

MariaDB and MySQL Authentication Bypass Exploit

JohnBert writes "A security bug in MariaDB and MySQL has been revealed, allowing a known username and password to access the master user table of a MySQL server and dump it into a locally-stored file. By using a tool like John the Ripper, this file can be easily cracked to reveal text passwords that can provide further access. By committing a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database, you can access the database using the cracked password hashes even if the authentication bypass vulnerability is fixed."

5 of 73 comments

  1. Could have told us what it is by Anonymous Coward · · Score: 5, Informative

    Basically the password comparison routine uses a bad assumption about memcmp. This assumption fails with a probability of about 1 in 256 on some systems. You just use any random password, try a couple hundred times to log in and eventually it works. Yes, it is that bad.

    1. Re:Could have told us what it is by SteveAyre · · Score: 3, Informative

      Yes, it's exactly that. They assumed memcmp returned a value in the range -128..127 - so they've assumed a char was sufficient. And many implementations do indeed return that, but unfortunately not all.

      http://seclists.org/oss-sec/2012/q2/493:

      Whether a particular build of MySQL or MariaDB is vulnerable, depends on
      how and where it was built. A prerequisite is a memcmp() that can return
      an arbitrary integer (outside of -128..127 range). To my knowledge gcc
      builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
      sse-optimized memcmp is not safe, but gcc usually uses the inlined
      builtin version.
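The two comments above describe the failure mode precisely: the password check narrows memcmp()'s int result to a one-byte type, so any nonzero result that happens to be a multiple of 256 collapses to 0 and is accepted. The program below is an added illustration, not MySQL's, MariaDB's or glibc's code. It uses a constructed stand-in memcmp that compares 16-bit words and returns their arithmetic difference (so it can return values well outside -128..127, which is all the demonstration needs), a constructed 20-byte "stored hash", and two constructed wrong inputs: one whose difference is exactly 256 and one whose difference is 1. The truncating check wrongly accepts the first; a comparison that never depends on memcmp's return range rejects both.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRAMBLE_LEN 20   /* length of the constructed hash values below */

/* Constructed model of a memcmp() that is NOT confined to -128..127: it
   compares 16-bit big-endian words and returns the difference of the first
   word that differs. Teaching stand-in only; not the glibc SSE routine. */
static int memcmp_wide(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t i = 0;
    for (; i + 2 <= n; i += 2) {
        int wa = (a[i] << 8) | a[i + 1];
        int wb = (b[i] << 8) | b[i + 1];
        if (wa != wb) return wa - wb;   /* range -65535..65535 */
    }
    for (; i < n; i++)
        if (a[i] != b[i]) return (int)a[i] - (int)b[i];
    return 0;
}

/* Vulnerable pattern described in the thread: the int from memcmp() is
   stored in a one-byte type before it is tested. On the usual two's
   complement ABIs the conversion keeps the low 8 bits, so -256, 256, 512...
   all become 0 and read as "hashes match". Returns 1 when accepted. */
static int scramble_check_truncated(const uint8_t *stored, const uint8_t *given) {
    signed char r = (signed char)memcmp_wide(stored, given, SCRAMBLE_LEN);
    return r == 0;
}

/* Hardened pattern: never interpret memcmp()'s magnitude at all. OR the XOR
   of every byte into one accumulator and accept only if nothing differed.
   This is also constant-time, so the decision does not leak through timing. */
static int scramble_check_safe(const uint8_t *stored, const uint8_t *given) {
    uint8_t diff = 0;
    for (size_t i = 0; i < SCRAMBLE_LEN; i++) diff |= stored[i] ^ given[i];
    return diff == 0;
}

/* Constructed test vectors (not real hashes). */
static const uint8_t STORED[SCRAMBLE_LEN]          = {0};
static const uint8_t WRONG_DIFF_256[SCRAMBLE_LEN]  = {0x01, 0x00}; /* first word differs by 256 */
static const uint8_t WRONG_DIFF_1[SCRAMBLE_LEN]    = {0x00, 0x01}; /* first word differs by 1   */

int main(void) {
    printf("raw memcmp_wide for WRONG_DIFF_256: %d\n",
           memcmp_wide(STORED, WRONG_DIFF_256, SCRAMBLE_LEN));   /* -256 */
    printf("truncated check accepts wrong hash (diff 256): %d\n",
           scramble_check_truncated(STORED, WRONG_DIFF_256));   /* 1: the bug */
    printf("truncated check accepts wrong hash (diff 1):   %d\n",
           scramble_check_truncated(STORED, WRONG_DIFF_1));     /* 0 */
    printf("safe check accepts wrong hash (diff 256):      %d\n",
           scramble_check_safe(STORED, WRONG_DIFF_256));        /* 0 */
    printf("safe check accepts correct hash:               %d\n",
           scramble_check_safe(STORED, STORED));                /* 1 */
    return 0;
}
```

The defensive lesson is the one the thread hints at: a build is only safe by luck of which memcmp() it links, so the fix belongs in the comparison itself (test the full int, or better, use a byte-accumulating constant-time compare), not in assumptions about the library. The same structure is worth auditing anywhere a library's int return value is assigned to char, my_bool or another narrow type.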

  2. Re:Like it matters! by tuffy · · Score: 4, Informative

    Firefox uses SQLite, which implements a database management system in a single file. It's not something anyone can connect to remotely.

    --

    Ita erat quando hic adveni.

  3. Re:holy motherfucking cheetah by SteveAyre · · Score: 4, Informative

    They say you can get in by making 300 connection attempts, which can be done within a fraction of a second. Which is true.

    They don't say that you have to do it within a fraction of a second.

    The memcmp function has a 1/256 chance of returning the required value that makes it treat any password as the correct password - there's no link between the connection attempts, each time you try to connect you have the same 1/256 chance. You could space the attempts out over several minutes, hours or days if you wanted to - it'd just slow down the time it'd take you to get in (and make it more likely they've patched their systems before you get in).

    Practically, this is slightly less newsworthy than it sounds. Yes, the bug exists and yes, it's serious, but whether you're actually affected also depends on which memcmp version you're using. The gcc builtin ones aren't affected, nor are the libc ones; the glibc one is. That means whether it's exploitable depends on how your server was compiled. And it appears that the official versions from mysql.com aren't affected, and testing my debian systems today neither are they (but they're nicely firewalled anyway, just in case). Source: http://seclists.org/oss-sec/2012/q2/493

  4. Re:holy motherfucking cheetah by hairyfeet · · Score: 5, Informative

    Oh c'mon now, where else can you get such nasty venom? You just gots to love stuff like this where he says ARM is nothing but "embedded crap". How can you NOT like such an arrogant little self-important shit? Hell, he reminds me of little Mickey 500 accounts here; all he needs to do is add "You are pathetic" at the end of each post and he'd have it down pat!

    --
    ACs don't waste your time replying, your posts are never seen by me.