[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] mysql password cracking

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] mysql password cracking
From: Chris Anley <chris@xxxxxxxxxxxxxxx>
Date: Mon, 11 Oct 2004 09:15:01 +0100

Hey David,

Re: allowing users to see other user's hashes - it's dangerous; don't do it if you don't have to.

To precis what's in the paper (which I wrote btw), there's a few interesting points about mysql password hashes:

1) In versions prior to 4.1, the password hash can be used to authenticate directly with the database, so you don't need to crack it. In other words, knowledge of the *hash* is what the authentication protocol tests, not knowledge of the password. Admittedly you'd need to modify your mysql client to authenticate this way but that's not too hard.

2) In versions 4.1 or better (which are still Beta) MySQL uses SHA1 to hash the passwords, so the situation is a little better. You can still crack sha1 password hashes fairly easily though, depending on the password complexity and length. The hashing algorithm is to sha1 hash the password, then sha1 hash the resulting hash, in other words sha1(sha1(password)). Of course, if you're using 4.1 or better you're using beta software, against MySQL AB's recommendation.

3) If you use 4.1 ensure it's at least 4.1.3, because of the authentication bug detailed in the paper which (briefly) lets any user authenticate without needing to know the password.

If for some reason you have to have an untrusted user viewing another user's grants, you could do it safely a number of ways (assuming version 4.0.x):

a) Write a UDF to do it (probably the best solution) b) Write a batch script that periodically does the 'show grants', strips the password hashes out and then inserts the data into a table your user can see. Of course, the data won't be current, but that might be ok and you don't need to mess about with dangerous privs. c) Grant the user select privilege (only) on mysql.db, mysql.host, tables_priv, user_priv and every column of 'mysql.user' apart from 'password', and 'select' their privs out manually. This may be dangerous, so be careful.

Hope that helps... :o)

-chris.

Willem Koenings wrote:

hi,

I'm wondering how dangerous it is to allow a user on a mysql db to view the grants for another user. Could they take the encrypted password data and possibly crack it? If they can, how easy is it?
on certain condition it's quite easy, if you have
a hash:
test.exe 57510426775c5b0f
Hash: 57510426775c5b0f
Trying length 3
Trying length 4
Trying length 5
Found pass: guest
some reading for you:

http://www.ngssoftware.com/papers/HackproofingMySQL.pdf

all the best,

W.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- Re: [Full-Disclosure] mysql password cracking
  - From: Willem Koenings

Prev by Date: [Full-Disclosure] MonkeyShell: using XML-RPC for access to a remote shell
Next by Date: Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.
Previous by thread: Re: [Full-Disclosure] mysql password cracking
Next by thread: [Full-Disclosure] Limited \secure\ buffer-overflow in some old Monolith games
Index(es):
- Date
- Thread