Monday, June 11, 2012

Major Flaw in MySQL and MariaDB

Major Flaw in MySQL and MariaDB that bypasses the authentication and the guy who discovered it + Extras

It's all over the news and tweets now in the #Infosec World! A major security flaw in MySQL and MariaDB has been found by Sergei Golubchik (Date: Sat, 9 Jun 2012 17:30:38 +0200). In the oss-sec mailing list, he wrote:

"All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not. MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not. This issue got assigned an id CVE-2012-2122.

"Here's the issue. When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256.

"Which means, if one knows a user name to connect (and "root" almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts take only a fraction of a second, so basically account password protection is as good as nonexistent. Any client will do, there's no need for a special libmysqlclient library."

(More info on seclists.org.)

Thus, if an attacker guesses the correct username (for example "root"), he can easily connect to the MySQL server using a random password by repeating connection attempts. This issue got assigned the id CVE-2012-2122. The good thing here is that it only applies to versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22. MariaDB versions 5.1.62, 5.2.12, 5.3.6, 5.5.23 and MySQL versions 5.1.63, 5.5.24, 5.6.6 are not vulnerable to his discovery. But who is Sergei Golubchik?
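To see how a one-byte narrowing of memcmp()'s result lets a wrong password through about once in 256 tries, here is an added simulation; it is not code from the post, MySQL or MariaDB. It models the native-password token scheme (SHA1 over the password and the scramble, an assumption of this example), a constructed word-wise memcmp() stand-in that can return any non-zero int, and the narrowing that caused the bug; the passwords and scrambles are constructed.

```python
import hashlib
import random

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def client_token(password: bytes, scramble: bytes) -> bytes:
    # Client side: SHA1(password) XOR SHA1(scramble + SHA1(SHA1(password))).
    stage1 = sha1(password)
    mix = sha1(scramble + sha1(stage1))
    return bytes(x ^ y for x, y in zip(stage1, mix))

def memcmp_wordwise(a: bytes, b: bytes) -> int:
    # Constructed stand-in for an optimized memcmp(): returns the difference of the
    # first differing 4-byte words, so the result can be any non-zero int, not just +-1.
    for i in range(0, len(a), 4):
        wa = int.from_bytes(a[i:i + 4], "little")
        wb = int.from_bytes(b[i:i + 4], "little")
        if wa != wb:
            return wa - wb
    return 0

def as_signed_char(v: int) -> int:
    # The bug: memcmp()'s int result is narrowed to one byte, so multiples of 256 read as 0.
    v &= 0xFF
    return v - 256 if v > 127 else v

def server_diff(token: bytes, scramble: bytes, stored: bytes) -> int:
    # Server side: undo the XOR to recover SHA1(password), hash it once more and
    # compare with the stored SHA1(SHA1(password)).
    mix = sha1(scramble + stored)
    stage1 = bytes(x ^ y for x, y in zip(token, mix))
    return memcmp_wordwise(sha1(stage1), stored)

def check_vulnerable(token: bytes, scramble: bytes, stored: bytes) -> bool:
    return as_signed_char(server_diff(token, scramble, stored)) == 0

def check_fixed(token: bytes, scramble: bytes, stored: bytes) -> bool:
    return server_diff(token, scramble, stored) == 0  # tests the full int result

def bypass_rate(trials: int = 20000, seed: int = 1) -> float:
    # Fraction of wrong-password attempts the vulnerable check accepts; expect about 1/256.
    rng = random.Random(seed)
    stored = sha1(sha1(b"correct-password"))  # constructed account password, as stored
    accepted = 0
    for _ in range(trials):
        scramble = bytes(rng.getrandbits(8) for _ in range(20))
        accepted += check_vulnerable(client_token(b"bad", scramble), scramble, stored)
    return accepted / trials
```

On a server whose libc returns only -1/0/1 from memcmp() the narrowing is harmless, which is why the bug showed up only on some builds; the version check is still the only reliable test.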
Sergei Golubchik

Well, for those of you who don't know Sergei Golubchik, today is your lucky day (if you are reading this)! He is the MariaDB Security Coordinator, primary architect of the MySQL/MariaDB plugin API and the author of the "MySQL 5.1 Plugin Development" book. He has been modifying MySQL source code since 1998 and has continued doing it as a MySQL AB employee since 2000. Cool!!!! The Infosec World is proud of you, Sir Sergei Golubchik.

A few days later, HD Moore of Metasploit posted a report on their website (Jun 11, 2012 12:51:25 AM) about a one-liner in bash that provides access to an affected MySQL server as the root user account, without actually knowing the password:

    $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
    mysql>

He also reported on the Linux distributions that were affected, based on the reports of other users and researchers. Then Jonathan Cran (CTO of Pwnie Express and Metasploit contributor) committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database. The Metasploit module for the said exploit is auxiliary/scanner/mysql/mysql_authbypass_hashdump.

So what are you waiting for? Check your MySQL server version and use the mysql_authbypass_hashdump module to test it. If it is vulnerable, then update it! Check the references below for more information about this serious bug. :) Also, Joshua Drake provided a sample application, which he called CVE-2012-2122 checker, to determine if your system is vulnerable or affected.
References:
http://seclists.org/oss-sec/2012/q2/493
http://en.oreilly.com/mysql2011/public/schedule/speaker/639
http://www.net-security.org/secworld.php?id=13076
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql

Jay Turla

Jay Turla is a Filipino security researcher, programming student, infosec enthusiast, open source advocate, and the blog manager of PenTest Laboratory. He is interested in Linux, OpenVMS, penetration testing and vulnerability assessment. He is one of the core team members of The ProjectX Blog and one of the bloggers and goons of ROOTCON (Philippine Hackers Conference). You can follow his tweets @shipcod3.
