MariaDB and MySQL Authentication Bypass Exploit

JohnBert writes "A security bug in MariaDB and MySQL has been revealed, allowing a known username and password to access the master user table of a MySQL server and dump it into a locally-stored file. By using a tool like John the Ripper, this file can be easily cracked to reveal text passwords that can provide further access. By committing a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database, you can access the database using the cracked password hashes even if the authentication bypass vulnerability is fixed."

Re:Could have told us what it is

[autocracy]

Well, let's explain it right: the compare function uses a variable type cast that paired with certain compiler flags will improperly reduce a larger number storage to an 8 bit interger. memcmp returns 0 when there's a match, any other value otherwise. When some larger number is interpreted as a character and that number is mod(256), then you get a zero when you truncate the leading numbers.

Since the hashing function in MySQL has some variable used every time, you get a different number every time that returns a mismatch. 1 in 256 of those mismatches gets reduced to a number that is represented by a zero... which is appropriate to the cast function, but causes issues when used with memcmp.