Thursday, June 14, 2012

MySQL, CANVAS, and you

The latest MySQL vulnerability is a bit of a weird one - it's a bug in the underlying LibC which means that memcmp is broken in many cases. This is only the case on modern x64 machines, in certain configurations.

Actually exploiting this remotely over the Internet is probably a rare thing. Not only is MySQL rarely exposed, but if you are crazy enough to expose MySQL to the public, then it's more than likely you can't afford a x64 machine or virtual host. We expect our CANVAS customers will largely use this module for internal testing.

So without further ado, here's a movie of Immunity's implementation of it, with some penetration testing ideas for your perusal. You can view it in high quality here, or below in blurry blogger-view.

No comments: