MySQL flaw allows cybercriminals to connect to the server

An elementary but very serious MariaDB and MySQL authentication flaw was  found by security chief at MariaDB, Sergei Golubchik, and there are already exploits that target found on the internet.

“When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might’ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256,” Golubchik said.

An cybercrook that knows the username (and usually it is “root”) will easily connect if he uses a random password if the connection attempt is repeated.

“~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent,” explained Golubchik.

There are also good news: only MariaDB and MySQL versions untill 5.1.61, 5.2.11, 5.3.5, 5.5.22 have this vulnerability so users are advised to implement the patches ASAP. (MariaDB patch , MySQL patch )

HD Moore from Metasploit confirmed that untill now, 64-bit versions of Ubuntu Linux, OpenSuSE 12.1 64-bit, Fedora 16 64-bit and Arch Linux have vulnerable versions of MySQL while Debian, Gentoo, CentOS and SuSE versions – as well as the official builds from MySQL and MariaDB do not seem to be affected.

“If you are approaching this issue from the perspective of a penetration tester, this will be one of the most useful MySQL tricks for some time to come,” he said. ”One feature of Metasploit you should be familiar with is the mysql_hashdump module. This module uses a known username and password to access the master user table of a MySQL server and dump it into a locally-stored ‘loot’ file. This can be easily cracked using a tool like John the Ripper, providing clear-text passwords that may provide further access.”

Also he said that one of the contributors of Metasploit created a threaded module that uses brute-force that will abuse the bypass flaw in order to dump the database containing the passwords thus making it possible to query the database with the leaked password hashes even if the flaw is patched.

The advice for IT admins is not to expose their MySQL servers to the network if not neccessary, still if it must be done they should use host-based access control.