A MySQL zero-day exploit discovered by researcher Dawid Golunski and publicly disclosed on September 12th can give an attacker elevated access and control of the server where the targeted database resides. This affects versions of MySQL from 5.5 to 5.7, as well as MariaDB and PerconaDB.
The exploit combines aspects of privilege escalation and remote code execution attacks, since it requires authenticated access to the database and remotely injecting a shared library into a MySQL configuration file. The authentication requirement, however, can be bypassed if the server is also vulnerable to SQL-injection attacks.
While Golunski initially reported this vulnerability to the database developers in July and both MariaDB and PerconaDB released patches, Oracle has yet to patch the vulnerability. However, the advisory Golunski released this week contains proof-of-concept code which allowed us to develop a simple trigger that monitors MySQL requests to detect potential exploit attempts. The trigger is wrapped up in a bundle along with an alert to provide immediate notifications for suspected exploit attempts, a dashboard with a concise overview of the source and target of the attack, and a more detailed custom record format that also contains the exact SQL query that the trigger flagged.
If you use ExtraHop, this bundle is available to download for free from our bundle gallery here. This bundle will continue to be updated as more info about ways to exploit this vulnerability is released.
If you're not familiar with ExtraHop yet, check out our interactive online demo to learn more.