Atomic Honeypot: A MySQL Honeypot That Drops Shells
Meet an attacking MySQL honeypot which can “attack the attackers”. In
2023 we found a CVE (CVE-2023-21980) in MySQL that allows a rogue
MySQL “server” to attack a client connecting to it, where attack means
RCE on the client side. Since then we have been thinking about how to
use it for good. One obvious application is a honeypot which attacks
the attackers. In 2024 we found another RCE in the mysqldump utility
(CVE-2024-21096), so we created a rogue MySQL server and weaponized it
with a chain of 3 vulnerabilities: 1/ arbitrary file read, 2/ the RCE
from 2023 (CVE-2023-21980), 3/ the new RCE (CVE-2024-21096). With this
atomic honeypot we were able to discover 2 new attacks against MySQL
server. Using the arbitrary file read vulnerability in MySQL we were
able to download and analyze the attackers’ code and then execute an
“attack against attackers” using a chain of exploits.
DETAILED OUTLINE:
1. Introduction
a. We will start with a short pre-recorded demo: an attacker
connects to the MySQL honeypot, thinking it is a MySQL server, with
the intention of performing a ransomware attack; we then get shell
access on the attacker’s box.
2. Part 1: MySQL background
We will first explain the MySQL protocol and how it works, to
demonstrate how the “rogue” server can attack an unsuspecting MySQL
client.
A demonstration of the 2019 and 2023 CVEs (CVE-2023-21980), explaining
how they can be used by the “rogue server” to attack a MySQL client;
this includes a pre-recorded demo. This part is for background only;
the details were released last year.
A demonstration of the new RCE (CVE-2024-21096) in mysqldump. This is
a newly discovered vulnerability which was recently fixed in MySQL;
this part includes a pre-recorded demo. This part is new and the
details will be released for the first time.
3. Part 2: Honeypot
Attacking MySQL honeypot: we then show how we weaponized the 2 RCEs to
“attack the attackers” and establish a reverse shell on the attacker’s
system.
A pre-recorded full demo will follow.
4. Conclusion