The Adminer MySQL administration tool <= v4.6.2 can be leveraged to enable remote unauthenticated attackers to exfiltrate data using a flaw in the MySQL protocol. The tool is configured to permit MySQL file transfer operations by default, enabling malicious users to exfiltrate data through the use of malicious MySQL servers. The MySQL documentation warns that as file transfers from the client are initiated by the server, a patched MySQL server could be used to request any arbitrary file in response to any request from the client. The adminer tool does not require any form of authentication to be used and is often found lingering in the root directory of webservers, making it ideal as a client for connecting to malicious MySQL servers.
- A remote unauthenticated attacker locates a vulnerable adminer tool on the target server.
- The attacker uses the adminer tool to connect to a malicious MySQL server with arbitrary credentials.
- The tool automatically sends a 4-byte UTF-8 encoding request as part of the connection triggering a file transfer request from the malicious MySQL server.
- The adminer tool honors the request and transfers the requested file contents to the malicious MySQL server.
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Remove the vulnerable adminer PHP script from the webserver and update the adminer tool to the latest version.