
mysql.txt
Posted Feb 10, 2000
Authored by Emphyrio

There exists a vulnerability in the password checking routines in the latest versions of the MySQL server, that allows any user on a host that is allowed to connect to the server, to skip password authentication, and access databases. All versions of MySQL up to 3.22.26a are vulnerable.

tags | exploit
SHA-256 | 5f5a4fb2100d5e175dc80ad904c3a600382a5f0b6c8153e8084244e2328cedac

Hi,

Below you find a security advisory I wrote concerning a vulnerability found in
all (known to me) MySQL server versions, including the latest one.
As MySQL is a widely used SQL platform, I strongly advise everyone using it
to read it and fix where appropriate.
This email has been bcc'd to the MySQL bug list and other appropriate parties.

Greets,
Robert van der Meulen/Emphyrio


.Introduction.

There exists a vulnerability in the password checking routines in the latest
versions of the MySQL server that allows any user on a host that is allowed
to connect to the server to skip password authentication and access databases.
For the exploit to work, a valid username for the MySQL server is needed, and
this username must be allowed to connect to the database server from the
attacking host. The password belonging to that username is not needed.


.Vulnerable Systems.

All systems running 3.22.26a, the latest release at the time of writing (tested).
Probably all systems running lower versions as well (not tested, not reviewed).
The flaw is in platform-independent code, so all versions are vulnerable on all platforms.


.A snippet of code from the MySQL source, explaining password authentication.

From mysql-3.22.26a/sql/password.c:
/* password checking routines */
/*****************************************************************************
The main idea is that no password are sent between client & server on
connection and that no password are saved in mysql in a decodable form.

On connection a random string is generated and sent to the client.
The client generates a new string with a random generator inited with
the hash values from the password and the sent string.
This 'check' string is sent to the server where it is compared with
a string generated from the stored hash_value of the password and the
random string.

<cut>
*****************************************************************************/


.More code, and vulnerability explanation.

The problem is, that in the comparison between the 'check' string, and the
string generated from the hash_value of the password and the random string,
the following code is used (from mysql-3.22.26a/sql/password.c):

  /* 'scrambled' is the client's check string; 'to' is the server's expected string.
     The loop runs only as long as the CLIENT's string lasts. */
  while (*scrambled)
  {
    if (*scrambled++ != (char) (*to++ ^ extra))
      return 1; /* Wrong password */
  }

'scrambled' is the 'check' string received from the client, and (*to++ ^ extra)
walks through the string the server derived from the stored hash_value and the
random string.
Suppose a client sends a _single_ character to the server as the 'check'
string.
The server should notice that the check string is shorter than the one it
expects and return a password error.
No such length check is done: the loop terminates as soon as the client's
string ends, so when a check string of length 1 is passed to the server, only
one character is compared.
So the only thing that remains, if we want to peek in someone's MySQL
database, is a way to hit the first character of the server-side check
string.

The string used for the comparison is generated from random data, so two
successive authentication attempts will probably use different check strings.
Looking at the algorithm that generates the check string, it turns out that
there are actually only 32 possibilities for each character.

In practice, this means that if you connect, sending one single character as
the check string, each attempt succeeds with a probability of about 1 in 32.
Because the server's check string changes on every connection there is no hard
upper bound on the number of tries, but on average you will be in after about
32 connections.


.Impact.

Hosts in the access list (by default any host, on a lot of distributions and
servers) can connect to the MySQL server without a password and access
(often sensitive) data, _as long as the attacker has a valid username for the
database server_.
This vulnerability also enables a denial of service against MySQL: an attacker
who logs in with the MySQL management account can shut down the database
server and delete data.


.Exploit information.

I have an exploit available, but to deter script kiddies I will not release
it (yet). Do not ask me for it.
If the above explanation is understood, an exploit should be easy enough...


.Fix information.

Change the routine 'check_scramble' in mysql-3.22.26a/sql/password.c to do a
length check _before_ starting the compare.
This should be as easy as inserting the following just above the
while (*scrambled) loop:

  if (strlen(scrambled)!=strlen(to)) {
    return 1; /* check string has the wrong length: treat as wrong password */
  }

Note that this relies on 'to' being a NUL-terminated string of the length the
server expects; if it is not, compare strlen(scrambled) against that expected
length directly. Either way, the check must be an equality test: the loop as
written would otherwise accept an empty check string without comparing a
single character.

WARNING: This is NOT an official fix. You can use this as a temporary solution
to the problem.
Please check the official MySQL site (www.mysql.org) for a fix.
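The comparison described in the vulnerability section and the length check proposed in the fix section, as an added example that is not code from this advisory or from MySQL: a small C model of check_scramble with the loop quoted from password.c beside a length-checked version, and the single-byte attack run against both. The scramble generator, the 8-byte check-string length (SCRAMBLE_LEN), the 64..95 byte alphabet, and all function and struct names are assumptions of the example; the generator is deterministic so the run is reproducible, whereas the real server's check string is random on every connection.

```c
/* Added example, not MySQL code. Models the check_scramble comparison
 * from the advisory and a length-checked version of it. */
#include <stdio.h>
#include <string.h>

#define SCRAMBLE_LEN 8    /* assumed length of a full check string */
#define ALPHABET_BASE 64  /* assumed: check-string bytes fall in 64..95, i.e. 32 values */

/* Server-side state for one connection: the bytes `to` derived from the
 * stored password hash plus the random string, and the xor byte `extra`,
 * the two operands of the comparison quoted from password.c. */
struct server_check {
    char to[SCRAMBLE_LEN + 1];
    char extra;
};

/* Deterministic stand-in for the per-connection check string (assumption:
 * MySQL derives it from its own RNG; this toy only keeps the property the
 * advisory relies on, 32 possible values per byte, and is reproducible). */
static void make_server_check(struct server_check *sc, unsigned conn)
{
    for (int i = 0; i < SCRAMBLE_LEN; i++)
        sc->to[i] = (char)(ALPHABET_BASE + ((conn + 7u * (unsigned)i) % 32));
    sc->to[SCRAMBLE_LEN] = '\0';
    sc->extra = (char)((conn / 32) % 32);   /* 0..31, so to[i]^extra stays in 64..95 */
}

/* What an honest client holding the password would send for this connection. */
static void correct_check_string(const struct server_check *sc, char out[SCRAMBLE_LEN + 1])
{
    for (int i = 0; i < SCRAMBLE_LEN; i++)
        out[i] = (char)(sc->to[i] ^ sc->extra);
    out[SCRAMBLE_LEN] = '\0';
}

/* The comparison as quoted from password.c: the loop is driven by the
 * client's string, so it compares exactly as many bytes as the client sent
 * (zero bytes for an empty string). Model precondition: strlen(scrambled) <= SCRAMBLE_LEN. */
static int check_scramble_vulnerable(const char *scrambled, const struct server_check *sc)
{
    const char *to = sc->to;
    while (*scrambled) {
        if (*scrambled++ != (char)(*to++ ^ sc->extra))
            return 1;   /* Wrong password */
    }
    return 0;
}

/* Hardened form: refuse anything that is not exactly the expected length
 * (this also rejects the empty string) before comparing byte by byte. */
static int check_scramble_fixed(const char *scrambled, const struct server_check *sc)
{
    if (strlen(scrambled) != SCRAMBLE_LEN)
        return 1;
    return check_scramble_vulnerable(scrambled, sc);
}

typedef int (*check_fn)(const char *scrambled, const struct server_check *sc);

/* The attack from the advisory: send one byte, reconnect on failure. Every
 * reconnect yields a new server-side check string, so each attempt is a
 * 1-in-32 guess. Returns the attempt number that got in, or -1 if none did. */
static int single_byte_attack(check_fn check, int max_attempts)
{
    const char guess[2] = { (char)ALPHABET_BASE, '\0' };
    for (int attempt = 1; attempt <= max_attempts; attempt++) {
        struct server_check sc;
        make_server_check(&sc, (unsigned)attempt);   /* a fresh "connection" */
        if (check(guess, &sc) == 0)
            return attempt;
    }
    return -1;
}

int main(void)
{
    struct server_check sc;
    char answer[SCRAMBLE_LEN + 1];
    make_server_check(&sc, 5);
    correct_check_string(&sc, answer);
    printf("correct string: vulnerable=%d fixed=%d\n",
           check_scramble_vulnerable(answer, &sc), check_scramble_fixed(answer, &sc));
    printf("empty string:   vulnerable=%d fixed=%d\n",
           check_scramble_vulnerable("", &sc), check_scramble_fixed("", &sc));
    printf("1-byte attack:  vulnerable needs %d attempts, fixed gives %d\n",
           single_byte_attack(check_scramble_vulnerable, 1000),
           single_byte_attack(check_scramble_fixed, 1000));
    return 0;
}
```

Compile with cc -std=c99 and run. Both versions accept the correct 8-byte string; with the toy generator the single-byte attack gets past the vulnerable comparison on the 33rd connection and never past the fixed one. The bare loop also accepts the empty string, which is why the length check has to be an equality test and not merely a "not longer than expected" test.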


.Commentary.

I think this exploit should not be a very scary thing to people who know
how to secure their servers.
In practice, there's almost never a need to allow the whole world to connect
to your SQL server, so that part of the deal should be taken care of.
As long as your MySQL ACL is secure, this problem doesn't really occur (unless
your database server doubles as a shell server).

We have also located several other security bugs in the MySQL server/client. These
bugs can only be exploited by users who have a valid username and password.
We will send these to the MySQL maintainers, and hope they'll come up
with a fix soon.

Yours,
Robert van der Meulen/Emphyrio (rvdm@cistron.nl)
Willem Pinckaers (dvorak@synnergy.net)


--

| rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |

