A simple but serious MySQL and MariaDB authentication bypass flaw has been revealed by MariaDB security coordinator Sergei Golubchik, and exploits targeting it have already been found in the wild.
“When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might’ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256,” Golubchik explained.
An attacker who knows a correct username (usually the ubiquitous “root”) can easily connect using a random password by repeating connection attempts.
“~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent,” wrote Golubchik.
Metaisploit’s HD Moore says that, so far, 64-bit versions of Ubuntu Linux, OpenSuSE 12.1 64-bit, Fedora 16 64-bit and Arch Linux have been found to have vulnerable MySQL releases, while a number of Debian, Gentoo, CentOS and SuSE versions – as well as the official builds from MySQL and MariaDB – seem not to be affected.
“If you are approaching this issue from the perspective of a penetration tester, this will be one of the most useful MySQL tricks for some time to come,” he pointed out. “One feature of Metasploit you should be familiar with is the mysql_hashdump module. This module uses a known username and password to access the master user table of a MySQL server and dump it into a locally-stored ‘loot’ file. This can be easily cracked using a tool like John the Ripper, providing clear-text passwords that may provide further access.”
He also added that one of the Metasploit contributors has committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database, making it possible to access the database using the cracked password hashes even if the flaw is fixed.
He advised administrators not to expose MySQL servers to the network unnecessarily, and if it must be done, to implement host-based access control.