Security professional Nikolaos Rangos, who is better known by his online handle Kingcope, has flooded the Full Disclosure mailing list over the weekend with information and exploits for a number of bugs in MySQL and SSH servers.
Five of the exploits allow attackers shell access with maximum privileges but, according to The H Security, require a legitimate database connection to execute injected code.
Two additional exploits are for a MySQL DoS zero-day and for one that allows the attackers to discover valid usernames, and two more are for Remote Authentication Bypass flaws in FreeSSHD and FreeFTPD.
The disclosed proof-of-concept exploit for a SSH.com Communications Tectia SSH Server Authentication Bypass Remote zero-day vulnerability has been tested and confirmed by researcher Eric Romang, who says that all versions of the server are affected.
“An attacker in the possession of a valid username of an SSH Tectia installation running on UNIX (verified on AIX/Linux) can login without a password. The bug is in the “SSH USERAUTH CHANGE REQUEST” routines which are there to allow a user to change their password. A bug in the code allows an attacker to login without a password by forcing a password change request prior to authentication,” he explained, and offered a video of the exploit.
He did the same for the MySQL Database Privilege Elevation zero-day, and confirmed that it allows an attacker with access to a MySQL database through a user having some specific privileges to create a MySQL administrator user. So far, he managed to confirm that the affected versions are 5.0 and 5.1.