Exploit Available for Trivial MySQL Password Bypass
Thanks to Jack for pointing this one out to us. I somehow missed this vulnerability this weekend.
Last week MySQL fixed an authentication bypass vulnerability that is trivially exploitable [1]. The effect is that a user has a 1/256 chance of being granted access to MySQL even if the password is wrong. In short: brute forcing passwords will always work pretty quickly, even if you have the wrong password.
The vulnerability does, however, depend on how your instance of MySQL was compiled. Chances are that you are not vulnerable, but just in case, there is a patch available, and it shouldn't be too hard to test: write a script that attempts the same password many times, and see if you get logged in after a while.
As an additional hardening measure, you may want to consider limiting access by IP address.
[1] http://seclists.org/oss-sec/2012/q2/493
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments
while true; do mysql -uroot -pasdf mysql; done
using a valid user
but it did not work on my Debian 6 64bit systems, none of them.
alex
Jun 11th 2012
1 decade ago
jullrich@sans.edu
Jun 11th 2012
1 decade ago
http://thehackernews.com/2012/06/cve-2012-2122-serious-mysql.html
Dom
Dom De Vitto
Jun 11th 2012
1 decade ago
You are not wrong, my IDS is already picking up a larger number of MySQL scans than usual...
It begins.
YinIzanami
Jun 12th 2012
1 decade ago
From vulnerability quote:
Whether a particular build of MySQL or MariaDB is vulnerable, depends on
how and where it was built. A prerequisite is a memcmp() that can return
an arbitrary integer (outside of -128..127 range). To my knowledge gcc
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
sse-optimized memcmp is not safe, but gcc usually uses the inlined
builtin version.
Doesn't work on any of the 6 MySQL servers I administer. (Debian, Ubuntu server, CentOS)
LukaM
Jun 12th 2012
1 decade ago
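The diary's 1/256 figure and the quoted prerequisite (a memcmp() that returns values outside -128..127) fit together if the comparison result is narrowed to an 8-bit type before it is tested for zero. The C model below is an added example, not MySQL, MariaDB or glibc code: `wide_cmp`, `check_truncating`, `check_normalized`, `count_false_accepts` and the sample bytes are hypothetical, and the 8-bit narrowing is an assumption of the model.

```c
#include <stdio.h>

typedef char my_bool;  /* assumed 8-bit result type; 0 means "match" */
typedef my_bool (*check_fn)(const unsigned char *, const unsigned char *, size_t);

/* Hypothetical stand-in for an optimized memcmp(): compares 16-bit words and
 * returns their difference, which can lie outside -128..127. n must be even. */
static int wide_cmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i + 1 < n; i += 2) {
        int wa = a[i] | (a[i + 1] << 8);
        int wb = b[i] | (b[i + 1] << 8);
        if (wa != wb)
            return wa - wb;
    }
    return 0;
}

/* Weak form: the int is narrowed to 8 bits (low byte kept on common compilers),
 * so any nonzero multiple of 256 turns into 0, i.e. "match". */
static my_bool check_truncating(const unsigned char *a, const unsigned char *b, size_t n)
{
    return (my_bool)wide_cmp(a, b, n);
}

/* Hardened form: collapse the result to 0 or 1 before narrowing. */
static my_bool check_normalized(const unsigned char *a, const unsigned char *b, size_t n)
{
    return (my_bool)(wide_cmp(a, b, n) != 0);
}

/* Count how many of the 65535 wrong 2-byte values a check accepts. */
static int count_false_accepts(check_fn check)
{
    const unsigned char expected[2] = { 0x5a, 0xc3 };  /* constructed sample */
    int accepted = 0;
    for (int v = 0; v < 65536; v++) {
        unsigned char guess[2] = { (unsigned char)(v & 0xff), (unsigned char)(v >> 8) };
        int wrong = guess[0] != expected[0] || guess[1] != expected[1];
        if (wrong && check(guess, expected, 2) == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("truncating: %d wrong values accepted\n", count_false_accepts(check_truncating));
    printf("normalized: %d wrong values accepted\n", count_false_accepts(check_normalized));
    return 0;
}
```

In this model the truncating check accepts 255 of the 65535 wrong values (about 1 in 256), while the normalized check accepts none.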