Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


More on LinuxToday


Security Advisory: Remote access vulnerability in all MySQL server versions

Feb 09, 2000, 06:40 (3 Talkback[s])
(Other stories by Robert Van Der Meulen)

Date: Tue, 8 Feb 2000 20:03:32 +0100
From: Robert van der Meulen rvdm@CISTRON.NL
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Remote access vulnerability in all MySQL server versions

Hi,

Below you find a security advisory i wrote concerning a vulnerability found in all (known to me) mysql server versions, including the latest one. As mysql is a widely used sql platform, i strongly advise everyone using it to read it, and fix where appropriate. This email has been bcc'd to the mysql bug list, and other appropriate parties.

Greets, Robert van der Meulen/Emphyrio

.Introduction.

There exists a vulnerability in the password checking routines in the latest versions of the MySQL server, that allows any user on a host that is allowed to connect to the server, to skip password authentication, and access databases. For the exploit to work, a valid username for the mysql server is needed, and this username must have access to the database server, when connecting from the attacking host.

.Vulnerable Systems.

All systems running 3.22.26a and up (tested). Probably all systems running lower versions as well (not tested, not reviewed). All versions are vulnerable on all platforms.

.A snippet of code from the mysql code, explaining password authentication **

>From mysql-3.22.26a/sql/password.c:
/* password checking routines */
/*****************************************************************************
  The main idea is that no password are sent between client & server on
  connection and that no password are saved in mysql in a decodable form.

  On connection a random string is generated and sent to the client.
  The client generates a new string with a random generator inited with
  the hash values from the password and the sent string.
  This 'check' string is sent to the server where it is compared with
  a string generated from the stored hash_value of the password and the
  random string.


*****************************************************************************/

.More code, and vulnerability explanation.

The problem is, that in the comparison between the 'check' string, and the string generated from the hash_value of the password and the random string, the following code is used (from mysql-3.22.26a/sql/password.c):

  while (*scrambled)
  {
    if (*scrambled++ != (char) (*to++ ^ extra))
      return 1;                                 /* Wrong password */
  }

'scrambled' represents the 'check' value, and (*to++ ^ extra) walks trough the hash_value.

Suppose a client would send a _single_ character to the server as the 'check' string. Of course the server should notice the check string is not the same length as the check string needed, and give a password error. Because no such checks are done, when a check string of length 1 is passed to the server, only one character is compared. So the only thing that remains to know if we want to peek in someone's MySQL database, is a technique to find out the first character of the server-side check string.

The string that's used for the comparison is generated using some random data, so two following authenticate-actions will probably use different check-strings. After looking at the algorithm, generating the check string, it becomes clear that there are actually only 32 possibilities for each character.

In practice, this means that if you connect, sending one single character as the check string, you will be in in about 32 tries maximum.

.Impact.

Hosts in the access list (by default any host, on a lot of distributions and servers) can connect to the MySQL server, without a password, and access (often sensitive) data _as long as the attacker has a valid username for the database server_. This vulnerability also incorporates a MySQL DoS attack, as the attacker can shutdown database servers and delete data, if she logs in with the MySQL management account.

.Exploit information.

I have an exploit available, but to defer script kiddies i will not release it (yet). Do not ask me for it.

If above explanation is understood, an exploit should be easy enough...

.Fix information.

Change the routine 'check_scramble' in mysql-3.22.26a/sql/password.c to do a length check, _before_ starting the compare. This should be as easy as inserting the following just above the while (*scrambled) loop:

if (strlen(scrambled)!=strlen(to)) {
        return 1;
}

WARNING: This is NOT an official fix. You can use this as a temporary solution to the problem. Please check the official mysql site (www.mysql.org) for a fix.

.Commentary.

I think this exploit should not be a very scary thing to people that know how to secure their servers. In practice, there's almost never a need to allow the whole world to connect to your SQL server, so that part of the deal should be taken care of.

As long as your MySQL ACL is secure, this problem doesn't really occur (unless your database server doubles as a shell server).

We have also located several other security bugs in mysql server/client. These bugs can only be exploited by users who have a valid username and password. We will send these to the mysql maintainers, and hope they'll come with a fix soon.

Yours,
Robert van der Meulen/Emphyrio (rvdm@cistron.nl)
Willem Pinckaers (dvorak@synnergy.net)