Slashdot Mirror


MariaDB and MySQL Authentication Bypass Exploit

JohnBert writes "A security bug in MariaDB and MySQL has been revealed, allowing a known username and password to access the master user table of a MySQL server and dump it into a locally-stored file. By using a tool like John the Ripper, this file can be easily cracked to reveal text passwords that can provide further access. By committing a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database, you can access the database using the cracked password hashes even if the authentication bypass vulnerability is fixed."

3 of 73 comments

  1. holy motherfucking cheetah by gl4ss · Score: 4, Insightful

    "An attacker who knows a correct username (usually the ubiquitous "root") can easily connect using a random password by repeating connection attempts.

    "~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent," wrote Golubchik."

    I guess the db shouldn't answer to any requests outside from known address space.. but still..

    --
    world was created 5 seconds before this post as it is.
    1. Re:holy motherfucking cheetah by Anonymous Coward · Score: 5, Insightful

      And that is why we use fail2ban.

  2. Re:Could have told us what it is by Anonymous Coward · Score: 5, Insightful

    They are casting the result of int strcmp to my_bool, which they have defined as typedef char my_bool.

    Since int is bigger than char, you have really lots of ints that can be 0 when cast to char.
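
The truncation described in the last comment, shown next to a normalized check. This is an added example, not part of the original thread and not MySQL or MariaDB source; the function names and sample values are assumptions made for illustration, and only `typedef char my_bool` comes from the comment.

```c
#include <stdio.h>

typedef char my_bool; /* the typedef quoted in the comment above */

/* Flawed pattern: narrow the int comparison result straight to char.
 * Nonzero is meant to signal "mismatch", but only the low 8 bits survive
 * (modulo-256 wrap on the usual two's-complement compilers). */
static my_bool mismatch_truncating(int cmp_result)
{
    return (my_bool)cmp_result;
}

/* Corrected pattern: reduce to 0/1 first, then narrow. */
static my_bool mismatch_normalized(int cmp_result)
{
    return (my_bool)(cmp_result != 0);
}

/* Count the nonzero results in [-limit, limit] that a check reports as a
 * match (returns 0), i.e. the false accepts. */
static int false_accepts(my_bool (*mismatch)(int), int limit)
{
    int count = 0;
    for (int r = -limit; r <= limit; r++) {
        if (r != 0 && mismatch(r) == 0)
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample values standing in for comparison results. */
    const int samples[] = { 0, 1, -1, 200, 256, -512 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("cmp=%5d  truncating=%d  normalized=%d\n", samples[i],
               mismatch_truncating(samples[i]) != 0,
               mismatch_normalized(samples[i]) != 0);
    printf("false accepts in [-1024,1024]: %d vs %d\n",
           false_accepts(mismatch_truncating, 1024),
           false_accepts(mismatch_normalized, 1024));
    return 0;
}
```

Any comparison result that is a nonzero multiple of 256 reads as "equal" after the cast, which is why the check has to be reduced to a boolean before it is narrowed.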