Security Advisory

ruby-mysql / Metasploit Arbitrary File Read

By exploiting an insecure design in the MySQL protocol, adversaries can extract arbitrary files from the ruby-mysql client or a Metasploit host.

Advisory ID: MLSA-2021-001
CVE: CVE-2021-3779
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity: medium
Affected versions: all versions
Fixed versions: ≥ 2.10.0
Discovered by: Hans-Martin Münch

Product description

ruby-mysql is a MySQL client library. It is written entirely in Ruby. Therefore libmysqlclient is not required and no compilation is required during installation.

Details

MySQL provides a LOAD DATA LOCAL command. Due to a design issue, a malicious MySQL server can trick the client into sending an arbitrary file to the server, even if the client never sent a LOAD DATA LOCAL command in the first place.

To quote the MySQL documentation:

Because LOAD DATA LOCAL is an SQL statement, parsing occurs on the server side, and transfer of the file from the client host to the server host is initiated by the MySQL server, which tells the client the file named in the statement. In theory, a patched server could tell the client program to transfer a file of the server’s choosing rather than the file named in the statement. Such a server could access any file on the client host to which the client user has read access. (A patched server could in fact reply with a file-transfer request to any statement, not just LOAD DATA LOCAL, so a more fundamental issue is that clients should not connect to untrusted servers.)

To combat this, most MySQL client implementations, especially those based on libmysql, have this behaviour disabled by default. However, this change was never applied to ruby-mysql (which is written in pure Ruby).

ruby-mysql is used in the exploitation framework Metasploit to allow the creation of modules that interact with MySQL database services. Thus, most MySQL-related modules are affected. A malicious MySQL server can exploit this to read sensitive files from the Metasploit host, for example the private SSH key of the user, or the Metasploit configuration file.
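The following is an added example, not code from ruby-mysql or Metasploit, showing the client-side guard a hardened MySQL client applies: it parses the server's LOCAL INFILE request packet (payload byte 0xFB followed by the filename) and only sends a file when the application explicitly opted in and the client itself issued a matching LOAD DATA LOCAL statement. The option name `local_infile` and the packet builder used to construct sample input are assumptions for this example.

```ruby
# Added example (not ruby-mysql's or Metasploit's code): a client-side guard for
# the server-initiated file request behind LOAD DATA LOCAL.
# MySQL packet layout: 3-byte little-endian payload length, 1-byte sequence id,
# then the payload. A LOCAL INFILE request payload is 0xFB + filename.
LOCAL_INFILE_REQUEST = 0xFB

# Builds a request packet; used here only to construct sample input.
def build_local_infile_request(filename, seq = 1)
  payload = [LOCAL_INFILE_REQUEST].pack('C') + filename
  len = payload.bytesize
  [len & 0xFF, (len >> 8) & 0xFF, (len >> 16) & 0xFF, seq].pack('C4') + payload
end

# Returns the filename the server asks for, or nil if the packet is not a
# LOCAL INFILE request (or is truncated).
def parse_local_infile_request(packet)
  return nil if packet.bytesize < 5
  b0, b1, b2, _seq = packet.byteslice(0, 4).unpack('C4')
  len = b0 | (b1 << 8) | (b2 << 16)
  payload = packet.byteslice(4, len)
  return nil if payload.nil? || payload.bytesize != len
  return nil unless payload.getbyte(0) == LOCAL_INFILE_REQUEST
  payload.byteslice(1, len - 1)
end

LOAD_DATA_LOCAL_RE =
  /\ALOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?LOCAL\s+INFILE\s+'([^']*)'/i

# Decides whether the client may honour a file request.
#   local_infile: true only if the application explicitly opted in (assumed
#                 option name; libmysql-based clients default to off).
#   last_query:   the statement this client actually sent.
# Returns [:ignore, nil], [:refuse, reason] or [:send, filename].
def handle_server_file_request(packet, local_infile:, last_query:)
  filename = parse_local_infile_request(packet)
  return [:ignore, nil] if filename.nil?
  return [:refuse, 'LOAD DATA LOCAL is disabled on this client'] unless local_infile
  m = LOAD_DATA_LOCAL_RE.match(last_query)
  return [:refuse, 'file request without a LOAD DATA LOCAL statement'] if m.nil?
  unless m[1] == filename
    return [:refuse, "server asked for #{filename.inspect}, statement named #{m[1].inspect}"]
  end
  [:send, filename]
end

# Constructed sample: a server answering a plain SELECT with a file request.
if __FILE__ == $PROGRAM_NAME
  pkt = build_local_infile_request('/etc/passwd')
  p handle_server_file_request(pkt, local_infile: false, last_query: 'SELECT 1')
end
```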

GitHub provides multiple existing implementations for such a malicious MySQL service.

Coordinated Disclosure Timeline

Note: Vulnerability disclosure to the ruby-mysql gem maintainer was handled by Rapid7.

  • 02/09/2021: Issue reported to Rapid7’s security contact as a Metasploit issue, #9286.
  • 07/09/2021: Rapid7 validated the issue, reserved CVE-2021-3779, and contacted the vulnerable gem maintainer, Tomita Masahiro.
  • 08/09/2021: Metasploit Framework temporary remediation committed.
  • 08/09/2021: Notified CERT/CC and RubyGems for disclosure coordination, as the gem appeared to be abandoned by the maintainer given no updates in several years.
  • 09/09/2021: Notified JPCERT/CC through VINCE on CERT/CC’s advice, as VU#541053.
  • 10/09/2021: JPCERT/CC acknowledged the issue and attempted to contact the gem maintainer.
  • 18/10/2021: Maintainer responded to JPCERT/CC, acknowledging the issue.
  • 22/10/2021: Fixed version 2.10.0 released; Rapid7 notified Hans-Martin of the fix.
  • 16/02/2022: CERT/CC asks for an update on the issue; Rapid7 communicates the fix to CERT/CC and JPCERT/CC.
  • 06/06/2022: CERT/CC asks for an update; Rapid7 commits to sharing disclosure documentation.
  • 14/06/2022: Rapid7 shares disclosure details with CERT/CC and Hans-Martin, and asks JPCERT/CC to communicate this document to Tomita.
  • 28/06/2022: Rapid7 blog post.