We will start with a definition. MySQL is a relational database management system with different data storage engines, such as MyISAM, InnoDB, Archive and others. Like most open source projects, it has its own branches, for example, MariaDB. Before going into details, I would like to mention that most of discussed vectors/techniques/bugs apply to various engines and branches, though not always.
Well, how could we ‘boost’ privileges on Windows? First of all, we should say that there were found, lately, a lot of vulnerabilities regarding fonts parsing which make the process of privileges elevation rather simple as long as we have a proper exploit. If you use the Metasploit then you need only one command to get the system shell. However, it will only work if the system is not fully patched. In case if the machine has all the updates installed, despite the Linux, we will not be able to find SUID-binaries in here, furthermore the environmental variables usually do not transmitted to services or processes with higher privileges. So, what we can do then?
I guess you have heard about Evilgrade framework that allows to “fix” the update mechanism of the most popular programs (Windows update, Apple update and so on and so forth) by replacing valid files with malicious ones. You probably think that only the application’s updates are vulnerable? Well, you are wrong. I shall be honest with you, it is not that secure to download files from the web as it might be seemed from the first sight. Don’t believe me? Then look, or better say, read.
What is memcached?
But at first let us consider a small introduction. So memcached is a free and open high-performance distributed system for caching objects in memory. It is a storage of “key-value” type located in the operating memory and designed for small “portions” of arbitrary data (string values, numerical values, not infrequently serialized objects in the form of string values) such as results of queries to DB, results of API calls or generation of pages. In addition, memcached is a fully open development, is assembled and operated under UNIX, Windows, OS X and distributed under an open license. It is used by many popular web projects, for example, LiveJournal, Twitter, Flickr, YouTube, Wikipedia, etc. It is a normal network service with host-base authentication, which is operated in loopback interface on port 11211. memcached daemon supports UDP- and TCP-sockets and provides two different protocols for interaction with itself: text and binary. I suppose that this is all what we are to know about the patient so far.
Bug Bounty—vulnerability reward programs for vendors—become more and more widespread. And sometimes, vulnerabilities search detects some evidently insecure areas (e.g., self-XSS) the threat of which is hard to prove. But the larger (or even the smarter) is the vendor (e.g., Google), the more willing it is to discuss, to detect the indicated vulnerability and to reward if successful. This article is a collating of complex situations and the ways to prove a threat and to make the Internet more secure.
As you can remember ( and as a must to remember for each good administrator) it is not a good idea to work as a root user on Linux. In a perfect world you should use it only to configure a server, to install or to update software, by and large, only for purely administrative purposes. The problem is that we live in the real world that is, actually, quite far away from a perfect one. So, the situation is quite common and, generally, because of negligence, wherefore, the Linux users had no choice but to figure out how does their software works. However, if you know how does the system work and understand its safety mechanisms then you will never work as a root user. Anyway, today we are going to review the ways of raising authorities up from the unprivileged user to a root one, unlike the situation with Windows where we were considering the ways of running with administrative privileges. So, let’s start.
Let’s start with the configuration of the Indian who gained recognition on many servers on the web. The first setting we select is the one that prevents an attacker from recognizing the version of Apache. To do this, you can use two directives that have to be set to the following values:
Separate user and group
The second step is to make sure that Apache runs under its own separate user and group. If the same user also manages something else, e.g. DBMS, an attacker who manages to compromise the web server can have access to the database as well.