MySQL Design Flaw Allows Malicious Servers to Steal Files from Clients (Jan 21, 2019)
The file interaction feature between a “MySQL” database server and a client host is known and documented to contain a design flaw that could allow a threat actor to gain access to all information that the connected client “has read access to.” The MySQL documentation explains that the issue resides in the way clients receive file-transfer requests from a MySQL server. When a request is made, the client responds with a “LOAD DATA” statement. A malicious server controlled by a threat actor could then respond with a “LOAD DATA LOCAL” statement and request any file the client has read permission for. Actors could abuse this known flaw with publicly available code for malicious MySQL servers.
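The exchange described above can be checked on the wire. The server's file-transfer request is a single packet whose payload starts with the byte 0xFB followed by the filename, after which the client streams the file back; a client that only ever named one file in its own LOAD DATA LOCAL statement has no reason to honour a request for a different one. The following is an added example (not code from the original story or from MySQL) that parses a constructed server-to-client stream and flags any file request that does not match the file the client asked to load, which is the check a proxy or network sensor would apply; the packet bytes and the expected filename are constructed sample values.

```python
import struct
from typing import Iterator, List, Optional, Tuple

# First payload byte of a MySQL "LOCAL INFILE Request" packet (server -> client).
LOCAL_INFILE_REQUEST = 0xFB


def iter_packets(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Split a raw MySQL wire stream into (sequence_id, payload) pairs.

    Each packet carries a 4-byte header: 3-byte little-endian payload length
    followed by a 1-byte sequence id.
    """
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        seq = stream[pos + 3]
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated MySQL packet at offset %d" % pos)
        yield seq, payload
        pos += 4 + length


def local_infile_filename(payload: bytes) -> Optional[str]:
    """Return the filename if this payload is a LOCAL INFILE request, else None."""
    if payload and payload[0] == LOCAL_INFILE_REQUEST:
        return payload[1:].decode("utf-8", errors="replace")
    return None


def find_unexpected_file_requests(stream: bytes, expected_file: str) -> List[str]:
    """List every file the server asked for that differs from the one the
    client's own LOAD DATA LOCAL statement named.

    A non-empty result means the server tried to read a file of its own
    choosing from the client host.
    """
    flagged = []
    for _seq, payload in iter_packets(stream):
        name = local_infile_filename(payload)
        if name is not None and name != expected_file:
            flagged.append(name)
    return flagged


def build_packet(seq: int, payload: bytes) -> bytes:
    """Encode one MySQL packet (used here only to construct the sample stream)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed sample (not captured traffic): the client issued
# LOAD DATA LOCAL INFILE '/tmp/import.csv' ..., but the server's request names
# a different file, followed by an ordinary OK packet.
EXPECTED_FILE = "/tmp/import.csv"
SAMPLE_STREAM = (
    build_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/etc/passwd")
    + build_packet(3, b"\x00\x00\x00\x02\x00\x00\x00")  # OK packet, status 0x0002
)


if __name__ == "__main__":
    hits = find_unexpected_file_requests(SAMPLE_STREAM, EXPECTED_FILE)
    for name in hits:
        print("server requested a file the client did not name:", name)
```

The detection is a backstop; the primary fix is on the client side, where LOCAL INFILE should be disabled unless a specific job needs it (for the mysql command-line client that is the `--local-infile=0` option; most connectors expose an equivalent local-infile setting that is off by default in current releases). With the feature disabled the client rejects the 0xFB request outright, so no file is sent regardless of which server it connected to.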
Recommendation: Publicly available code that could be abused by threat actors significantly increases the likelihood that threat actors of all levels of sophistication will attempt to abuse this flaw. Security researcher Willem de Groot believes that the financially-motivated MageCart campaigns abused this flaw in some of their attacks. It is important that MySQL is configured in a way that it will only connect to trusted servers.