Home Home   Your IP: 3.238.202.76 Forum [Blog]

-: Exploits - Bugs - Vulnerabilities :-


MySQL Authentication Bypass Exploit

MySQL authentication bypass exploit code.
From: (bambam_at_pineapple.shacknet.nu)
Date: Thu, 8 Jul 2004 09:42:45 +0100 (BST)

Background
**********
Chris Anley (chris_at_ngssoftware.com) discovered an authentication bypass vulnerability in versions 4.1.0 - 4.1.2 and 5.0.0 of MySQL. His paper of Monday 5th July entitled "Hackproofing MySQL" included details of the vulnerability, along with other information on MySQL security issues, but included no exploit code.

In his paper he states that:

"This bug is relatively easy to exploit, although it is necessary to write a custom MySQL client in order to do so."

This seemed a little strange to me, as I just altered the mysql client's own source to include the attack.

Diffs are attached against version 5.0.0-alpha source distribution. (Since this is the distibution for "previewing and testing new features" ;-)

Mitigating Factors
******************
Chris pointed out the mitigating factors of this attack in his paper, but they are worth re-iterating:

1) The attacker must be able to connect to the mysql daemon.
2) The attacker must know a valid username for the mysql database.
3) The attacker must be connecting from a host valid for that username (localhost by default in the case of the 'root' mysql user).

Usage
*****
Download and Unpack the 5.0.0-alpha source from the mysql website, then patch the file sql-common/client.c with:

sql-common/ $ patch client.c mysql.authentication.bypass_client.c.diff
sql-common/ $ cd ..
mysql-5.0.0-alpha/ # ./confiugure
mysql-5.0.0-alpha/ # make

Then simply use the resultant client binary (mysql) as you would normally, with total disregard to the password you specify:

mysql-5.0.0-alpha/ $ ./client/mysqld -h hostname -u username
Just press enter at the password prompt - and if the server is vulnerable you should be logged in.

Tested against server version 5.0.0-alpha, but should work against the other vulnerable versions since the server code is the same :-)

Greetings
*********
to everyone in the uk scene, especially the whole brum crew (past and present), all the sheffield mormons (i'm doing this for satan), and to all those who don't believe in change for the better - may you be proven wrong in time.
bambam

--
Cry 'Socket(),' and let slip the packets of war;

TEXT/PLAIN attachment: the diff
Received on Jul 08 2004





© 2023 Insecure Lab, India.