Forgot your password?
typodupeerror
Network Security IT

MariaDB and MySQL Authentication Bypass Exploit 73

Posted by samzenpus
from the protect-ya-neck dept.
JohnBert writes "A security bug in MariaDB and MySQL has been revealed, allowing a known username and password to access the master user table of a MySQL server and dump it into a locally-stored file. By using a tool like John the Ripper, this file can be easily cracked to reveal text passwords that can provide further access. By committing a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database, you can access the database using the cracked password hashes even if the authentication bypass vulnerability is fixed."
This discussion has been archived. No new comments can be posted.

MariaDB and MySQL Authentication Bypass Exploit

Comments Filter:
  • by gl4ss (559668) on Monday June 11, 2012 @12:23PM (#40285867) Homepage Journal

    "An attacker who knows a correct username (usually the ubiquitous "root") can easily connect using a random password by repeating connection attempts.

    "~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent," wrote Golubchik."

    I guess the db shouldn't answer to any requests outside from known address space.. but still..

    • by Anonymous Coward on Monday June 11, 2012 @12:28PM (#40285951)

      And that is why we use fail2ban.

      • by gl4ss (559668)

        And that is why we use fail2ban.

        well, you'd still only need ~300 ip's to launch the attack from.

        with those odds, I'm thinking that many people who have bruteforced have thought themselfs as extremely lucky when they werent..

        • by ArcherB (796902)

          And that is why we use fail2ban.

          well, you'd still only need ~300 ip's to launch the attack from.

          with those odds, I'm thinking that many people who have bruteforced have thought themselfs as extremely lucky when they werent..

          That's ~300 IP's per fraction of a second.

          Good luck with that.

          • That's ~300 IP's per fraction of a second.

            Good luck with that.

            Can you say "botnet". Hmm.. I wonder who would benefit from being able to get a few thousands of extra hosts. Most of the big ones would probably never even need to use the same IP range more than twice.

          • by joostje (126457)

            That's ~300 IP's per fraction of a second.

            Good luck with that.

            You only need ~256 login attempts to get in. So, yes, you'd only need ~256 IP's to have a 63% chance of gaining root access (1-(255/256)**256).

          • by SteveAyre (209812) on Monday June 11, 2012 @01:25PM (#40286705)

            They say you can get in by making 300 connection attempts, which can be done within a fraction of a second. Which is true.

            They don't say that you have to do it within a fraction of a second.

            The memcmp function has a 1/256 chance of returning the required value that makes it treat any password as the correct password - there's no link between the connection attempts, each time you try to connect you have the same 1/256 chance. You could space the attempts out over seveal minutes, hours or days if you wanted to - it'd just slow down the time it'd take you to get in (and make it more likely they've patched their systems before you get in).

            Practically, this is slightly less newsworthy than it sounds. Yes the bug exists and yes it's serious, but it also depends on which memcmp version you're using on whether you're actually affected. The gcc builtin ones aren't affected or the libc ones, the glibc one is. That means whether it's exploitable depends on how your server was compiled. And it appears that the official versions from mysql.com aren't affected, and testing my debian systems today neither are they (but they're nicely firewalled anyway, just in case). Source: http://seclists.org/oss-sec/2012/q2/493 [seclists.org]

        • You can rent or purchase 3,000 bots for like $10 on the internet.

          If you are a Russian Mobfia guy who can be profitable with just a few hundred credit card numbers this is a no brainer. You can make millions and only hire some russian CS student for a few hundred dollars to use the bot net to launch 300 ip's and viola! Instant millions.

          This is pretty serious and the profit potential is too large to ignore.

          Putting an authentication server/proxy between the internet and the database is an excellent line of def

    • a 1/256 chance of getting in when using a valid username and invalid email? I don't like those odds.
      • a 1/256 chance of getting in when using a valid username and invalid email? I don't like those odds.

        Email? WTF? That should be password.

    • by t4ng* (1092951)

      Sounds like it is only in a small subset of versions. From the source article...

      "Whether a particular build of MySQL or MariaDB is vulnerable, depends on how and where it was built. A prerequisite is a memcmp() that can return an arbitrary integer (outside of -128..127 range). To my knowledge gcc builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc sse-optimized memcmp is not safe, but gcc usually uses the inlined builtin version.

      As far as I know, official vendor MySQL and MariaDB binaries are not vulnerable."

    • by leonbloy (812294)

      I guess the db shouldn't answer to any requests outside from known address space.. but still..

      There is something called "shared web hosting".

      • by gl4ss (559668)

        I guess the db shouldn't answer to any requests outside from known address space.. but still..

        There is something called "shared web hosting".

        well, shared hosting is for bitches.

        did a first post, titled it "holy motherfucking cheetah" and got +5. I think I'll make that into my new sig

  • by Anonymous Coward on Monday June 11, 2012 @12:25PM (#40285897)

    Basically the password comparison routine uses a bad assumption about memcmp. This assumption fails with a probability of about 1 in 256 on some systems. You just use any random password, try a couple hundred times to log in and eventually it works. Yes, it is that bad.

    • by Qzukk (229616)

      Any idea what that assumption is? The article says typecast error, but what the hell would you cast a signed int to that would be zero when the signed int was nonzero? Even if you cast it to unsigned, you'd still have a nonzero number for negative values.

      • by Kunnis (756642)
        Since the article said the odds of hitting the bug were roughly 1:256, my guess is a programmer casted the return value from memcmp to a char instead of an int.
        • by SteveAyre (209812) on Monday June 11, 2012 @01:33PM (#40286809)

          Yes, it's exactly that. They assumed memcmp returned a value in the range -128..127 - so they've assumed a char was sufficient. And many implementations do indeed return that, but unfortunately not all.

          http://seclists.org/oss-sec/2012/q2/493 [seclists.org]:

          Whether a particular build of MySQL or MariaDB is vulnerable, depends on
          how and where it was built. A prerequisite is a memcmp() that can return
          an arbitrary integer (outside of -128..127 range). To my knowledge gcc
          builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
          sse-optimized memcmp is not safe, but gcc usually uses the inlined
          builtin version.

          • by bertok (226922)

            Wow.

            Suddenly, the decision to have an explicit 'bool' type in newer languages makes a lot more sense!

            • by adri (173121)

              No. memcmp() is designed to be used by sort functions. IIRC: It's supposed to return:

              0: identical
              +ve: string 2 > string 1
              -ve: string 1 > string 2

              'bool' doesn't cut it. But yes, their comparison was bogus.

      • by Anonymous Coward on Monday June 11, 2012 @12:45PM (#40286151)

        They are casting the result of int strcmp to my_bool, which they have defined as typedef char my_bool.

        Since int is bigger than char, you have really lots of ints than can be 0 when casted to char.

    • Well, let's explain it right: the compare function uses a variable type cast that paired with certain compiler flags will improperly reduce a larger number storage to an 8 bit interger. memcmp returns 0 when there's a match, any other value otherwise. When some larger number is interpreted as a character and that number is mod(256), then you get a zero when you truncate the leading numbers.

      Since the hashing function in MySQL has some variable used every time, you get a different number every time that returns a mismatch. 1 in 256 of those mismatches gets reduced to a number that is represented by a zero... which is appropriate to the cast function, but causes issues when used with memcmp.

    • by Narnie (1349029)

      1 in 256 attempts? Seems about right when I can't remember my banking password.

  • Most applications that use MySQL that I've seen decided to use imbeded hard coded usernames and passwords (usually for the SA user) so there was no security anyway. The few solutions I've seen that actually used unique usernames and passwords and not SA, usually used an external authentication method so the database didn't have any passwords to expose.

    Finding out about this now doesn't scare me all that much. If you had used a good security design and practice, there should be limited exposure of usernames

    • by camperslo (704715)

      Doesn't Firefox keep a great deal of user data (history, bookmarks, tags, page metadata etc) in MySQL? Couldn't some of these problems potentially affect a huge number of people as a result by extending what might easily be accessed through browser/plugin vulnerabilities and JS features?

  • by Anonymous Coward

    Summary is making it look a LOT worse than it is.

    - Bug's already been fixed, only what it did was revealed now.
    - Bug does not affect binary distributions from mysql.com, Windows included.
    - Bug only affects some distros.

    Full description here: https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql

    • by Anonymous Coward

      - Bug only affects some distros.

      So far, the following systems have been confirmed as vulnerable:
      Ubuntu Linux 64-bit ( 10.04, 10.10, 11.04, 11.10, 12.04 ) ( via many including @michealc )
      OpenSuSE 12.1 64-bit MySQL 5.5.23-log ( via @michealc )
      Debian Unstable 64-bit 5.5.23-2 ( via @derickr )
      Fedora ( via hexed and confirmed by Red Hat )
      Arch Linux (unspecified version)


      Feedback so far indicates the following platforms are NOT vulnerable:
      Official builds from MySQL and MariaDB (including Windows)
      Red Hat Enterprise Linux 4, 5, and 6 (

    • by isorox (205688)

      Summary is making it look a LOT worse than it is.

      - Bug's already been fixed, only what it did was revealed now.
      - Bug does not affect binary distributions from mysql.com, Windows included.
      - Bug only affects some distros.

      Full description here: https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql [rapid7.com]

      They claim ubuntu 10.04 64 bit is vulnerable. That's my laptop distro, and after 5,000 attempts I can't break in.

      The linked memcmp program at http://pastie.org/4064638 [pastie.org] indeed says I'm vulnerable, so why can't I break in?

  • The author of the article mention a couple of distributions found vulnerable to this bug. In one of them is Arch Linux. But he also said that systems with versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. Then... How the heck can Arch (a rolling release distribution) be affected if they have an updated version of the package already in place, lol. The article is dated June 11, Arch fixed upstream release was committed May 13. So it has been already fixed for nearly 2 months.... wow https [archlinux.org]
    • by tuxrulz (853366)
      My bad, the update was not committed May 13, was April 13. so yes, nearly 2 months.
      • by Rich0 (548339)

        Yup, when somebody emailed me this news in a panic I checked and the bug was fixed on Gentoo over a month ago, though if you were on itanic or sparc you got it a bit late (still a week or two ago). The article only refers to 64-bit Gentoo, but as far as I can tell it should be fixed on all the security-supported archs (and likely on the non-security ones by now also).

  • Sounds like the bug on the Wii.
    There was a bug on the Wii where it used string comparison functions to compare signatures, instead of memory comparison functions. So it terminated at the first null character. So you could fakesign anything easily after 256 tries.
    From what little information is on that page, it sounds like the exact same problem.

    • No, this is a different problem. This one is about casting the value returned by memcmp to char (it returns an int). On most systems, int is 32-bit, char is 8-bit, and such a cast is basically equivalent to taking the low 8 bits of the int. So when memcmp returns a non-zero value (meaning "not equal"), which has the lower 8 bits of the int all set to zero, they get zero when they cast it to char, and then interpret that as "equal".

  • ... the attacks must have access to the DB first.

    If my daemons are firewalled, my MariaDB server only accepts requests from 127.0.0.1 and my authentication code lives out of the httpdocs filesystem (PHP *don't have* to run every script from the httpdocs filesystem!), I don't see how the attacker could try this on my machine without rooting it first.

    In this case, the MariaBD passwords are the least of my worries.

    Or I'm wrong?

  • To avoid having your db serve live web content without an authentication server in between. It costs more money and most companies staring out use an ISP with a single server with everything but that increases your chances of being hacked exponentially.

  • http://seclists.org/oss-sec/2012/q2/493 [seclists.org]

    Lookout for that molehill! Yes, some versions are vulnerable, and everyone is having a hissy fit about this. I've tested every single copy of various versions of MySQL that I have running, and they are not vulnerable. And I'm running MySQL on Windows, Arch, RHEL, Ubuntu and CentOS.

Optimization hinders evolution.

Working...