[Owasp-manila] Security Flaw in MySQL

Owasp michael.dungog at owasp.org
Wed Jun 13 12:45:41 UTC 2012


Thanks Eugene, this is very informative. 

Adding owasp mailing list into the loop. 

Regards,

Michael Dungog
Chapter Leader, OWASP-Manila


On Jun 12, 2012, at 7:47 PM, Eugene Amador <ecamador at gmail.com> wrote:

> just want to share...
> ------------------------
> Introduction
>  
> On Saturday afternoon Sergei Golubchik posted to the oss-sec mailing list about a recently patched security flaw (CVE-2012-2122) in the MySQL and MariaDB database servers. This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -127 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.
>  
> In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied. The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password.
>  
> $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
> mysql>
> 
> ------------------------
> 
> Continue here (https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql)
> 
> ------------------------
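
The root cause described in the quoted post, reduced to a small C program (an added example, not code from the email or from the MySQL/MariaDB sources): the comparison result is narrowed to a one-byte my_bool, so a memcmp that returns a multiple of 256 on mismatch is read as a match, while collapsing the result to 0/1 first closes the gap. wide_memcmp is a constructed stand-in that makes the effect deterministic; on a real system the return values depend on the platform's optimized memcmp, which is why the post describes it as a 1 in 256 chance.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_SIZE 20           /* SHA1 digest length used by the scramble check */
typedef char my_bool;          /* MySQL's historic my_bool is a plain char */

/* Constructed stand-in for an optimized memcmp. The C standard only promises a
 * sign, so an implementation may return any non-zero int on mismatch; this one
 * returns the first byte difference scaled by 256 to make the effect visible. */
static int wide_memcmp(const void *a, const void *b, size_t n) {
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i]) return ((int)x[i] - (int)y[i]) * 256;
    return 0;
}

/* Flawed pattern: the int result is narrowed to my_bool (char), so any mismatch
 * value that is a multiple of 256 becomes 0, which the caller reads as "match". */
static my_bool check_scramble_flawed(const uint8_t *expected, const uint8_t *got) {
    return wide_memcmp(expected, got, HASH_SIZE);
}

/* Fixed pattern: collapse the comparison to 0/1 before it is narrowed. */
static my_bool check_scramble_fixed(const uint8_t *expected, const uint8_t *got) {
    return wide_memcmp(expected, got, HASH_SIZE) != 0;
}

/* Constructed scenario: the expected hash is all 0x41; when tamper != 0 one
 * byte of the presented hash is changed. Returns 0 if the check accepts it. */
int verdict(int use_fixed, int tamper) {
    uint8_t expected[HASH_SIZE], got[HASH_SIZE];
    memset(expected, 0x41, HASH_SIZE);
    memcpy(got, expected, HASH_SIZE);
    if (tamper) got[3] = 0x42;                  /* hash of a wrong password */
    return use_fixed ? check_scramble_fixed(expected, got)
                     : check_scramble_flawed(expected, got);
}

int main(void) {
    printf("flawed, wrong hash : %s\n", verdict(0, 1) == 0 ? "ACCEPTED" : "rejected");
    printf("fixed,  wrong hash : %s\n", verdict(1, 1) == 0 ? "ACCEPTED" : "rejected");
    printf("fixed,  right hash : %s\n", verdict(1, 0) == 0 ? "ACCEPTED" : "rejected");
    return 0;
}
```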