SANS Internet Storm Center (SANS ISC) InfoSec Forums
Exploit Available for Trivial MySQL Password Bypass

Thanks to Jack for pointing this one out to us. I somehow missed this vulnerability this weekend.

Last week MySQL fixed an authentication bypass vulnerability that is trivially exploitable [1]. The effect is that each login attempt has a 1/256 chance of being granted access to MySQL even if the password is wrong. In short: brute forcing will succeed fairly quickly even if every password you try is wrong.

Whether you are vulnerable does, however, depend on how your MySQL binary was compiled. Chances are that you are not, but just in case, a patch is available, and the condition is not hard to test: write a script that attempts the same wrong password many times against your own server and see whether you eventually get logged in.

As an additional hardening measure, you may want to consider limiting access by IP address. 

[1] http://seclists.org/oss-sec/2012/q2/493

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes

3628 Posts
ISC Handler
Exploit code is
while true; do mysql -uroot -pasdf mysql; done
using a valid user

but it did not work on my debian 6 64bit systems, none of them.
Anonymous
yup. Usually I don't like to link to exploit code, or have exploit code in comments like yours. But in this case, "hiding exploit code" would be silly ;-)

Johannes

3628 Posts
ISC Handler
This page describes the problem / exploit pretty well, but basically a LOT of systems should be vulnerable to this, and this gives MYSQL admin access - I'd expect to see widespread scanning.

http://thehackernews.com/2012/06/cve-2012-2122-serious-mysql.html

Dom
DomMcIntyreDeVitto

41 Posts
@Dom

You are not wrong, my IDS is already picking up a larger number of MySQL scans than usual...

It begins.
Yinette

12 Posts
@Dom

From vulnerability quote:

Whether a particular build of MySQL or MariaDB is vulnerable, depends on
how and where it was built. A prerequisite is a memcmp() that can return
an arbitrary integer (outside of -128..127 range). To my knowledge gcc
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
sse-optimized memcmp is not safe, but gcc usually uses the inlined
builtin version.


Doesn't work on any of the 6 MySQL servers I administer. (Debian, Ubuntu server, CentOS)
Yinette
2 Posts
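The memcmp() condition in the quoted advisory and the 1/256 figure in the diary entry above come from the same defect: the int returned by memcmp() is handed back through MySQL's one-byte my_bool type, so any result that is a multiple of 256 truncates to 0, which the caller reads as "hashes match". The C program below is an added example, not MySQL's source and not code from anyone in this thread. wide_memcmp is a constructed stand-in for an optimised libc memcmp that returns values outside -128..127 (it always returns a multiple of 256 so the truncation is deterministic; a real optimised memcmp returns other values too, which is where the roughly 1/256 odds per attempt come from). The check_scramble_* functions and my_bool follow MySQL's naming, but their bodies are simplified reconstructions, and the demo hashes are made up. It shows the vulnerable truncating comparison next to the fixed one (result normalised to 0/1 before return) and a constant-time variant, and counts how many of the values 1..65535 the truncating path would accept as a match.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-in for the 20-byte SHA1 scramble hashes MySQL compares. */
#define HASH_LEN 20

/* MySQL's one-byte boolean type: the root of the truncation problem. */
typedef char my_bool;

/* CONSTRUCTED stand-in for an optimised memcmp that reports the first
 * differing bytes scaled by 256, i.e. a value outside -128..127.
 * Not glibc code; it exists only to make the truncation reproducible. */
int wide_memcmp(const void *a, const void *b, size_t n) {
    const unsigned char *p = a, *q = b;
    for (size_t i = 0; i < n; i++) {
        if (p[i] != q[i])
            return ((int)p[i] - (int)q[i]) * 256;
    }
    return 0;
}

/* Vulnerable pattern (simplified reconstruction): the int from memcmp is
 * returned through a one-byte my_bool. -512 becomes 0, i.e. "match".
 * Convention as in MySQL: 0 means the scramble checked out. */
my_bool check_scramble_vulnerable(const unsigned char *stored,
                                  const unsigned char *computed) {
    return (my_bool)wide_memcmp(stored, computed, HASH_LEN);
}

/* Fixed pattern: normalise to 0/1 before the narrowing conversion. */
my_bool check_scramble_fixed(const unsigned char *stored,
                             const unsigned char *computed) {
    return wide_memcmp(stored, computed, HASH_LEN) != 0;
}

/* Further hardening: byte-wise OR of differences, no early exit and no
 * dependence on what memcmp returns. Also avoids timing leaks. */
my_bool check_scramble_ct(const unsigned char *stored,
                          const unsigned char *computed) {
    unsigned char diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++)
        diff |= (unsigned char)(stored[i] ^ computed[i]);
    return diff != 0;
}

/* How many of the memcmp results 1..n_results-1 (all genuine mismatches)
 * does the truncating path accept as a match? Every multiple of 256. */
int count_truncation_false_matches(int n_results) {
    int accepted = 0;
    for (int r = 1; r < n_results; r++)
        if ((my_bool)r == 0)
            accepted++;
    return accepted;
}

/* CONSTRUCTED demo hashes: identical except for byte 5 (0x05 vs 0x07). */
const unsigned char demo_stored[HASH_LEN] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
    0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13 };
const unsigned char demo_wrong[HASH_LEN] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x07, 0x06, 0x07, 0x08, 0x09,
    0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13 };

int main(void) {
    printf("wide_memcmp result: %d\n",
           wide_memcmp(demo_stored, demo_wrong, HASH_LEN));
    printf("wrong hash -> vulnerable: %d  fixed: %d  constant-time: %d\n",
           check_scramble_vulnerable(demo_stored, demo_wrong),
           check_scramble_fixed(demo_stored, demo_wrong),
           check_scramble_ct(demo_stored, demo_wrong));
    printf("memcmp results 1..65535 that truncate to 'match': %d\n",
           count_truncation_false_matches(65536));
    return 0;
}
```

The vulnerable function reports 0 (accepted) for the wrong hash because -512 truncates to 0, while both hardened versions report a mismatch; 255 of the 65535 non-zero results collapse to 0, which is the 1/256 the diary entry cites. This is also why the thread's reports differ: with a memcmp that only ever returns -1, 0 or 1 (the gcc builtin, BSD libc), the truncation never changes the outcome and the same binary is safe.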
