remote server (located in China), saves it as c:\isetup.exe on the target filesystem, executes it, and then removes it from disk.
The following figure summarizes this attack method:

Figure 1: Technique to create DLL and execute its function using SQL commands

Method 2 – via operating system execution

The following example demonstrates a method of writing a binary shared object (SO) directly to the filesystem, into the MySQL plugin_dir:

The attack steps are as follows:

  • The HEX-encoded shared object is decoded to binary by the UNHEX function and then dumped into a file
  • The global log_bin_trust_function_creators system variable is set to 1, which relaxes the restrictions that otherwise apply to function creation when binary logging is enabled (the creator must have the SUPER privilege, and the function must be declared DETERMINISTIC or as not modifying data)
  • The sys_eval user-defined function (UDF) is created from the shared object (.so)
  • The sys_eval function is called with a command line that downloads an executable from the attacker's server (using cURL[1]), changes the executable's permissions to full access (chmod 777) and executes it

Figure 2: Technique to create Shared Object on Linux OS and execute its function using SQL commands
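Both methods leave the same footprints in the MySQL general query log: a hex literal or UNHEX() blob carrying an executable header, a SELECT ... INTO DUMPFILE write, a change to log_bin_trust_function_creators, a CREATE FUNCTION ... SONAME registration and a call to the new UDF. The following Python scanner is an added example (not code from the original post or from any of the attacks described) that flags each step and correlates a DUMPFILE write with a SONAME registration on the same connection. The log lines are constructed; the rule names and the sys_exec pattern are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of MySQL general-log lines (timestamp, thread id, command, argument).
SAMPLE_LOG = """\
2024-05-01T10:00:01.000000Z\t   12 Query\tCREATE TABLE yongger2 (data LONGBLOB)
2024-05-01T10:00:02.000000Z\t   12 Query\tINSERT INTO yongger2 VALUES (0x4D5A90000300000004000000FFFF0000B800)
2024-05-01T10:00:03.000000Z\t   12 Query\tSELECT data FROM yongger2 INTO DUMPFILE '/usr/lib/mysql/plugin/cna12.dll'
2024-05-01T10:00:04.000000Z\t   12 Query\tSET GLOBAL log_bin_trust_function_creators = 1
2024-05-01T10:00:05.000000Z\t   12 Query\tCREATE FUNCTION sys_eval RETURNS STRING SONAME 'cna12.dll'
2024-05-01T10:00:06.000000Z\t   12 Query\tSELECT sys_eval('id')
2024-05-01T10:00:07.000000Z\t   15 Query\tSELECT id, name FROM customers WHERE id = 42
"""

# Rule names are my own labels. 4d5a is the PE/DLL "MZ" magic, 7f454c46 the ELF magic.
RULES = [
    ("hex_executable_literal", re.compile(r"\b0x(4d5a|7f454c46)[0-9a-f]*", re.I)),
    ("unhex_blob", re.compile(r"UNHEX\s*\(\s*'(?:4d5a|7f454c46)[0-9a-f]+'", re.I)),
    ("into_dumpfile", re.compile(r"\bINTO\s+DUMPFILE\b", re.I)),
    ("trust_function_creators",
     re.compile(r"\bSET\s+GLOBAL\s+log_bin_trust_function_creators\s*=\s*(1|ON)\b", re.I)),
    ("udf_soname", re.compile(r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\b.*?\bSONAME\b", re.I)),
    ("udf_call", re.compile(r"\b(sys_eval|sys_exec|xpdl3)\s*\(", re.I)),
]

# General-log "Query" lines; Connect/Quit and wrapped continuation lines are skipped.
LINE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<tid>\d+) Query\t(?P<sql>.*)$")

def scan_general_log(text):
    """Return (findings, chains).

    findings: list of (thread_id, rule_name) for every matching statement.
    chains:   thread ids that both wrote a file with INTO DUMPFILE and registered a
              UDF with SONAME, i.e. the full library-drop-and-load sequence.
    """
    findings = []
    per_thread = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        tid, sql = int(m.group("tid")), m.group("sql")
        for name, rx in RULES:
            if rx.search(sql):
                findings.append((tid, name))
                per_thread[tid].add(name)
    chains = sorted(t for t, names in per_thread.items()
                    if {"into_dumpfile", "udf_soname"} <= names)
    return findings, chains
```

Run on the sample, thread 12 produces five findings and is reported as a complete chain, while the ordinary query on thread 15 produces none.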

Download executables to MySQL server via SQL commands

In MySQL, a user-defined function (UDF) remains one of the few methods available for running commands on the server through the database. A UDF is a function loaded from an external library, such as a DLL or a Linux shared object. We'll describe the method in detail in the next blog post in the series.
After an attacker uploads or creates an external library on the server's filesystem, they can execute its functions. Attackers then abuse UDFs to download malicious executables from a remote server.
The following are examples of this technique:

Summary

In this post we covered several methods for executing SQL and OS commands through a MySQL database, which can be used to deliver and execute malicious payloads on a targeted system. In the next post in this series, we'll describe techniques used by attackers to perform external and internal reconnaissance and to increase the attack surface.
[1] cURL is a software project providing a library and a command-line tool for transferring data using various protocols.