SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Proofpoint Protection Server Vendors:   Proofpoint, Inc.
Proofpoint Protection Server Grants Remote Users Access to the Underlying Database
SecurityTracker Alert ID:  1009175
SecurityTracker URL:  http://securitytracker.com/id/1009175
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 23 2004
Impact:   User access via network
Exploit Included:  Yes  

Description:   A vulnerability was reported in the Proofpoint Protection Server. A remote user can gain access to the underlying database server.

It is reported that by default, the system configures the included the MySQL database to listen on TCP port 3306 and does not set any password for the 'root' account. A remote user can connect to the database as the 'root' user. This level of privileges allows the remote user to execute INSERT and DELETE commands and to view the contents of the database, the report said.

Impact:   A remote user can access the underlying database and can view the database contents and add new user accounts.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.proofpoint.com/product-mps/overview.php (Links to External Site)
Cause:   Authentication error
Underlying OS:  Linux (Red Hat Linux)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Proofpoint Protection Server remote MySQL root user vulnerability


Product: Protection Server
Version: unknown/Red Hat Linux
Developer: Proofpoint
URL: www.proofpoint.com

Summary:
The MySQL server may be remotely access by the "root" user without using
a password.

Details:

The Proofpoint Protection Server is a software product to filter spam
and other e-mail traffic.  It's installed on Red Hat Linux.  A partial
customer list may be found on their website.

By default, the embedded MySQL 4.0 server binds to the default port (3306/tcp)
on every IP.  The software has no packet filtering or port restrictions
of it's own, so all bound ports are wide open to the network.

The specific flaw is that the "root" user in MySQL is not restricted
from connecting from any host ('%') and additionally the root user HAS
NO PASSWORD.  There are a few minor restrictions on the root user when
logging in from a remote host, such as no Reload_priv (more on this later),
 but basic functions like INSERT and DELETE are allowed.

Exploiting this is as easy as
$ mysql -u root -h a.b.c.d

>From there you can view contents of the different databases, including
dumping the hashed passwords for any of the password-protected users.
 You can then run one of the brute-force MySQL password hash crackers
against them (it's the old-style 16byte hashes).

It is also possible to create new users indirectly by INSERT'ing into
the user table for database mysql.  Remote root will not be able to FLUSH
PRIVILEGES (required to make the user active--this is because no Reload_priv),
 but if the database is restarted for any reason those users will become
active and able to authenticate.  Remote root also has the ability to
delete users.

More destructive operations were not tested due to the accidental nature
of discovery, but use your imagination (certainly a DoS is possible simply
by deleting users required by the system).  Also since the systems are
running on Red Hat, it may be possible to exploit one of several recent
vulnerabilities in the Linux 2.4 kernel through MySQL.



Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC