Jump to content

Νew MySQL security explotion


Recommended Posts

Exploits for a recently revealed MySQL authentication bypass flaw are now in the wild, partly because the flaw is remarkably simple to exploit in order to gain root access to the database. The only mitigating factor appears to be that it depends on the C library that the MySQL database was built with. The bypass, assigned the vulnerability ID CVE-2012-2122, allows an attacker to gain root access by repeatedly trying to login with an incorrect password. Each attempt has a 1 in 256 chance of being given access. The exploits are mostly variations of looping through connecting to MySQL with a bad password around 300 to 512 times.

The vulnerability, which was detailed in a posting by MariaDB security coordinator Sergei Golubchik, is due to a casting error when checking the results of comparing (with the memcmp function) the password given and the expected password. "Basically account password protection is as good as nonexistent", says Golubchik, adding "Any client will do, there's no need for a special libmysqlclient library". Vulnerable versions of MySQL and MariaDB are those compiled with libraries that return integers outside the -128 to 127 range for memcmp. According to Golubchik the gcc built in memcmp and BSD libc memcmp are safe, but the linux glibc sse-optimised memcmp is not safe.

He also believes that official vendor builds of MySQL or MariaDB are not vulnerable, but that all versions, up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22, are potentially vulnerable. Oracle fixed the problem in MySQL, bug id 64884, with MySQL 5.1.63 and 5.5.24, both of which were released over a month ago. The applied fix is a single line change; a similar patch is available for MariaDB source. Linux vendors are expected to be providing fixed versions of their MySQL builds soon.

Calling the flaw "tragically comedic", security expert HD Moore has a posting in which he details where MySQL is vulnerable. So far, 64-bit versions of Ubuntu Linux (10.04, 10.10, 11.04, 11.10 and 12.04), OpenSuSE 12.1 64-bit, Fedora 16 64-bit and Arch Linux have been found to have vulnerable MySQL releases. Debian, RHEL, CentOS and Gentoo, among others, have been found not to be vulnerable. Moore reminds administrators that they should restrict network access to their MySQL databases to only systems that are secure and absolutely require it. Moore also noted that there was now a Metasploit module which used the vulnerability to retrieve all the server's passwords.

Πηγή: http://www.h-online.com/open/news/item/Simple-authentication-bypass-for-MySQL-root-revealed-1614990.htmlhttp://www.h-online.com/open/news/item/Simple-authentication-bypass-for-MySQL-root-revealed-1614990.html


Link to comment
Share on other sites


  • Create New...