Date: Wed, 9 Feb 2000 07:12:37 -0800
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
Subject: Remote access vulnerability in all MySQL server versions
To: BUGTRAQ@SECURITYFOCUS.COM

----- Forwarded message from Michael Widenius <monty@monty.pp.sci.fi> -----

From: Michael Widenius <monty@monty.pp.sci.fi>
Message-ID: <14497.29884.464639.784337@monty.pp.sci.fi>
Date: Wed, 9 Feb 2000 16:07:56 +0200 (EET)
To: Elias Levy <aleph1@securityfocus.com>
Subject: Remote access vulnerability in all MySQL server versions
X-Mailer: VM 6.72 under 21.1 (patch 7) "Biscayne" XEmacs Lucid
Reply-To: monty@tcx.se

Hi!

>>>>> "Elias" == Elias Levy <aleph1@securityfocus.com> writes:

Elias> Hi,

Elias> Below you find a security advisory I wrote concerning a vulnerability found in
Elias> all (known to me) mysql server versions, including the latest one.
Elias> As mysql is a widely used sql platform, I strongly advise everyone using it
Elias> to read it, and fix where appropriate.
Elias> This email has been bcc'd to the mysql bug list, and other appropriate parties.

Elias> Greets,
Elias> Robert van der Meulen/Emphyrio

Elias> .Introduction.

Elias> There exists a vulnerability in the password checking routines in the latest
Elias> versions of the MySQL server, that allows any user on a host that is allowed
Elias> to connect to the server, to skip password authentication, and access databases.
Elias> For the exploit to work, a valid username for the mysql server is needed, and
Elias> this username must have access to the database server, when connecting from
Elias> the attacking host.

<cut>

Thanks to for finding this!
The official patch to fix this follows:

*** /my/monty/master/mysql-3.23.10-alpha/sql/sql_parse.cc Sun Jan 30 10:42:42 2000 --- ./sql_parse.cc Wed Feb 9 16:05:49 2000 *************** *** 17,22 **** --- 17,24 ---- #include <m_ctype.h> #include <thr_alarm.h> + #define SCRAMBLE_LENGTH 8 + extern int yyparse(void); extern "C" pthread_mutex_t THR_LOCK_keycache; *************** *** 188,195 **** end=strmov(buff,server_version)+1; int4store((uchar*) end,thd->thread_id); end+=4; ! memcpy(end,thd->scramble,9); ! end+=9; #ifdef HAVE_COMPRESS client_flags |= CLIENT_COMPRESS; #endif /* HAVE_COMPRESS */ --- 190,197 ---- end=strmov(buff,server_version)+1; int4store((uchar*) end,thd->thread_id); end+=4; ! memcpy(end,thd->scramble,SCRAMBLE_LENGTH+1); ! end+=SCRAMBLE_LENGTH +1; #ifdef HAVE_COMPRESS client_flags |= CLIENT_COMPRESS; #endif /* HAVE_COMPRESS */ *************** *** 268,273 **** --- 270,277 ---- char *user= (char*) net->read_pos+5; char *passwd= strend(user)+1; char *db=0; + if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH) + return ER_HANDSHAKE_ERROR; if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB) db=strend(passwd)+1; if (thd->client_capabilities & CLIENT_INTERACTIVE)

I will make a new MySQL release with this fix during this week!

Elias> .Commentary.

Elias> I think this exploit should not be a very scary thing to people that know
Elias> how to secure their servers.
Elias> In practice, there's almost never a need to allow the whole world to connect
Elias> to your SQL server, so that part of the deal should be taken care of.
Elias> As long as your MySQL ACL is secure, this problem doesn't really occur (unless
Elias> your database server doubles as a shell server).

Elias> We have also located several other security bugs in mysql server/client. These
Elias> bugs can only be exploited by users who have a valid username and password.
Elias> We will send these to the mysql maintainers, and hope they'll come
Elias> with a fix soon.
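Review bot: the new `#define SCRAMBLE_LENGTH 8` in the first hunk (lines 17,22) is private to sql_parse.cc, yet the buffer it describes, `thd->scramble`, is filled elsewhere and copied in the second hunk, so the scramble length is now stated in two places that can drift apart; move the define into a shared header that both the scramble generation and this file include, so the length check in the third hunk and the handshake packet always agree.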
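Review bot: in the second hunk (lines 188,195) `memcpy(end,thd->scramble,SCRAMBLE_LENGTH+1)` and `end+=SCRAMBLE_LENGTH +1` replace the literal 9 with no behaviour change, but the `+1` silently assumes `thd->scramble` carries a terminating NUL at index SCRAMBLE_LENGTH; add a comment stating that invariant where the buffer is declared or filled, and make the spacing consistent between `SCRAMBLE_LENGTH+1` and `SCRAMBLE_LENGTH +1`.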
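Review bot: in the third hunk (lines 268,273) the new check `if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH) return ER_HANDSHAKE_ERROR;` is only as safe as the NUL termination of the packet behind `net->read_pos`, because `strend(user)+1`, `strlen(passwd)` and the later `strend(passwd)+1` all scan until a NUL with no bound against the packet length; either document that the network layer guarantees a terminating NUL or bound the scan by the remaining packet length. Also add a comment that `passwd[0]` being zero intentionally skips the length check for the empty-password case, so a later reader does not mistake that branch for an oversight.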
Yes, please send them to me or mysql_all@mysql.com (our internal developers list).

Regards,
Monty

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/