Trivial Password Flaw Leaves MySQL Databases Exposed

There is a trivially exploitable vulnerability in MySQL that enables an attacker to gain root access to the database server. The bug, which recently was patched, stems from an error in the way that MySQL and MariaDB handle passwords, giving an attacker a chance of getting root access by supplying any password to an affected server.

The bug was disclosed over the weekend and there is already exploit code available for it in the form of a Metasploit module. Security researchers say that the vulnerability is easily exploitable and that it could be useful for attackers for some time to come.

The security advisory on the MySQL CVE-2012-2122 vulnerability says that the database can be compromised by a remote attacker with little time and effort.

“When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might’ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256. Which means, if one knows a user name to connect (and “root” almost always exists), she can connect using any password by repeating connection attempts. ~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent,” the advisory says.

There is a fix available for the vulnerability and several Linux distributions that include versions of the affected databases already have pushed out patches for it. HD Moore, creator of Metasploit, said that the MySQL flaw is a serious problem and should not be taken lightly.

“If you are approaching this issue from the perspective of a penetration tester, this will be one of the most useful MySQL tricks for some time to come. One feature of Metasploit you should be familiar with is the mysql_hashdump module. This module uses a known username and password to access the master user table of a MySQL server and dump it into a locally-stored “loot” file. This can be easily cracked using a tool like John the Ripper, providing clear-text passwords that may provide further access,” Moore said in a blog post.

“This evening Jonathan Cran (CTO of Pwnie Express and Metasploit contributor) committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database. This ensures that even if the authentication bypass vulnerability is fixed, you should still be able to access the database using the cracked password hashes.”