4678397 2000-01-14 03:07 /23 lines/ Postmaster
Recipient: Bugtraq (import) <9283>
Subject: New MySQL Available
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Message-ID: <003201bf5dff$09587920$0b01a8c0@digitalanarchy.com>
Date: Thu, 13 Jan 2000 13:47:33 -0600
Reply-To: Scott <romracer@MAIL.UTEXAS.EDU>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Scott <romracer@MAIL.UTEXAS.EDU>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

MySQL 3.22.30 has been released for all available platforms. To quote the CHANGELOG, "Fixed critical problem with the WITH GRANT OPTION option."

Someone can clean up this post but I wanted to get it out there so all of us MySQL and website administrators can get upgraded.

Scott
(4678397) ------------------------------------------(Rewrapped)

4777064 2000-02-09 07:31 /153 lines/ Postmaster
Recipient: Bugtraq (import) <9701>
Subject: Remote access vulnerability in all MySQL server versions
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.0pre4i
Message-ID: <20000208200332.A4727@cistron.nl>
Date: Tue, 8 Feb 2000 20:03:32 +0100
Reply-To: Robert van der Meulen <rvdm@CISTRON.NL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Robert van der Meulen <rvdm@CISTRON.NL>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

Below you find a security advisory I wrote concerning a vulnerability found in all (known to me) mysql server versions, including the latest one.
As mysql is a widely used sql platform, I strongly advise everyone using it to read it, and fix where appropriate. This email has been bcc'd to the mysql bug list, and other appropriate parties.

Greets,
Robert van der Meulen/Emphyrio

.Introduction.

There exists a vulnerability in the password checking routines in the latest versions of the MySQL server, that allows any user on a host that is allowed to connect to the server, to skip password authentication, and access databases. For the exploit to work, a valid username for the mysql server is needed, and this username must have access to the database server, when connecting from the attacking host.

.Vulnerable Systems.

All systems running 3.22.26a and up (tested). Probably all systems running lower versions as well (not tested, not reviewed). All versions are vulnerable on all platforms.

.A snippet of code from the mysql code, explaining password authentication.

** From mysql-3.22.26a/sql/password.c:

/* password checking routines */
/*****************************************************************************
  The main idea is that no password are sent between client & server on
  connection and that no password are saved in mysql in a decodable form.

  On connection a random string is generated and sent to the client.
  The client generates a new string with a random generator inited with
  the hash values from the password and the sent string.
  This 'check' string is sent to the server where it is compared with
  a string generated from the stored hash_value of the password and the
  random string.
  <cut>
*****************************************************************************/

.More code, and vulnerability explanation.
The problem is, that in the comparison between the 'check' string, and the string generated from the hash_value of the password and the random string, the following code is used (from mysql-3.22.26a/sql/password.c):

  while (*scrambled)
  {
    if (*scrambled++ != (char) (*to++ ^ extra))
      return 1;                                     /* Wrong password */
  }

'scrambled' represents the 'check' value, and (*to++ ^ extra) walks through the hash_value.

Suppose a client would send a _single_ character to the server as the 'check' string. Of course the server should notice the check string is not the same length as the check string needed, and give a password error. Because no such checks are done, when a check string of length 1 is passed to the server, only one character is compared.

So the only thing that remains to know if we want to peek in someone's MySQL database, is a technique to find out the first character of the server-side check string. The string that's used for the comparison is generated using some random data, so two following authenticate-actions will probably use different check-strings. After looking at the algorithm generating the check string, it becomes clear that there are actually only 32 possibilities for each character. In practice, this means that if you connect, sending one single character as the check string, you will be in, in about 32 tries maximum.

.Impact.

Hosts in the access list (by default any host, on a lot of distributions and servers) can connect to the MySQL server, without a password, and access (often sensitive) data _as long as the attacker has a valid username for the database server_. This vulnerability also incorporates a MySQL DoS attack, as the attacker can shutdown database servers and delete data, if she logs in with the MySQL management account.

.Exploit information.

I have an exploit available, but to deter script kiddies I will not release it (yet). Do not ask me for it. If above explanation is understood, an exploit should be easy enough...

.Fix information.
Change the routine 'check_scramble' in mysql-3.22.26a/sql/password.c to do a length check, _before_ starting the compare. This should be as easy as inserting the following just above the while (*scrambled) loop:

  if (strlen(scrambled)!=strlen(to))
  {
    return 1;
  }

WARNING: This is NOT an official fix. You can use this as a temporary solution to the problem. Please check the official mysql site (www.mysql.org) for a fix.

.Commentary.

I think this exploit should not be a very scary thing to people that know how to secure their servers. In practice, there's almost never a need to allow the whole world to connect to your SQL server, so that part of the deal should be taken care of. As long as your MySQL ACL is secure, this problem doesn't really occur (unless your database server doubles as a shell server).

We have also located several other security bugs in mysql server/client. These bugs can only be exploited by users who have a valid username and password. We will send these to the mysql maintainers, and hope they'll come with a fix soon.

Yours,
Robert van der Meulen/Emphyrio (rvdm@cistron.nl)
Willem Pinckaers (dvorak@synnergy.net)

--
| rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security          |
| My statements are mine, and not necessarily cistron's.       |
(4777064) ------------------------------------------(Rewrapped)
Comment in text 4777976

4779196 2000-02-09 16:25 /128 lines/ Postmaster
Recipient: Bugtraq (import) <9716>
Marked by 1 person.
Subject: Remote access vulnerability in all MySQL server versions
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20000209071237.C24382@securityfocus.com>
Date: Wed, 9 Feb 2000 07:12:37 -0800
Reply-To: Elias Levy <aleph1@SECURITYFOCUS.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

----- Forwarded message from Michael Widenius <monty@monty.pp.sci.fi> -----

From: Michael Widenius <monty@monty.pp.sci.fi>
Message-ID: <14497.29884.464639.784337@monty.pp.sci.fi>
Date: Wed, 9 Feb 2000 16:07:56 +0200 (EET)
To: Elias Levy <aleph1@securityfocus.com>
Subject: Remote access vulnerability in all MySQL server versions
X-Mailer: VM 6.72 under 21.1 (patch 7) "Biscayne" XEmacs Lucid
Reply-To: monty@tcx.se

Hi!

>>>>> "Elias" == Elias Levy <aleph1@securityfocus.com> writes:

Elias> Hi,
Elias> Below you find a security advisory i wrote concerning a vulnerability found in
Elias> all (known to me) mysql server versions, including the latest one.
Elias> As mysql is a widely used sql platform, i strongly advise everyone using it
Elias> to read it, and fix where appropriate.
Elias> This email has been bcc'd to the mysql bug list, and other appropriate parties.
Elias> Greets,
Elias> Robert van der Meulen/Emphyrio
Elias> .Introduction.
Elias> There exists a vulnerability in the password checking routines in the latest
Elias> versions of the MySQL server, that allows any user on a host that is allowed
Elias> to connect to the server, to skip password authentication, and access databases.
Elias> For the exploit to work, a valid username for the mysql server is needed, and
Elias> this username must have access to the database server, when connecting from
Elias> the attacking host.

<cut>

Thanks to for finding this!

The official patch to fix this follows:

*** /my/monty/master/mysql-3.23.10-alpha/sql/sql_parse.cc Sun Jan 30 10:42:42 2000 --- ./sql_parse.cc Wed Feb 9 16:05:49 2000 *************** *** 17,22 **** --- 17,24 ---- #include <m_ctype.h> #include <thr_alarm.h> + #define SCRAMBLE_LENGTH 8 + extern int yyparse(void); extern quot;Cquot; pthread_mutex_t THR_LOCK_keycache; *************** *** 188,195 **** end=strmov(buff,server_version)+1; int4store((uchar*) end,thd->thread_id); end+=4; ! memcpy(end,thd->scramble,9); ! end+=9; #ifdef HAVE_COMPRESS client_flags |= CLIENT_COMPRESS; #endif /* HAVE_COMPRESS */ --- 190,197 ---- end=strmov(buff,server_version)+1; int4store((uchar*) end,thd->thread_id); end+=4; ! memcpy(end,thd->scramble,SCRAMBLE_LENGTH+1); ! end+=SCRAMBLE_LENGTH +1; #ifdef HAVE_COMPRESS client_flags |= CLIENT_COMPRESS; #endif /* HAVE_COMPRESS */ *************** *** 268,273 **** --- 270,277 ---- char *user= (char*) net->read_pos+5; char *passwd= strend(user)+1; char *db=0; + if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH) + return ER_HANDSHAKE_ERROR; if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB) db=strend(passwd)+1; if (thd->client_capabilities & CLIENT_INTERACTIVE)

I will make a new MySQL release with this fix during this week!

Elias> .Commentary.
Elias> I think this exploit should not be a very scary thing to people that know
Elias> how to secure their servers.
Elias> In practice, there's almost never a need to allow the whole world to connect
Elias> to your SQL server, so that part of the deal should be taken care of.
Elias> As long as your MySQL ACL is secure, this problem doesn't really occur (unless
Elias> your database server doubles as a shell server).
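Review bot: The `#define SCRAMBLE_LENGTH 8` added in the first sql_parse.cc hunk (lines 17,22) is private to this file, while the scramble is generated and compared in sql/password.c; if the length is ever changed there, the new handshake check and the copy below will silently disagree with it. Suggest putting the constant in a header both files include, so there is one definition of the scramble length.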
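Review bot: The second hunk (lines 188,195) only swaps the literal 9 for `SCRAMBLE_LENGTH+1` in `memcpy(end,thd->scramble,SCRAMBLE_LENGTH+1);` and `end+=SCRAMBLE_LENGTH +1;`, so behaviour is unchanged; the `+1` is the terminating NUL of thd->scramble being sent along with it and deserves a one-line comment saying so, and the spacing should be the same in both lines (`SCRAMBLE_LENGTH+1`).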
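Review bot: The new check in the third hunk (lines 268,273), `if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH) return ER_HANDSHAKE_ERROR;`, rejects a short reply at the protocol layer, but check_scramble in password.c still stops comparing at the end of the client-supplied string, so any other caller of that routine stays exposed; the length check the advisory proposes inside check_scramble would be cheap defence in depth. The `passwd[0] &&` guard also exempts an empty reply from the length check; state the reason in a comment (presumably accounts with no password set), otherwise a reader will assume the exemption is an oversight.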
Elias> We have also located several other security bugs in mysql server/client. These
Elias> bugs can only be exploited by users who have a valid username and password.
Elias> We will send these to the mysql maintainers, and hope they'll come
Elias> with a fix soon.

Yes, please send them to me or mysql_all@mysql.com (our internal developers list).

Regards,
Monty

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
(4779196) ------------------------------------------(Rewrapped)

4797003 2000-02-14 18:57 /60 lines/ Postmaster
Recipient: Bugtraq (import) <9754>
Subject: MySQL 3.22.32 released (fwd)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.BSO.4.21.0002141636590.27495-100000@birdie.sekure.net>
Date: Mon, 14 Feb 2000 16:37:45 +0100
Reply-To: Jonas Eriksson <je@SEKURE.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Jonas Eriksson <je@SEKURE.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

--
Jonas Eriksson
je@sekure.net

---------- Forwarded message ----------
Date: Mon, 14 Feb 2000 15:02:46 +0200 (EET)
From: Michael Widenius <monty@monty.pp.sci.fi>
Reply-To: monty@tcx.se
To: announce@lists.mysql.com
Subject: MySQL 3.22.32 released

Hi!

MySQL 3.22.32 fixes a couple of possible security holes in MySQL 3.22 and we strongly recommend everyone to upgrade to it.

Changes in release 3.22.32
--------------------------

   * Fixed problem when storing numbers in timestamps.
   * Fix problem with timezones that have half hour offsets.
   * `mysqlhotcopy' - fast on-line hot-backup utility for local *MySQL* databases. By Tim Bunce.
   * New more secure `mysqlaccess'; Thanks to Steve Harvey for this.
   * Fixed security problem in the protocol regarding password checking.
   * Fixed problem that affected queries that did arithmetic on GROUP functions.
   * Fixed a bug in the `ISAM' code when deleting rows on tables with packed indexes.

3.23.x will be released within a couple of days (We only have to check that the new CHECK and REPAIR commands work properly before doing a release).

Note that if you get a file not found error when trying to download, this just means that the mirror you are using is not yet up to date; in this case wait a couple of hours and try again.

Regards,
Monty
(4797003) ------------------------------------------(Rewrapped)
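The defect described in the advisory above and the length check that closes it, as an added C example that is not MySQL's code: a comparison loop bounded by the client-supplied reply beside one that verifies the length before comparing. The function names, the 8-byte scramble length and the sample values are constructed for illustration, and the `extra` XOR from the real routine is omitted.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the advisory's defect, not MySQL's code.  The
 * server holds the scramble it expects ("to"); the client sends its
 * reply ("scrambled").  The real routine also XORs *to with an 'extra'
 * byte; that detail is omitted here. */
#define SCRAMBLE_LENGTH 8

/* Unchecked form: the loop stops at the end of the CLIENT's string, so a
 * reply shorter than the scramble is only compared up to its own length.
 * Returns 1 for "wrong password", 0 for "accepted", like the original. */
static int check_scramble_unchecked(const char *scrambled, const char *to)
{
    while (*scrambled) {
        if (*scrambled++ != *to++)
            return 1;
    }
    return 0;
}

/* Hardened form: refuse any reply that is not exactly SCRAMBLE_LENGTH
 * bytes before comparing, then compare all SCRAMBLE_LENGTH bytes so the
 * amount compared is never under the client's control. */
static int check_scramble_hardened(const char *scrambled, const char *to)
{
    if (strlen(scrambled) != SCRAMBLE_LENGTH || strlen(to) != SCRAMBLE_LENGTH)
        return 1;
    return memcmp(scrambled, to, SCRAMBLE_LENGTH) != 0;
}

/* Returns 1 when a one-byte reply whose single byte happens to match is
 * accepted by the unchecked routine but rejected by the hardened one. */
int truncated_reply_slips_through(void)
{
    const char *expected  = "abcdefgh";  /* constructed server-side scramble */
    const char *truncated = "a";         /* constructed one-byte client reply */
    return check_scramble_unchecked(truncated, expected) == 0 &&
           check_scramble_hardened(truncated, expected) == 1;
}

int main(void)
{
    printf("one-byte reply accepted by unchecked compare, rejected by hardened: %s\n",
           truncated_reply_slips_through() ? "yes" : "no");
    return 0;
}
```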