
Massive MYSQL Authentication Bypass Exploit - nreece
https://www.secmaniac.com/blog/2012/06/11/massive-mysql-authentication-bypass-exploit/
======
mmaunder
Exec summary:

Simply trying to connect to some MySQL servers many times with a valid user
account will drop you into that user account. The bug has a one in 256
probability of occurring. Whether or not your system is vulnerable depends on
the kind of memcmp() your MySQL was built with.

Summary:

-snip-

When a user connects to MariaDB/MySQL, a token (SHA over a password and a
random scramble string) is calculated and compared with the expected value.
Because of incorrect casting, it might've happened that the token and the
expected value were considered equal, even if the memcmp() returned a non-zero
value. In this case MySQL/MariaDB would think that the password is correct,
even while it is not. Because the protocol uses random strings, the
probability of hitting this bug is about 1/256.

Which means, if one knows a user name to connect (and "root" almost always
exists), she can connect using _any_ password by repeating connection
attempts. ~300 attempts take only a fraction of a second, so basically account
password protection is as good as nonexistent. Any client will do, there's no
need for a special libmysqlclient library.

But practically it's better than it looks - many MySQL/MariaDB builds are not
affected by this bug.

Whether a particular build of MySQL or MariaDB is vulnerable, depends on how
and where it was built. A prerequisite is a memcmp() that can return an
arbitrary integer (outside of -128..127 range). To my knowledge gcc builtin
memcmp is safe, BSD libc memcmp is safe. Linux glibc sse-optimized memcmp is
not safe, but gcc usually uses the inlined builtin version.

As far as I know, official vendor MySQL and MariaDB binaries are not
vulnerable.

-snip-
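
The casting flaw the quoted advisory describes, as an added example that is not part of the original comment and is not MySQL/MariaDB source. `my_bool_t`, `wide_memcmp`, `mismatch_narrowed`, `mismatch_normalised`, `false_accepts` and the token bytes are hypothetical names and constructed values; `wide_memcmp` stands in for a memcmp() whose return value can fall outside -128..127.

```c
#include <stddef.h>
#include <stdio.h>
typedef char my_bool_t;  /* assumed one-byte boolean: 0 means "tokens match" */
typedef my_bool_t (*check_fn)(const unsigned char *, const unsigned char *, size_t);

/* Hypothetical stand-in for an optimised memcmp(): compares two bytes at a
 * time and returns their difference, so results span -65535..65535. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i + 1 < n; i += 2) {   /* n assumed even here */
        int x = (a[i] << 8) | a[i + 1];
        int y = (b[i] << 8) | b[i + 1];
        if (x != y) return x - y;
    }
    return 0;
}

/* Flawed pattern: narrowing the int keeps only its low byte, so a non-zero
 * result that is a multiple of 256 turns into 0 ("match"). */
static my_bool_t mismatch_narrowed(const unsigned char *a, const unsigned char *b, size_t n)
{
    return (my_bool_t)wide_memcmp(a, b, n);
}

/* Corrected pattern: reduce the result to 0 or 1 before it is narrowed. */
static my_bool_t mismatch_normalised(const unsigned char *a, const unsigned char *b, size_t n)
{
    return wide_memcmp(a, b, n) != 0;
}

/* Count how many of the 65535 wrong two-byte tokens a check reports as equal. */
static unsigned false_accepts(check_fn check)
{
    const unsigned char expected[2] = { 0x5a, 0xc3 };  /* constructed value */
    unsigned accepted = 0;
    for (unsigned v = 0; v < 65536; v++) {
        unsigned char got[2] = { (unsigned char)(v >> 8), (unsigned char)v };
        int wrong = got[0] != expected[0] || got[1] != expected[1];
        if (wrong && check(got, expected, 2) == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("narrowed:   %u wrong tokens accepted\n", false_accepts(mismatch_narrowed));
    printf("normalised: %u wrong tokens accepted\n", false_accepts(mismatch_normalised));
}
```

The narrowed check accepts 255 of the 65535 wrong tokens, in line with the "about 1/256" figure quoted above, while the normalised check accepts none.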

------
nodata
Discussion here: <http://news.ycombinator.com/item?id=4092849>

------
kaitnieks
More info seems to be here: <http://seclists.org/oss-sec/2012/q2/493>

------
emilw
I can confirm this works, stock MySQL on Debian Wheezy.

Linux hostname 3.2.0-2-amd64 #1 SMP Tue Mar 20 18:36:37 UTC 2012 x86_64 GNU/Linux
MySQL Server version: 5.1.61-3-log (Debian)

~~~
fla
Works on default aptitude package in Ubuntu 12.04 x86_64

mysql : 14.14 - 5.5.22
kernel : 3.2.0-23-generic

------
kba
I can't seem to reproduce on MySQL 5.1.61-0+squeeze1.

