mysql.txt

`Hi,  
  
Below you find a security advisory i wrote concerning a vulnerability found in  
all (known to me) mysql server versions, including the latest one.  
As mysql is a widely used sql platform, i strongly advise everyone using it  
to read it, and fix where appropriate.  
This email has been bcc'd to the mysql bug list, and other appropriate parties.  
  
Greets,  
Robert van der Meulen/Emphyrio  
  
  
.Introduction.  
  
There exists a vulnerability in the password checking routines in the latest  
versions of the MySQL server, that allows any user on a host that is allowed  
to connect to the server, to skip password authentication, and access databases.  
For the exploit to work, a valid username for the mysql server is needed, and  
this username must have access to the database server, when connecting from  
the attacking host.  
  
  
.Vulnerable Systems.  
  
All systems running 3.22.26a and up (tested).  
Probably all systems running lower versions as well (not tested, not reviewed).  
All versions are vulnerable on all platforms.  
  
  
.A snippet of code from the mysql code, explaining password authentication **  
  
>From mysql-3.22.26a/sql/password.c:  
/* password checking routines */  
/*****************************************************************************  
The main idea is that no password are sent between client & server on  
connection and that no password are saved in mysql in a decodable form.  
  
On connection a random string is generated and sent to the client.  
The client generates a new string with a random generator inited with  
the hash values from the password and the sent string.  
This 'check' string is sent to the server where it is compared with  
a string generated from the stored hash_value of the password and the  
random string.  
  
<cut>  
*****************************************************************************/  
  
  
.More code, and vulnerability explanation.  
  
The problem is, that in the comparison between the 'check' string, and the  
string generated from the hash_value of the password and the random string,  
the following code is used (from mysql-3.22.26a/sql/password.c):  
  
while (*scrambled)  
{  
if (*scrambled++ != (char) (*to++ ^ extra))  
return 1; /* Wrong password */  
}  
  
'scrambled' represents the 'check' value, and (*to++ ^ extra) walks trough the  
hash_value.  
Suppose a client would send a _single_ character to the server as the 'check'  
string.  
Of course the server should notice the check string is not the same length as  
the check string needed, and give a password error.  
Because no such checks are done, when a check string of length 1 is passed to  
the server, only one character is compared.  
So the only thing that remains to know if we want to peek in someone's MySQL  
database, is a technique to find out the first character of the server-side  
check string.  
  
The string that's used for the comparison is generated using some random data,  
so two following authenticate-actions will probably use different check-strings.  
After looking at the algorithm, generating the check string, it becomes clear  
that there are actually only 32 possibilities for each character.  
  
In practice, this means that if you connect, sending one single character as  
the check string, you will be in in about 32 tries maximum.  
  
  
.Impact.  
  
Hosts in the access list (by default any host, on a lot of distributions and  
servers) can connect to the MySQL server, without a password, and access  
(often sensitive) data _as long as the attacker has a valid username for the  
database server_.  
This vulnerability also incorporates a MySQL DoS attack, as the attacker can  
shutdown database servers and delete data, if she logs in with the MySQL  
management account.  
  
  
.Exploit information.  
  
I have an exploit available, but to defer script kiddies i will not release  
it (yet). Do not ask me for it.  
If above explanation is understood, an exploit should be easy enough...  
  
  
.Fix information.  
  
Change the routine 'check_scramble' in mysql-3.22.26a/sql/password.c to do a  
length check, _before_ starting the compare.  
This should be as easy as inserting the following just above the  
while (*scrambled) loop:  
  
if (strlen(scrambled)!=strlen(to)) {  
return 1;  
}  
  
WARNING: This is NOT an official fix. You can use this as a temporary solution  
to the problem.  
Please check the official mysql site (www.mysql.org) for a fix.  
  
  
.Commentary.  
  
I think this exploit should not be a very scary thing to people that know  
how to secure their servers.  
In practice, there's almost never a need to allow the whole world to connect  
to your SQL server, so that part of the deal should be taken care of.  
As long as your MySQL ACL is secure, this problem doesn't really occur (unless  
your database server doubles as a shell server).  
  
We have also located several other security bugs in mysql server/client. These  
bugs can only be exploited by users who have a valid username and password.  
We will send these to the mysql maintainers, and hope they'll come  
with a fix soon.  
  
Yours,  
Robert van der Meulen/Emphyrio ([email protected])  
Willem Pinckaers ([email protected])  
  
  
--  
  
| [email protected] - Cistron Internet Services - www.cistron.nl |  
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |  
| My statements are mine, and not necessarily cistron's. |  
  
  
`