CVE-2020-14027: Ozeki SMS Gateway "LOAD DATA LOCAL INFILE" Attack

The Ozeki SMS Gateway software, versions 4.17.6 and below, allows database connection strings that may contain custom unsafe arguments such as "ENABLE_LOCAL_INFILE".
This can be leveraged by attackers to trigger MySQL "LOAD DATA LOCAL INFILE" (Rogue MySQL Server) attacks.
Successful exploitation of this vulnerability can result in unauthorized read access to data accessible to the Ozeki Web Application (which usually runs with 'NT Authority\System' privileges).

Requirements:

This vulnerability requires:

  • Access to an Ozeki Web Application user that can create/modify DB Connections
  • "MYSQL ODBC" Driver to be installed on the target system

Proof Of Concept:

By default, the Windows "MYSQL ODBC" Driver does not allow the "Local_Infile" feature.

But, because we have full control over the connection string, we can enable this feature at the application level by adding the option "ENABLE_LOCAL_INFILE=1".

This will allow an attacker to use the MySQL Client Driver to read arbitrary files off the victim’s system. In this case we read the "user-admin.txt" config file.
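Because the root cause is that user-supplied connection strings are accepted with arbitrary options, one defensive check is an allowlist validator for ODBC connection strings. The following is an added example, not code from Ozeki or from the original disclosure; the allowed keyword set, the strict parsing rules, and the sample strings are assumptions.

```python
import re

# Assumption: the application only needs these connection-string keywords.
ALLOWED_KEYS = {"driver", "server", "port", "database", "uid", "pwd"}

# One "key=value" attribute. A value is either {braced} (and may then
# contain ';') or runs up to the next ';'. Keywords are case-insensitive.
_ATTR = re.compile(r"\s*([^=;{}]+?)\s*=\s*(\{[^}]*\}|[^;]*)\s*(?:;|$)")


def parse_conn_string(conn):
    """Return [(lowercased_key, value), ...]; raise ValueError if malformed."""
    attrs, pos = [], 0
    while pos < len(conn) and conn[pos:].strip():
        m = _ATTR.match(conn, pos)
        if not m:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((m.group(1).lower(), m.group(2).strip()))
        pos = m.end()
    return attrs


def validate(conn):
    """Return a list of findings; an empty list means the string is accepted."""
    try:
        attrs = parse_conn_string(conn)
    except ValueError as exc:
        return [str(exc)]  # fail closed on anything we cannot parse
    findings, seen = [], set()
    for key, _value in attrs:
        if key in seen:
            findings.append(f"duplicate keyword: {key}")
        seen.add(key)
        if key not in ALLOWED_KEYS:
            findings.append(f"keyword not allowed: {key}")
    return findings


# Constructed sample inputs (host, database and credentials are placeholders).
SAFE = (
    "DRIVER={MySQL ODBC 8.0 Unicode Driver};SERVER=db.example.internal;"
    "PORT=3306;DATABASE=sms;UID=app;PWD={p;w}"
)
UNSAFE = SAFE + ";Enable_Local_Infile = 1"

if __name__ == "__main__":
    for s in (SAFE, UNSAFE):
        print(validate(s) or "ok")
```

An allowlist is used instead of a blocklist for "ENABLE_LOCAL_INFILE" so that case variations, extra whitespace, and other driver options not anticipated here are rejected as well.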