MySQL flaw allows attackers to easily connect to server
Posted on 11 June 2012.
A simple but serious MySQL and MariaDB authentication bypass flaw has been revealed by MariaDB security coordinator Sergei Golubchik, and exploits targeting it have already been found in the wild.


"When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256," Golubchik explained.

An attacker who knows a correct username (usually the ubiquitous "root") can easily connect using a random password by repeating connection attempts.

"~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent," wrote Golubchik.

The good news in all of this is that only MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 and are vulnerable, so its users should implement the patch (MariaDB, MySQL) immediately.

Metaisploit's HD Moore says that, so far, 64-bit versions of Ubuntu Linux, OpenSuSE 12.1 64-bit, Fedora 16 64-bit and Arch Linux have been found to have vulnerable MySQL releases, while a number of Debian, Gentoo, CentOS and SuSE versions - as well as the official builds from MySQL and MariaDB - seem not to be affected.

"If you are approaching this issue from the perspective of a penetration tester, this will be one of the most useful MySQL tricks for some time to come," he pointed out. "One feature of Metasploit you should be familiar with is the mysql_hashdump module. This module uses a known username and password to access the master user table of a MySQL server and dump it into a locally-stored 'loot' file. This can be easily cracked using a tool like John the Ripper, providing clear-text passwords that may provide further access."

He also added that one of the Metasploit contributors has committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database, making it possible to access the database using the cracked password hashes even if the flaw is fixed.

He advised administrators not to expose MySQL servers to the network unnecessarily, and if it must be done, to implement host-based access control.






Spotlight

The evolution of backup and disaster recovery

Posted on 25 July 2014.  |  Amanda Strassle, IT Senior Director of Data Center Service Delivery at Seagate Technology, talks about enterprise backup issues, illustrates how the cloud shaping an IT department's approach to backup and disaster recovery, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Mon, Jul 28th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //