aiomysql Arbitrary File Access Vulnerability via LOAD_LOCAL Instruction

Vulnerability

A vulnerability in aiomysql, a library for accessing MySQL databases asynchronously, allows arbitrary files to be accessed from the client and sent to a MySQL server. This issue exists in versions through 0.2.0, as the library does not properly check client-side settings before transmitting local files. A malicious MySQL server can exploit this by emulating authorization, disregarding client flags, and requesting files using a LOAD_LOCAL instruction packet. The vulnerability has been patched in version 0.3.0.

Impact

Exploitation of this vulnerability allows a rogue MySQL server to read arbitrary files from the client's filesystem, posing a significant risk of unauthorized data exposure.

Reproduction

To reproduce this vulnerability, first set up a rogue MySQL server that ignores client flags and can send LOAD_LOCAL packets. This can be done using a published tool designed for this purpose. Once the server is running, connect to it using aiomysql with the local_infile option disabled. The server will then be able to request files from the client, bypassing the intended safeguards.

Remediation

Users can upgrade to aiomysql version 0.3.0 or later, where this vulnerability has been fixed.
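The guard below is an added example, not aiomysql's own code or its 0.3.0 patch; it shows the client-side check the description above calls for: a client that has local_infile disabled must refuse a server-initiated LOAD_LOCAL request on its own, because a rogue server can simply ignore the capability flags the client sent at handshake. It relies on three public MySQL protocol facts (the server's LOCAL INFILE request payload begins with byte 0xFB followed by the file name, the CLIENT_LOCAL_FILES capability flag is 0x80, and the client aborts the transfer by answering with an empty packet); the sample packets and the file name in them are constructed for the demonstration.

```python
"""Client-side guard against server-initiated LOCAL INFILE requests.

Added example, not aiomysql's code. A hostile MySQL server can disregard
the capability flags a client advertised and send a LOCAL INFILE request
anyway, so the refusal has to happen on the client, per packet.
"""

# MySQL protocol facts used by this example.
LOCAL_INFILE_REQUEST = 0xFB   # first payload byte of a "LOCAL INFILE request"
CLIENT_LOCAL_FILES = 0x80     # capability flag a client sets when local_infile is on


def capability_flags(local_infile: bool, base_flags: int = 0) -> int:
    """Set or clear CLIENT_LOCAL_FILES in the handshake capability flags.

    Sending the right flags is necessary but not sufficient: the server may
    ignore them, which is exactly the bug class this page describes.
    """
    if local_infile:
        return base_flags | CLIENT_LOCAL_FILES
    return base_flags & ~CLIENT_LOCAL_FILES


def build_packet(payload: bytes, seq: int) -> bytes:
    """Wrap a payload in a MySQL packet: 3-byte little-endian length + sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def parse_packet(raw: bytes) -> tuple[int, bytes]:
    """Split a raw MySQL packet into (sequence id, payload), rejecting short input."""
    if len(raw) < 4:
        raise ValueError("packet shorter than the 4-byte header")
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    return raw[3], payload


def handle_query_response(raw: bytes, local_infile: bool) -> dict:
    """Classify the first server packet after COM_QUERY.

    Returns a dict with:
      action   - "normal" (OK/ERR/result set, handled elsewhere),
                 "send_file" (request honoured because local_infile is on), or
                 "refuse" (request received while local_infile is off)
      filename - the path the server asked for, if any
      reply    - bytes the client must send back; on refusal this is the empty
                 packet that aborts the transfer without reading any file
    """
    seq, payload = parse_packet(raw)
    if not payload or payload[0] != LOCAL_INFILE_REQUEST:
        return {"action": "normal", "filename": None, "reply": None}
    filename = payload[1:].decode("utf-8", "replace")
    if not local_infile:
        # We never advertised CLIENT_LOCAL_FILES, so this request means the
        # server is ignoring our flags. Abort with an empty packet and let the
        # caller surface an error; never touch the local filesystem.
        return {"action": "refuse", "filename": filename,
                "reply": build_packet(b"", seq + 1)}
    return {"action": "send_file", "filename": filename, "reply": None}


# Constructed sample traffic (not captured from any real server).
ROGUE_REQUEST = build_packet(bytes([LOCAL_INFILE_REQUEST]) + b"/tmp/example.txt", 1)
OK_PACKET = build_packet(b"\x00\x00\x00\x02\x00\x00\x00", 1)  # OK, 0 rows, autocommit

if __name__ == "__main__":
    for name, pkt in (("rogue LOCAL INFILE request", ROGUE_REQUEST), ("plain OK", OK_PACKET)):
        result = handle_query_response(pkt, local_infile=False)
        print(f"{name}: action={result['action']} filename={result['filename']!r}")
```

In a real client this check sits in the result-reading path, immediately after the query is sent; on "refuse" the client writes the empty reply, reads the server's following OK or ERR packet, and raises so the application sees that a server tried to pull a local file. Logging the requested path at that point gives operators a concrete detection signal for a rogue server.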

Added: Oct 22, 2025, 8:17 PM
Updated: Oct 22, 2025, 9:13 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          2.5
exploitability  7.6
remediation     7.7
relevance       0.8
threat          6.4
urgency         2.9
incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.