Date: Wed, 9 Feb 2000 07:12:37 -0800
From: Elias Levy <[email protected]>
To: [email protected]Subject: Remote access vulnerability in all MySQL server versions
----- Forwarded message from Michael Widenius <[email protected]> -----
From: Michael Widenius <[email protected]>
Message-ID: <[email protected]>
Date: Wed, 9 Feb 2000 16:07:56 +0200 (EET)
To: Elias Levy <[email protected]>
Subject: Remote access vulnerability in all MySQL server versions
X-Mailer: VM 6.72 under 21.1 (patch 7) "Biscayne" XEmacs Lucid
Reply-To: [email protected]
Hi!
>>>>> "Elias" == Elias Levy <[email protected]> writes:
Elias> Hi,
Elias> Below you find a security advisory i wrote concerning a vulnerability found in
Elias> all (known to me) mysql server versions, including the latest one.
Elias> As mysql is a widely used sql platform, i strongly advise everyone using it
Elias> to read it, and fix where appropriate.
Elias> This email has been bcc'd to the mysql bug list, and other appropriate parties.
Elias> Greets,
Elias> Robert van der Meulen/Emphyrio
Elias> .Introduction.
Elias> There exists a vulnerability in the password checking routines in the latest
Elias> versions of the MySQL server, that allows any user on a host that is allowed
Elias> to connect to the server, to skip password authentication, and access databases.
Elias> For the exploit to work, a valid username for the mysql server is needed, and
Elias> this username must have access to the database server, when connecting from
Elias> the attacking host.
<cut>
Thanks to for finding this!
The official patch to fix this follows:
*** /my/monty/master/mysql-3.23.10-alpha/sql/sql_parse.cc Sun Jan 30 10:42:42 2000
--- ./sql_parse.cc Wed Feb 9 16:05:49 2000
***************
*** 17,22 ****
--- 17,24 ----
#include <m_ctype.h>
#include <thr_alarm.h>
+ #define SCRAMBLE_LENGTH 8
+
extern int yyparse(void);
extern "C" pthread_mutex_t THR_LOCK_keycache;
***************
*** 188,195 ****
end=strmov(buff,server_version)+1;
int4store((uchar*) end,thd->thread_id);
end+=4;
! memcpy(end,thd->scramble,9);
! end+=9;
#ifdef HAVE_COMPRESS
client_flags |= CLIENT_COMPRESS;
#endif /* HAVE_COMPRESS */
--- 190,197 ----
end=strmov(buff,server_version)+1;
int4store((uchar*) end,thd->thread_id);
end+=4;
! memcpy(end,thd->scramble,SCRAMBLE_LENGTH+1);
! end+=SCRAMBLE_LENGTH +1;
#ifdef HAVE_COMPRESS
client_flags |= CLIENT_COMPRESS;
#endif /* HAVE_COMPRESS */
***************
*** 268,273 ****
--- 270,277 ----
char *user= (char*) net->read_pos+5;
char *passwd= strend(user)+1;
char *db=0;
+ if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
+ return ER_HANDSHAKE_ERROR;
if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB)
db=strend(passwd)+1;
if (thd->client_capabilities & CLIENT_INTERACTIVE)
I will make a new MySQL release with this fix during this week!
Elias> .Commentary.
Elias> I think this exploit should not be a very scary thing to people that know
Elias> how to secure their servers.
Elias> In practice, there's almost never a need to allow the whole world to connect
Elias> to your SQL server, so that part of the deal should be taken care of.
Elias> As long as your MySQL ACL is secure, this problem doesn't really occur (unless
Elias> your database server doubles as a shell server).
Elias> We have also located several other security bugs in mysql server/client. These
Elias> bugs can only be exploited by users who have a valid username and password.
Elias> We will send these to the mysql maintainers, and hope they'll come
Elias> with a fix soon.
Yes, please send them to me or [email protected] (our internal
developers list).
Regards,
Monty
----- End forwarded message -----
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
