MySQL flaw allows attackers to easily connect to server
Posted on 11 June 2012.
A simple but serious MySQL and MariaDB authentication bypass flaw has been revealed by MariaDB security coordinator Sergei Golubchik, and exploits targeting it have already been found in the wild.


"When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256," Golubchik explained.

An attacker who knows a correct username (usually the ubiquitous "root") can easily connect using a random password by repeating connection attempts.

"~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent," wrote Golubchik.
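The casting flaw Golubchik describes can be reproduced in a few lines of C. This is an added illustration, not MySQL or MariaDB source code: the type `bool8` and all function names are hypothetical, and treating every compare result from 1 to 65536 as equally likely is a simplifying assumption. The C standard fixes only the sign of `memcmp()`'s return value, so an implementation may return integers that do not fit in 8 bits.

```c
#include <stdio.h>
#include <string.h>

typedef char bool8;   /* hypothetical 8-bit boolean type */

/* Flawed pattern: the int compare result is narrowed to 8 bits.
   A non-zero result whose low byte is 0 (0x100, 0x200, ...) becomes 0,
   which the caller reads as "tokens match". */
static bool8 mismatch_truncated(int cmp) {
    return (bool8)cmp;
}

/* Corrected pattern: reduce to 0/1 before narrowing. */
static bool8 mismatch_fixed(int cmp) {
    return (bool8)(cmp != 0);
}

/* Token check built on the corrected pattern. Returns 1 on match. */
static int token_matches(const unsigned char *got,
                         const unsigned char *want, size_t n) {
    return !mismatch_fixed(memcmp(got, want, n));
}

/* Count non-zero compare results in 1..limit that the flawed check accepts. */
static int false_accepts(int limit) {
    int hits = 0;
    for (int cmp = 1; cmp <= limit; cmp++)
        if (mismatch_truncated(cmp) == 0)
            hits++;
    return hits;
}

int main(void) {
    /* Constructed sample tokens, not real scramble output. */
    const unsigned char want[4] = {0xde, 0xad, 0xbe, 0xef};
    const unsigned char bad[4]  = {0x00, 0x11, 0x22, 0x33};
    printf("cmp=0x100: truncated mismatch=%d, fixed mismatch=%d\n",
           mismatch_truncated(0x100), mismatch_fixed(0x100));
    printf("false accepts in 1..65536: %d (1 in %d)\n",
           false_accepts(65536), 65536 / false_accepts(65536));
    printf("token_matches(bad)=%d token_matches(want)=%d\n",
           token_matches(bad, want, 4), token_matches(want, want, 4));
    return 0;
}
```

Compiling with `-Wconversion` flags the implicit form of this narrowing, which makes it a useful audit switch for code that returns comparison results through small integer types.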

The good news in all of this is that only MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are vulnerable, so their users should apply the patch (MariaDB, MySQL) immediately.

Metasploit's HD Moore says that, so far, 64-bit versions of Ubuntu Linux, OpenSuSE 12.1 64-bit, Fedora 16 64-bit and Arch Linux have been found to have vulnerable MySQL releases, while a number of Debian, Gentoo, CentOS and SuSE versions - as well as the official builds from MySQL and MariaDB - seem not to be affected.

"If you are approaching this issue from the perspective of a penetration tester, this will be one of the most useful MySQL tricks for some time to come," he pointed out. "One feature of Metasploit you should be familiar with is the mysql_hashdump module. This module uses a known username and password to access the master user table of a MySQL server and dump it into a locally-stored 'loot' file. This can be easily cracked using a tool like John the Ripper, providing clear-text passwords that may provide further access."

He also added that one of the Metasploit contributors has committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database, making it possible to access the database using the cracked password hashes even if the flaw is fixed.

He advised administrators not to expose MySQL servers to the network unnecessarily, and if it must be done, to implement host-based access control.






Copyright 1998-2014 by Help Net Security.