A design flaw has been discovered in the file transfer interaction between a client host and a MySQL server. The bug allows threat actors operating a malicious MySQL server to obtain any data the connected client has read access to. In short, due to this design flaw, a malicious MySQL server can be deployed to steal files from clients.
The MySQL Design Flaw, Explained
More specifically, the issue lies in the LOAD DATA statement when it is used with the LOCAL modifier, which the MySQL documentation itself flags as a security risk. A plain LOAD DATA statement reads a file located on the server host; when the LOCAL keyword is present, the file is read from the client host instead.
Furthermore, the transfer of the file from the client host to the MySQL server host is initiated by the server: the client sends a file in response to a file-transfer request from the server, which is supposed to name the file given in the LOAD DATA statement. A malicious server can instead reply with a file-transfer request for any file the client has read permission on, regardless of what the client asked for.
According to the official documentation of MySQL, “a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement.”
The documentation also says that “to avoid LOAD DATA issues, clients should avoid using LOCAL. To avoid connecting to untrusted servers, clients can establish a secure connection and verify the server identity by connecting using the --ssl-mode=VERIFY_IDENTITY option and the appropriate CA certificate.”
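The server-initiated exchange described above, and the client-side check that closes it, as an added example (not code from the article or from MySQL itself): a minimal parser for the server's file-transfer request packet plus a policy function that only releases a file when LOCAL is enabled, the client really sent LOAD DATA LOCAL, and the requested path matches the one the client named. The packet layout follows the documented MySQL protocol; all function names and sample queries are constructed for this example.

```python
import re

# MySQL wire packet: 3-byte little-endian payload length, 1-byte sequence id, payload.
# A server file-transfer ("LOCAL INFILE") request payload is 0xFB followed by the
# filename the server wants the client to send.
LOCAL_INFILE_MARKER = 0xFB

# Matches "LOAD DATA [LOW_PRIORITY|CONCURRENT] LOCAL INFILE '<path>'" and captures the path.
LOAD_DATA_LOCAL_RE = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'",
    re.IGNORECASE,
)


def parse_packet(raw: bytes):
    """Split a raw MySQL packet into (sequence_id, payload); reject truncated input."""
    if len(raw) < 4:
        raise ValueError("packet too short")
    length = int.from_bytes(raw[0:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    return raw[3], payload


def requested_local_file(payload: bytes):
    """Return the filename if the payload is a file-transfer request, else None."""
    if not payload or payload[0] != LOCAL_INFILE_MARKER:
        return None
    return payload[1:].decode("utf-8", errors="replace")


def should_send_file(query: str, raw_packet: bytes, local_infile_enabled: bool = False) -> bool:
    """Hardened client policy: honour a file request only if every condition holds.
    A request arriving after any other statement, or naming a different path than
    the client's own LOAD DATA LOCAL statement, is treated as a hostile server."""
    _, payload = parse_packet(raw_packet)
    requested = requested_local_file(payload)
    if requested is None or not local_infile_enabled:
        return False
    match = LOAD_DATA_LOCAL_RE.match(query)
    return match is not None and match.group(1) == requested


def build_request(filename: str, seq: int = 1) -> bytes:
    """Constructed helper: encode a server file-transfer request packet for testing."""
    payload = bytes([LOCAL_INFILE_MARKER]) + filename.encode()
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload
```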
The design flaw also affects web servers that connect to a MySQL server as clients. In that case a threat actor who controls the server can trigger the flaw to read files from the web server host, such as the /etc/passwd file.
Security researcher Willem de Groot believes that Magecart hackers exploited the vulnerability to inject skimming code into vulnerable online shopping websites.