MariaDB and MySQL Authentication Bypass Exploit 73
JohnBert writes "A security bug in MariaDB and MySQL has been revealed, allowing a known username and password to access the master user table of a MySQL server and dump it into a locally-stored file. By using a tool like John the Ripper, this file can be easily cracked to reveal text passwords that can provide further access. By committing a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database, you can access the database using the cracked password hashes even if the authentication bypass vulnerability is fixed."
holy motherfucking cheetah (Score:5, Insightful)
"An attacker who knows a correct username (usually the ubiquitous "root") can easily connect using a random password by repeating connection attempts.
"~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent," wrote Golubchik."
I guess the db shouldn't answer to any requests outside from known address space.. but still..
Re:holy motherfucking cheetah (Score:5, Insightful)
And that is why we use fail2ban.
Re: (Score:2)
And that is why we use fail2ban.
well, you'd still only need ~300 ip's to launch the attack from.
with those odds, I'm thinking that many people who have bruteforced have thought themselfs as extremely lucky when they werent..
Re: (Score:2)
And that is why we use fail2ban.
well, you'd still only need ~300 ip's to launch the attack from.
with those odds, I'm thinking that many people who have bruteforced have thought themselfs as extremely lucky when they werent..
That's ~300 IP's per fraction of a second.
Good luck with that.
Re: (Score:1)
That's ~300 IP's per fraction of a second.
Good luck with that.
Can you say "botnet". Hmm.. I wonder who would benefit from being able to get a few thousands of extra hosts. Most of the big ones would probably never even need to use the same IP range more than twice.
Re: (Score:2)
That's ~300 IP's per fraction of a second.
Good luck with that.
You only need ~256 login attempts to get in. So, yes, you'd only need ~256 IP's to have a 63% chance of gaining root access (1-(255/256)**256).
Re:holy motherfucking cheetah (Score:5, Informative)
They say you can get in by making 300 connection attempts, which can be done within a fraction of a second. Which is true.
They don't say that you have to do it within a fraction of a second.
The memcmp function has a 1/256 chance of returning the required value that makes it treat any password as the correct password - there's no link between the connection attempts, each time you try to connect you have the same 1/256 chance. You could space the attempts out over seveal minutes, hours or days if you wanted to - it'd just slow down the time it'd take you to get in (and make it more likely they've patched their systems before you get in).
Practically, this is slightly less newsworthy than it sounds. Yes the bug exists and yes it's serious, but it also depends on which memcmp version you're using on whether you're actually affected. The gcc builtin ones aren't affected or the libc ones, the glibc one is. That means whether it's exploitable depends on how your server was compiled. And it appears that the official versions from mysql.com aren't affected, and testing my debian systems today neither are they (but they're nicely firewalled anyway, just in case). Source: http://seclists.org/oss-sec/2012/q2/493 [seclists.org]
Comment removed (Score:5, Informative)
Re: (Score:2)
Wow. If I hadn't seen that, I would not have believed it. What a jerk!
Re: (Score:2)
Re: (Score:1)
You can rent or purchase 3,000 bots for like $10 on the internet.
If you are a Russian Mobfia guy who can be profitable with just a few hundred credit card numbers this is a no brainer. You can make millions and only hire some russian CS student for a few hundred dollars to use the bot net to launch 300 ip's and viola! Instant millions.
This is pretty serious and the profit potential is too large to ignore.
Putting an authentication server/proxy between the internet and the database is an excellent line of def
Re: (Score:3)
Re: (Score:3)
a 1/256 chance of getting in when using a valid username and invalid email? I don't like those odds.
Email? WTF? That should be password.
FUD? (Score:3)
Sounds like it is only in a small subset of versions. From the source article...
"Whether a particular build of MySQL or MariaDB is vulnerable, depends on how and where it was built. A prerequisite is a memcmp() that can return an arbitrary integer (outside of -128..127 range). To my knowledge gcc builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc sse-optimized memcmp is not safe, but gcc usually uses the inlined builtin version.
As far as I know, official vendor MySQL and MariaDB binaries are not vulnerable."
Re: (Score:1)
I guess the db shouldn't answer to any requests outside from known address space.. but still..
There is something called "shared web hosting".
Re: (Score:2)
I guess the db shouldn't answer to any requests outside from known address space.. but still..
There is something called "shared web hosting".
well, shared hosting is for bitches.
did a first post, titled it "holy motherfucking cheetah" and got +5. I think I'll make that into my new sig
Re: (Score:2)
Could have told us what it is (Score:5, Informative)
Basically the password comparison routine uses a bad assumption about memcmp. This assumption fails with a probability of about 1 in 256 on some systems. You just use any random password, try a couple hundred times to log in and eventually it works. Yes, it is that bad.
Re: (Score:2)
If it's so trivial and easy to find that a ten year old could have found it after 15 minutes of penetration testing...how long did it take you? Oh, you had no clue until just now? Well, blow me down...
Yes, because we should all spend our spare time trying to break random pieces of software.
Re: (Score:2)
In this particular case, it doesn't even need penetration testing. An implicit cast from int to char is something that any C compiler worth its salt will balk at you with default settings (and any developer worth his salt will go even further and compile with warnings as errors). These guys must have explicitly disabled that compiler warning instead. Now they know why it was a bad idea.
Re: (Score:3)
Really, though, penetration testing could have uncovered the bug. Most pentesting I've been through has included simple brute-force attacks with the 1000 or so most common passwords. That should easily have succeeded. The report should have said, "We found MySQL open with the username 'root' and the password 'p@ssw0rd'." And someone would read that report and say, "Hey, that's not our password!" And that moment of uncertainty should have provided all the impetus needed to find the vulnerability.
Re: (Score:2)
Do you know how many years that MySQL accepted February 31st as a valid date? Come on, they aren't going to spend time doing pen testing when they have known hard bugs like that to spend years fixing!
Re: (Score:2)
That's pretty funny.
But actually, I was referring to users of MySQL being penetrated by consulting firms as part of a standard security audit.
Re: (Score:2)
Ohhh, gotcha. I didn' t think that would be an issue. Most folks that care about their data don't keep it MySQL.
Re: (Score:2)
And that moment of uncertainty should have provided all the impetus needed to find the vulnerability.
You under-estimate the strength of a SEP field.
Re: (Score:2)
this sounds like something a ten-year-old would have found after fifteen minutes of penetration testing.
What stopped them finding it is it depends on what memcmp version is being used. GCC builtin ones aren't affected, neither are BSD libc. glibc's is though. Which you use all depends on how it was compiled and it appears the official vendor ones from mysql.com aren't affected. My own systems also aren't, which appears to be because they're using the GCC builtin version.
Penetration testing'll only find it on the affected versions, if the official mysql.com versions aren't affected then their testing wouldn't
Re: (Score:2)
Any idea what that assumption is? The article says typecast error, but what the hell would you cast a signed int to that would be zero when the signed int was nonzero? Even if you cast it to unsigned, you'd still have a nonzero number for negative values.
Re: (Score:1)
Re:Could have told us what it is (Score:4, Informative)
Yes, it's exactly that. They assumed memcmp returned a value in the range -128..127 - so they've assumed a char was sufficient. And many implementations do indeed return that, but unfortunately not all.
http://seclists.org/oss-sec/2012/q2/493 [seclists.org]:
Whether a particular build of MySQL or MariaDB is vulnerable, depends on
how and where it was built. A prerequisite is a memcmp() that can return
an arbitrary integer (outside of -128..127 range). To my knowledge gcc
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
sse-optimized memcmp is not safe, but gcc usually uses the inlined
builtin version.
Re: (Score:2)
Wow.
Suddenly, the decision to have an explicit 'bool' type in newer languages makes a lot more sense!
Re: (Score:3)
No. memcmp() is designed to be used by sort functions. IIRC: It's supposed to return:
0: identical
+ve: string 2 > string 1
-ve: string 1 > string 2
'bool' doesn't cut it. But yes, their comparison was bogus.
Re:Could have told us what it is (Score:5, Insightful)
They are casting the result of int strcmp to my_bool, which they have defined as typedef char my_bool.
Since int is bigger than char, you have really lots of ints than can be 0 when casted to char.
Re: (Score:1)
Wow, shouldn't there be compiler warning for this?
Re:Could have told us what it is (Score:5, Interesting)
Well, let's explain it right: the compare function uses a variable type cast that paired with certain compiler flags will improperly reduce a larger number storage to an 8 bit interger. memcmp returns 0 when there's a match, any other value otherwise. When some larger number is interpreted as a character and that number is mod(256), then you get a zero when you truncate the leading numbers.
Since the hashing function in MySQL has some variable used every time, you get a different number every time that returns a mismatch. 1 in 256 of those mismatches gets reduced to a number that is represented by a zero... which is appropriate to the cast function, but causes issues when used with memcmp.
Re: (Score:2)
1 in 256 attempts? Seems about right when I can't remember my banking password.
Like it matters! (Score:2)
Most applications that use MySQL that I've seen decided to use imbeded hard coded usernames and passwords (usually for the SA user) so there was no security anyway. The few solutions I've seen that actually used unique usernames and passwords and not SA, usually used an external authentication method so the database didn't have any passwords to expose.
Finding out about this now doesn't scare me all that much. If you had used a good security design and practice, there should be limited exposure of usernames
Re: (Score:1)
Doesn't Firefox keep a great deal of user data (history, bookmarks, tags, page metadata etc) in MySQL? Couldn't some of these problems potentially affect a huge number of people as a result by extending what might easily be accessed through browser/plugin vulnerabilities and JS features?
Re:Like it matters! (Score:5, Informative)
Firefox uses SQLite, which implements a database management system in a single file. It's not something anyone can connect to remotely.
Bad article summary (Score:1)
Summary is making it look a LOT worse than it is.
- Bug's already been fixed, only what it did was revealed now.
- Bug does not affect binary distributions from mysql.com, Windows included.
- Bug only affects some distros.
Full description here: https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
Re: (Score:1)
- Bug only affects some distros.
So far, the following systems have been confirmed as vulnerable:
Ubuntu Linux 64-bit ( 10.04, 10.10, 11.04, 11.10, 12.04 ) ( via many including @michealc )
OpenSuSE 12.1 64-bit MySQL 5.5.23-log ( via @michealc )
Debian Unstable 64-bit 5.5.23-2 ( via @derickr )
Fedora ( via hexed and confirmed by Red Hat )
Arch Linux (unspecified version)
Feedback so far indicates the following platforms are NOT vulnerable:
Official builds from MySQL and MariaDB (including Windows)
Red Hat Enterprise Linux 4, 5, and 6 (
Re: (Score:2)
Summary is making it look a LOT worse than it is.
- Bug's already been fixed, only what it did was revealed now.
- Bug does not affect binary distributions from mysql.com, Windows included.
- Bug only affects some distros.
Full description here: https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql [rapid7.com]
They claim ubuntu 10.04 64 bit is vulnerable. That's my laptop distro, and after 5,000 attempts I can't break in.
The linked memcmp program at http://pastie.org/4064638 [pastie.org] indeed says I'm vulnerable, so why can't I break in?
How accurate is that vulnerable list (Score:1)
Re: (Score:1)
Re: (Score:2)
Yup, when somebody emailed me this news in a panic I checked and the bug was fixed on Gentoo over a month ago, though if you were on itanic or sparc you got it a bit late (still a week or two ago). The article only refers to 64-bit Gentoo, but as far as I can tell it should be fixed on all the security-supported archs (and likely on the non-security ones by now also).
Didn't anyone learn from the Wii? (Score:2)
Sounds like the bug on the Wii.
There was a bug on the Wii where it used string comparison functions to compare signatures, instead of memory comparison functions. So it terminated at the first null character. So you could fakesign anything easily after 256 tries.
From what little information is on that page, it sounds like the exact same problem.
Re: (Score:3)
No, this is a different problem. This one is about casting the value returned by memcmp to char (it returns an int). On most systems, int is 32-bit, char is 8-bit, and such a cast is basically equivalent to taking the low 8 bits of the int. So when memcmp returns a non-zero value (meaning "not equal"), which has the lower 8 bits of the int all set to zero, they get zero when they cast it to char, and then interpret that as "equal".
It doesn't affect RHEL or Centos (Score:1)
RHEL and Centos are not affected by this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2122 [redhat.com]
http://lists.centos.org/pipermail/centos/2012-June/126719.html [centos.org]
It appears to me that... (Score:2)
... the attacks must have access to the DB first.
If my daemons are firewalled, my MariaDB server only accepts requests from 127.0.0.1 and my authentication code lives out of the httpdocs filesystem (PHP *don't have* to run every script from the httpdocs filesystem!), I don't see how the attacker could try this on my machine without rooting it first.
In this case, the MariaBD passwords are the least of my worries.
Or I'm wrong?
Another reason (Score:2)
To avoid having your db serve live web content without an authentication server in between. It costs more money and most companies staring out use an ISP with a single server with everything but that increases your chances of being hacked exponentially.
"...official MySQL binaries aren't vulnerable" (Score:1)
Lookout for that molehill! Yes, some versions are vulnerable, and everyone is having a hissy fit about this. I've tested every single copy of various versions of MySQL that I have running, and they are not vulnerable. And I'm running MySQL on Windows, Arch, RHEL, Ubuntu and CentOS.