[Grum, World's Third-Largest Botnet, Knocked Down]

Merge topics cu asta ??

Oups! Mersi ca ai adus in atentie.

Eu spun ca merge, nu este mentionat in acel thread link-ul catre blog,desi cineva ar putea da un Google Search cu informatiile din el pentru a il gasi sau sa il ia de pe site-ul sursei.

[Grum, World's Third-Largest Botnet, Knocked Down]

I am glad to announce that, after three days of effort, the Grum botnet has finally been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned. How it all happened is a long story, but I would like to summarize it for you.

The state of the Grum botnet has changed since we last talked (see previous posts here and here for a look back). On July 16, I reported that while CnC servers in Panama and Russia were alive, shutting down the Dutch server had at least made a dent in this botnet. On the morning of July 17, we at FireEye got the news that the server in Panama was no longer active. The ISP owning this server at last buckled under the pressure applied by the community. It was great news. The shutdown of the Panamanian server meant a lot. I explained in my earlier post that Grum was comprised of two different segments. One was being controlled from Panama and one from Russia.

[...]

According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has reduced to 21,505. I hope that once the spam templates expire, the rest of the spam with fade away as well.

[...]

Grum's takedown resulted from the efforts of many individuals. This collaboration is sending a strong message to all the spammers:

"Stop sending us spam. We don't need your cheap Viagra or fake Rolex. Do something else, work in a Subway or McDonalds, or sell hotdogs, but don't send us spam."

Full article

More related

[Angajam programator]

PROGRAMATOR AUTOIT , UBOT la SC ONLINE ADVERTISING INTERNATIONAL SRL, BUCURESTI, Sector 3 - BestJobs

[Pareri configuratie mini ITX]

Am configurat un pc mini ITX, care cu putin noroc o sa il achizitionez.

Am zis sa pun un post pe forum si sa va dati cu parerea si voi despre acest pc.

Link: eMAG.ro

Este configurat de mine, mie mi se pare destul de bun, pentru ceea ce vreau sa fac eu cu el.

-gaming

-photoshop, ae, cinema 4d

Astept si parerile voastre.

Slab procesorul pentru AE.

[Yahoo's password hack shows that it failed security 101]

Avand in vedere autorul articolului (CNN - yeacks) stim cu totii ca buletinele de stiri (si companiile/bransele asociate) mananca mereu rahat cand vine vorba de acest domeniu. Oricum:

As 450,000 passwords exposed, Yahoo fails security 101 -- If it wasn't clear before, it certainly is now: Your username and password are almost impossible to keep safe. Nearly 443,000 e-mail addresses and passwords for a Yahoo site were exposed late Wednesday. The impact stretched beyond Yahoo because the site allowed users to log in with credentials from other sites -- which meant that user names and passwords for Yahoo (YHOO, Fortune 500), Google's (GOOG, Fortune 500) Gmail, Microsoft's (MSFT, Fortune 500) Hotmail, AOL (AOL) and many other e-mail hosts were among those posted publicly on a hacker forum.

Full article: Yahoo fails security 101 as 443,000 passwords exposed - Jul. 12, 2012

Sursa: Yahoo's password hack shows that it failed security 101 - The Community's Center for Security

[Mandriva: 2012:105: pidgin]

Problem Description:

 A vulnerability has been discovered and corrected in pidgin:

 Incorrect handing of inline images in incoming instant messages can
 cause a buffer overflow and in some cases can be exploited to execute
 arbitrary code (CVE-2012-3374).

 This update provides pidgin 2.10.6, which is not vulnerable to
 this issue.

Sursa: Mandriva: 2012:105: pidgin - The Community's Center for Security

[Mandriva: 2012:104: openjpeg]

Pentru cei ce cred ca imaginile nu sunt periculoase: cititi in continuare.

Problem Description:

 Multiple vulnerabilities has been discovered and corrected in openjpeg:

 OpenJPEG allocated insufficient memory when encoding JPEG 2000 files
 from input images that have certain color depths. A remote attacker
 could provide a specially-crafted image file that, when opened in an
 application linked against OpenJPEG (such as image_to_j2k), would cause
 the application to crash or, potentially, execute arbitrary code with
 the privileges of the user running the application (CVE-2009-5030).

 An input validation flaw, leading to a heap-based buffer overflow,
 was found in the way OpenJPEG handled the tile number and size in an
 image tile header. A remote attacker could provide a specially-crafted
 image file that, when decoded using an application linked against
 OpenJPEG, would cause the application to crash or, potentially,
 execute arbitrary code with the privileges of the user running the
 application (CVE-2012-3358).

 The updated packages have been patched to correct these issues.

Sursa: Mandriva: 2012:104: openjpeg - The Community's Center for Security

[Atomic bomb [Challenge]]

[Reversing the bomb by example]

nici eu, asta m-a încurcat , când am v?zut c? flubber l-a modificat ?i n-a zis nimic mi-am dat seama, dar n-am mai avut timp s-o rezolv . mai a?tept?m challenge-uri de genul !

Ce-i drept, si pe mine m-a derutat la inceput cand i-am facut o analiza superficiala. M-am orientat catre valori ca in post-ul #3 a lui pyth0n3 din acest thread, insa dupa un timp i-am trimis PM cu screenshot[1], la care raspunsul a fost sa public binarul.

[1] Screenshot cu challenge-ul rezolvat in Slackware:

[TinKode - Acta - Anon - Regulament]

Cam tarziu (am zis ca o sa postez insa am uitat, iar prin articolul scris de Nemessis, mi-am amintit), insa acestia sunt veneratii Anonymous:

Sincer sa fiu, habar nu am cum au reusit sa intre la o asemenea conferinta, este incredibil. M-a lasat uimit si in acelasi timp dezgustat, mai ales dupa ce m-am uitat la tot clipul.

[Disarm the bomb by cutting the correct wires [CHALLENGE]]

Download bomb.disarmed from Sendspace.com - send big files the easy way

[Basic GAS AT&T Assembly Syntax [Tutorial]]

Am inteles acum la ce te referi tu. Top-ul ca fiind in ordine inversa dupa modelul LIFO (Last In First Out) ar reprezenta top-ul ca fiind ultimul element impins pe stack, asemenator ultimului prosop pus in cosul de rufe este primul ce va fi scos din cosul de rufe. Eu luasem in ordinea in care se executa instructiile, topul pentru mine fiind EBP pentru acel segment, insa ce-i drept, ESP la returnare va spune lui EBP care va fi baza in urmatorul segment.

Ai dreptate in privinta modelului LIFO, scuze. Abordam diferit.

[Basic GAS AT&T Assembly Syntax [Tutorial]]

[...]

Oricum inainte ca valoarea ESP sa fie copiata in EBP , valoarea pe care o are EBP initial vine copiata in stack deoarece EBP la randul lui poate fi folosit in diferite functii.Deci presupunem ca se impinge pe stack adresa de return , in acest moment vine impinsa pe stack si valoarea pe care o detine EBP in momentul respectiv (o copie de backup) dupa care ESP vine copiat in EBP .

[...]

STACK SEGMENT
 ----------- 
 - address -
 -----------
 - address -
 -----------
 - address -
 -----------
 -  return -
 ----------- 
 - EBP(bck)-
 -----------   <- EBP preia ESP aici dupa ce si-a facut o copie de backup pe stack 
 - address -
 -----------   <- ESP devine dinamic de aici 

Doar ca nu am explicat in detaliu conceptul de memory segmentation si de aceea nu am vrut sa vorbesc despre STACK mai mult decat sa ii pomenesc numele.

Intocmai. In cazul care l-am prezentat singura functie este main(), insa chiar daca ar fi fost alte functii (declarate dupa main() si folosite ulterior in aceasta) la fiecare CALL atunci cand se intra in functie, se impinge pe stack o adresa de return insa si EBP, iar valoarea lui ESP este din nou copiata in EBP, insa asa cum ai mentionat si tu, este pentru acel segment de memorie (alocat functiei), in exemplul scris de mine, asta inseamna pana la RET, dupa care la intoarcerea din functie (prin adresa impinsa la inceput de return) valorile revin in registrii si depinzand de functie, valoarea computatiei este returnata in EAX (de cele mai multe ori asa se intampla, EAX fiind Accumulator).

Eu am mentionat faptul ca in post ai scris despre ESP ca acesta arata mereu topul stack-ului cand de fapt, el creste spre 0xffffffff (downwards), iar EBP ramane static. Acesta este motivul pentru care am spus ca faci confuzie, faptul ca trebuia sa specifici EBP in loc de ESP (desi afirmatia ta este partial adevarata, ESP arata pentru inceput top-ul stack-ului pana ce valoarea acestuia este copiata in EBP pentru segmentul respectiv in care se opereaza, iar apoi revenind la segmentul anterior, valorile vor corespunde respectivului pentru a continua flow-ul programului).

[Basic GAS AT&T Assembly Syntax [Tutorial]]

Bineinteles m/am referit la ESP (Extended Stack Pointer) care va sta intotdeauna in top la stack si la EIP (Extended Istruction Pointer( care va detine adresa urmatoarei instructii care vine executate.E doar o greseala de exprimare in context pe care am facuto.

Cred ca faci confuzie intre ESP si EBP.

La inceputul unui executabil in debugger (gdb spre exemplu), valoarea lui ESP este copiata in EBP. Din acest moment EBP va servi ca Base Pointer, iar Stack Pointer-ul (SP) va avea valori diferite acestea depinzand de flow-ul programului si ce se executa (operatii de PUSH, POP, CALL etc.). EBP va avea mereu (spre exemplu) valoarea 0 fiindca ESP se va referi la EBP cand va face diferite "salturi".

Spre exemplu intr-un CALL atunci cand se intra in el pentru executarea continutului, se impinge pe stack o adresa de return, la operatia PUSH a acestei adrese, ESP se va schimba si va folosi EBP pe post de referinta.

[B]$> gcc -g hello.c -o hello[/B]
[B]
$> gdb -q hello[/B]
Reading symbols from /home/x/Desktop/hello...done.
[B](gdb) disassemble main[/B]
Dump of assembler code for function main:
   0x080483b4 <+0>:    push   %ebp[B]    # Extended Base Pointer pe stack[/B] [COLOR=#b22222][B][1][/B][/COLOR]
   0x080483b5 <+1>:    mov    %esp,%ebp    [B]# valoarea lui ESP [/B][B]copiata in EBP - din acest moment EBP va fi "base pointer", 
                 va arata [I]"TOP-ul stack-ului"[/I] in timp ce ESP  va creste in jos (catre 0xffffffff)[/B] [COLOR=#b22222][B][2][/B][/COLOR]
   0x080483b7 <+3>:    and    $0xfffffff0,%esp    [B]# operatie AND[/B] [COLOR=#b22222][B][3][/B][/COLOR]
   0x080483ba <+6>:    sub    $0x10,%esp    [B]# esp - 10[/B]
   0x080483bd <+9>:    movl   $0x8048494,(%esp)    [B]# esp == functia __dso_handle [COLOR=#b22222][4][/COLOR][/B]
   0x080483c4 <+16>:    call   0x80482f0 <puts@plt>    [B]# printf[/B]
   0x080483c9 <+21>:    leave  
   0x080483ca <+22>:    ret    
End of assembler dump.

[4] __dso_handle:

[B](gdb) disassemble 0x8048494[/B]
Dump of assembler code for function __dso_handle:
   0x08048490 <+0>:    add    %al,(%eax)
   0x08048492 <+2>:    add    %al,(%eax)
   0x08048494 <+4>:    dec    %eax
   0x08048495 <+5>:    gs
   0x08048496 <+6>:    insb   (%dx),%es:(%edi)
   0x08048497 <+7>:    insb   (%dx),%es:(%edi)
   0x08048498 <+8>:    outsl  %ds:(%esi),(%dx)
   0x08048499 <+9>:    and    %dh,0x6f(%edi)
   0x0804849c <+12>:    jb     0x804850a
   0x0804849e <+14>:    and    %eax,%fs:(%eax)
End of assembler dump.

[1] 0x080483b4 => valoarea lui ESP in hex la "PUSH EBP" (inainte sa se execute)

[B](gdb) break *0x080483b4[/B]
Breakpoint 1 at 0x80483b4: file hello.c, line 4.
[B](gdb) break *0x080483b5[/B]
Breakpoint 2 at 0x80483b5: file hello.c, line 4.
[B](gdb) break *0x080483b7[/B]
Breakpoint 3 at 0x80483b7: file hello.c, line 4.
[B](gdb) run[/B][I]    [...][/I]


Breakpoint 1, main () at hello.c:4
4    {

[B](gdb) x/h $esp[/B]
0xbffff36c:    0x1ce6    [B]# 7398[/B][B](d)[/B]

[2] 0x080483b5 => valorile lui ESP si EBP in hex dupa ce "PUSH EBP" s-a executat

[B](gdb) continue[/B]
Continuing.

Breakpoint 2, 0x080483b5 in main () at hello.c:4
4    {
[B](gdb) x/h $esp[/B]
0xbffff368:    -3096
[B](gdb) x/h $ebp[/B]
0xbffff3e8:    0    [B]# valoare 0 fiindca a fost impins pe STACK, iar registrul este "initializat" 
                             (este pregatit pentru viitoare operatii) cu valoare 0[/B]

[3] 0x080483b7 => valorile lui ESP si EBP dupa ce s-a executat instructia de "MOV ESP, EBP"

[B](gdb) continue[/B]
Continuing.

Breakpoint 3, 0x080483b7 in main () at hello.c:4
4    {
[B](gdb) x/h $esp[/B]
0xbffff368:    -3096
[B](gdb) x/h $ebp[/B]
0xbffff368:    -3096

Din acest moment, ESP va fi dinamic (isi va schimba valoarea in functie de flow-ul programului), iar EBP nu, el va fi folosit drept referinta (de-aia este si numit Base Pointer).

[B](gdb) disassemble main[/B]
Dump of assembler code for function main:
   0x080483b4 <+0>:    push   %ebp
   0x080483b5 <+1>:    mov    %esp,%ebp
=> 0x080483b7 <+3>:    and    $0xfffffff0,%esp
   0x080483ba <+6>:    sub    $0x10,%esp
   0x080483bd <+9>:    movl   $0x8048494,(%esp)
   0x080483c4 <+16>:    call   0x80482f0 <puts@plt>
   0x080483c9 <+21>:    leave  
   0x080483ca <+22>:    ret    
End of assembler dump.
[B](gdb) break *0x080483c4[/B]
Breakpoint 4 at 0x80483c4: file hello.c, line 5.
[B](gdb) continue[/B]
Continuing.

Breakpoint 4, 0x080483c4 in main () at hello.c:5
5        printf("Hello world!\n");
[B](gdb) stepi[/B]
0x080482f0 in puts@plt ()
[B](gdb) x/h $esp[/B]
0xbffff34c:    -31799
[B](gdb) x/h $ebp[/B]
0xbffff368:    -3096    [B]#[/B] [B]valoarea lui EBP a ramas ca la inceput, neschimbata[/B]

[Basic GAS AT&T Assembly Syntax [Tutorial]]

Felicitari pentru tutorial. Intr-adevar sunt mai multe greseli, si anume:

Dupa cum observati unii registrii au anumite valori precum registrul ESP care va avea intotdeuna o adresa de memorie si anume adresa dintyrun anumit segment de memorie chemat stack (probabil este interesant atunci cand se va scrie un exploit , stack overflow spre exemplu sau buffer overflow).

EIP va detine intotdeuna adresa din top a segmentului de memorie chemat stack. <- ai vrut sa spui ca EBP (Extended Base Pointer) detine adresa din topul stack-ului

[...]

In ultima bucata de cod exista o greseala, astept sa imi spuneti unde e

Eroarea se afla atunci cand este specificata lungimea string-ului ASCII ce trebuie printat de functia "write()"

.text    # codul in sine

.globl _start

_start:
pushl $0x0a6b6f    #  0a 6b 6f(h) => ASCII "\nko" 0a [\n] ; 6b [k] ; 6f [o] -- (little-endian)
mov %esp, %ecx   # muta valoarea lui esp in ecx (dupa schema folosita de AT&T)

mov $0x4, %edx   # 4h in EDX -- functia write
mov $0x4, %eax   # ce ia ca parametru 4h (4d) lungimea string, de fapt trebuie 3      ( len("ok\n") == 3 )

# exit(0)
movl $1, %eax    # exit
movl $0, %eb     # return code 0

int $0x80   # tipic Linux -- process interrupt (pe viitor daca se va discuta despre Exploit Development, modelul Linux-ului de abordare prin process interrupt prezinta o mare gaura de securitate)

Si apropo, ai spus

Vom stampa "OK" pe ecran intrun mod divers sintaxa pentr 32 bit

0x6f 0x6b == "ok" (lower case) , insa ai mentionat "OK" (upper case) in hex asta inseamna: 0x4f 0x4b

Pentru cine vrea sa invete mai multe: The Art of Assembly -- ce foloseste HLA (High Level Assembly -- ce este specificat si de pyth0n3 in primul post din thread)

Insa cine vrea hardcore (pe romaneste: ceva de calitate), sa citeasca manualele de la Intel (cine cauta va fi rasplatit si cine cauta cu adevarat inseamna ca este interesat, Google pentru download link).

[[WEBCAST] CEH Exam Prep Clinic (Part 2/2)]

Pe cine intereseaza, incepe in 24 de ore pe BrightTALK:

http://www.brighttalk.com/webcast/5418/47639

Dureaza doua ore, iar inregistrarea este necesara (din pacate).

Alte webcast-uri - 27,28 Iunie:

Webcast: Jun 27 2012 10:00 pm Where to Begin With GRC in the Cloud? IAAS, PAAS and SAAS
Channel: Information Security Community
Attend: [URL]http://www.brighttalk.com/webcast/5418/46117[/URL]


Webcast: Jun 28 2012 9:00 pm Adobe Acrobat X: Reduce Risk and Protect Documents
Channel: Information Security Community
Attend: [URL]http://www.brighttalk.com/webcast/5418/49457[/URL]

Mai multe despre: CEH (Certified Ethical Hacker) | BrightTALK

[Debian: 2502-1: python-crypto: programming error]

(Jun 24) It was discovered that that the ElGamal code in PythonCrypto, a collection of cryptographic algorithms and protocols for Python used insecure insufficient prime numbers in key generation, which lead to a weakened signature or public key space, allowing easier brute force.

[FONT=Courier]- -------------------------------------------------------------------------
Debian Security Advisory DSA-2502-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
June 24, 2012                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-crypto
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-241[/FONT][FONT=Courier]
[/FONT]

[More...]

[Sugestie limbaj programare.]

In C/C++ chemi doar o functie print cu un exit status

Poftim ti-am tradus codul in assembly AT&T Syntax pentru procesoarele Intel 32 biti

Rezultatul este echivalent cu ceea ce ai scris in C/C++ mai sus sau cu "print hello world" in python doar ca ii spun direct procesorului ce sa faca.

#Declar o sectiune .data pentru a stoca date
.data
#Declar un handler HAND care va detine datele pe care le voi procesa  
HAND: 
#Declar tipul de date .ascii
    .ascii"Hello World\n"

#Declar o sectiune .text care va detine instructiile necesare 
#pentru a processa datele din sectiunea data 
.text

#Declar o sectiune .globl unde voi chema  functii/librarii externe 
#pentru a procesa datele din sectiunea .data 
    .globl _start 

#De la sectiunea _start: incep sa execut instructiile     
_start:
    movl $4,    %eax  #chem in registrul eax functia write (syscall) 
    movl $1,    %ebx  #specific in registrul ebx parametrul functiei (standard output)
    movl $HAND,    %ecx  #chem in registrul ecx adresa in memorie a datelor declarate in HAND 
    movl $12,       %edx  #mut in registrul edx lungimea caracterelor din HAND 

#cu urmatoare instructie ii dau un ordin procesorului sa renunte la ceea ce face si sa faca ceea 
#ce este pus in registrul eax si anume valoarea 4 care corespunde la (write syscall) care nu face 
#altceva decat sa stampeze pe ecran datele care se gasesc la adresa din registrul ecx.
#in sistemele Linux semnalul va fi trimis la CPU de catre Kernel
    int  $0x80       

#Ies din program 
    movl $1,    %eax #chem in registrul eax functia exit (syscall) 
    movl $0,    %ebx #chem in registrul ebx parametrul functiei care de fapt este un exit status 0
# ii dau un ordin procesorului sa execute ceea ce vede in eax acum si anume functia exit     
    int  $0x80

Si uite asa am mai invatat cate ceva despre syscalls in Linux.

Destul de interesant sa cunosti cum se lucreaza sub capota. Mai multe detalii (pe i86) la adresa urmatoare

http://tldp.org/LDP/khg/HyperNews/get/syscall/syscall86.html

[Office 2007 Exploit *UD*]

Se poate sa dai mai multe detalii?

???????

[Administrare pachete software - Linux]

Un examen LPI se bazeaza pe teorie in schimb un RHCSA pe practica.Intrun examen RHCSA daca ai o problema de tipul [...]

Sa nu uitam insa ca intai ti se face training, iar apoi se ia cursul. Insa majoritatea companiilor mari cer acest certificat de la un System Administrator (mai ales daca in acea companie se lucreaza cu sisteme RHEL), iar daca nu, reprezinta un (mare - in opinia mea) plus sa il ai.

Nu doar teoria este indeajuns, insa nici doar practica. Practica fara teorie nu exista, iar teoria de viitor (avansul si imbunatatirea tehnologica?) fara practica tot nu exista, altfel am fi visat cai verzi pe tavan, precum fac regizorii de filme cand vine vorba de scenariu cu hackeri (la o apasare de buton se realizeaza o pana de curent la nivel global, haha).

Puteti vedea video-uri de la RedHat, unele legate de aceste examene (RHCSA, RHCE, RH124, RH290 etc.) la adresa:

http://www.youtube.com/user/RedHatVideos

[Linux Security Audit]

Pe linux ai chattr.

Pe FreeBSD poti folosi chflags (in functie de securelevel, doar in single mai stergi ceva, sau reboot cu alt securelevel)

"A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute."

idsplus ~ # touch rstcenter
idsplus ~ # chattr +i rstcenter 
idsplus ~ # ls -la rstcenter 
-rw-r--r-- 1 root root 0 Jun 17 19:12 rstcenter
idsplus ~ # id
uid=0(root) gid=0(root) groups=0(root)
idsplus ~ # rm rstcenter 
rm: remove regular empty file `rstcenter'? yes
rm: cannot remove `rstcenter': Operation not permitted
idsplus ~ # chattr -i rstcenter 
idsplus ~ # rm rstcenter 
rm: remove regular empty file `rstcenter'? yes
idsplus ~ # 

Mersi frumos, insa, inca mai vreau sa vad sursa ...

Da, curiozitatea moare ultima.

[Linux Security Audit]

Am creat 2 executabile

Unul blocheaza fisierul iar al doilea il deblocheaza, trebuie rulat cu drepturi administrative

Un fisier blocat nu poate fi sters si nici modificat de catre nimeni, nici macar de catre root

USAGE: UnBlock <filename>

USAGE: Block <filename>

Va arata un 0 daca operatiunea a fost executata sau nimic in momentul in care operatiunea nu a fost executata

[...]

Vreo sansa sa imparti codul sursa si cu noi (*whisper*sau macar prin private message hehe*whisper*)?

[Unde e 1 euro?]

Fun facts:

[Linus Torvalds, creatorul Linux, a primit "Nobel-ul" pentru tehnologie]

[...]Cei doi au fost nominalizati ca finalisti ai Millenium Technology Prize inca din luna mai, dar decizia de a le acorda premiul amandurora i-a surprins pe multi.

Oare? Era mai bine sa dea 1.2 milioane de euro fiecaruia sau sa imparta suma la doi si sa scape mai ieftin?

Oricum, felicitari lor.

[MySQL Remote Root Authentication Bypass]

Nici mie nu prea mi-a venit a crede insa mai jos este explicatia (sursa: oss-sec: Security vulnerability in MySQL/MariaDB sql/password.c specificata si in articol/exploit)

All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are
vulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

This issue got assigned an id CVE-2012-2122.

Here's the issue. When a user connects to MariaDB/MySQL, a token (SHA
over a password and a random scramble string) is calculated and compared
with the expected value. Because of incorrect casting, it might've
happened that the token and the expected value were considered equal,
even if the memcmp() returned a non-zero value. In this case
MySQL/MariaDB would think that the password is correct, even while it is
not.  Because the protocol uses random strings, the probability of
hitting this bug is about 1/256.

Which means, if one knows a user name to connect (and "root" almost
always exists), she can connect using *any* password by repeating
connection attempts. ~300 attempts takes only a fraction of second, so
basically account password protection is as good as nonexistent. 
Any client will do, there's no need for a special libmysqlclient library.

But practically it's better than it looks - many MySQL/MariaDB builds
are not affected by this bug.

Whether a particular build of MySQL or MariaDB is vulnerable, depends on
how and where it was built. A prerequisite is a memcmp() that can return
an arbitrary integer (outside of -128..127 range). To my knowledge gcc
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
sse-optimized memcmp is not safe, but gcc usually uses the inlined
builtin version.

As far as I know, official vendor MySQL and MariaDB binaries are not
vulnerable.

Regards,
Sergei Golubchik
MariaDB Security Coordinator

References:

MariaDB bug report: [URL]https://mariadb.atlassian.net/browse/MDEV-212[/URL]
MariaDB fix: [URL="http://bazaar.launchpad.net/%7Emaria-captains/maria/5.1/revision/3144"]http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3144[/URL]

MySQL bug report: [URL="http://bugs.mysql.com/bug.php?id=64884"]MySQL Bugs: #64884: logins with incorrect password are allowed[/URL]
MySQL fix: [URL="http://bazaar.launchpad.net/%7Emysql/mysql-server/5.1/revision/3560.10.17"]http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17[/URL]
MySQL changelog:
  [URL="http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html"]MySQL :: MySQL 5.1 Reference Manual :: D.1.2 Changes in MySQL 5.1.63 (07 May 2012)[/URL]
  [URL="http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html"]MySQL :: MySQL 5.5 Reference Manual :: D.1.3 Changes in MySQL 5.5.24 (07 May 2012)[/URL]