CVE-2012-2122: Security vulnerability in MySQL/MariaDB sql/pa

  • A+
所属分类:WooYun-Zone

原文:

http://seclists.org/oss-sec/2012/q2/493

From: Sergei Golubchik <serg () montyprogram com>

Date: Sat, 9 Jun 2012 17:30:38 +0200

Hi

We have recently found a serious security bug in MariaDB and MySQL.

So, here, we'd like to let you know about what the issue and its impact

is. At the end you can find a patch, in case you need to patch an older

unsuported MySQL version.

All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are

vulnerable.

MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.

MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

This issue got assigned an id CVE-2012-2122.

Here's the issue. When a user connects to MariaDB/MySQL, a token (SHA

over a password and a random scramble string) is calculated and compared

with the expected value. Because of incorrect casting, it might've

happened that the token and the expected value were considered equal,

even if the memcmp() returned a non-zero value. In this case

MySQL/MariaDB would think that the password is correct, even while it is

not.  Because the protocol uses random strings, the probability of

hitting this bug is about 1/256.

Which means, if one knows a user name to connect (and "root" almost

always exists), she can connect using *any* password by repeating

connection attempts. ~300 attempts takes only a fraction of second, so

basically account password protection is as good as nonexistent.

Any client will do, there's no need for a special libmysqlclient library.

But practically it's better than it looks - many MySQL/MariaDB builds

are not affected by this bug.

Whether a particular build of MySQL or MariaDB is vulnerable, depends on

how and where it was built. A prerequisite is a memcmp() that can return

an arbitrary integer (outside of -128..127 range). To my knowledge gcc

builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc

sse-optimized memcmp is not safe, but gcc usually uses the inlined

builtin version.

As far as I know, official vendor MySQL and MariaDB binaries are not

vulnerable.(至少我目前知道的情况是,MySQL and MariaDB官方编译的二进制版本没有这个漏洞)

Regards,

Sergei Golubchik

MariaDB Security Coordinator

References:

MariaDB bug report: https://mariadb.atlassian.net/browse/MDEV-212

MariaDB fix: http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3144

MySQL bug report: http://bugs.mysql.com/bug.php?id=64884

MySQL fix: http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17

MySQL changelog:

  http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html

  http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html

另还有国内分析:

http://weibo.com/1414664021/ynmCN9Uoy

http://weibo.com/1414664021/ynmLF4mOR

虽然看上去利用概率似乎极低,不过喜欢自己搞编译的人是否感觉到已经一身弹孔 -_-||

  1. 1#

    蟋蟀哥哥 (̷ͣ̑̆ͯ̆̋͋̒ͩ͊̋̇̒ͦ̿̐͞҉̷̻̖͎̦̼) | 2012-06-11 13:36

    你妹。。我一般自己编译

  2. 2#

    GaRY | 2012-06-11 14:20

    To my knowledge gcc
    builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
    sse-optimized memcmp is not safe, but gcc usually uses the inlined
    builtin version.

    自己编译也一般没问题,别乱改makefile的cflags就好了。

  3. 3#

    GaRY | 2012-06-11 14:21

    不过这个漏洞的发现思路很有意思,值得推广到各个方面。

  4. 4#

    rayh4c | 2012-06-11 15:14

    https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql

  5. 5#

    PiaCa (ﻬ10wb 求把 PiaCa 改成 piaca) | 2012-06-11 16:39

    能重现这个环境么?编译的时候加上 -fno-builtin 然后安装好只有再看编译参数发现没有这个选项。

  6. 6#

    horseluke (微碌) | 2012-06-11 16:45

    @rayh4c Ubuntu 64-bit中枪真多……看来我低估了……

  7. 7#

    linxinsnow[N.N.U] | 2012-06-11 17:30

    @GaRY 严重同意! 这种漏洞很容易出现在跨平台编程中,比如linux下和win下在标准c库实现上的不同就会出现这样的问题,作为一个研究课题来进行漏洞挖掘,应该有不少好玩的东西

  8. 8#

    鱼化石 (“>’><iframe/src=//g.cn>) | 2012-06-11 17:31

    关注ing

  9. 9#

    g0t3n | 2012-06-11 19:53

    @GaRY 问题的成因貌似是因为sha加密的时候使用了初始化向量,那个算法刚好令到个错误的密码的sha值和正确的密码的sha值相同而造成的?

  10. 10#

    horseluke (微碌) | 2012-06-11 21:34

    @g0t3n 不是。见今早微博的snnn 源代码分析:http://www.sunchangming.com/blog/?p=4260
    @PiaCa ,你要不问问snnn(http://weibo.com/1414664021/ynmBk8mpe )

  11. 11#

    her0ma | 2012-06-11 22:10

    刚按照某网站上的py脚本测试,执行了半天也没成功.
    1/256,貌似要执行N多次才有可能啊.

  12. 12#

    xsser | 2012-06-11 22:27

    @her0ma @horseluke 坐等测试成功案例

  13. 13#

    horseluke (微碌) | 2012-06-11 22:36

    @xsser ,@PiaCa 貌似在ubuntu上用apt安装上测试成功了

  14. 14#

    xsser | 2012-06-11 22:47

    @horseluke 确认么?给个截图吧,如果影响大乌云应该发通告了

  15. 15#

    PiaCa (ﻬ10wb 求把 PiaCa 改成 piaca) | 2012-06-11 23:28

    @xsser 确认啊

  16. 16#

    PiaCa (ﻬ10wb 求把 PiaCa 改成 piaca) | 2012-06-11 23:49

    @xsser http://ww4.sinaimg.cn/large/8fd42c5djw1dtunhew1cdj.jpg

  17. 17#

    horseluke (微碌) | 2012-06-12 01:14

    以下为漏洞测试方法汇总。

    MSF:https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb

    batch(无错误回显):
    $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done

    batch(全部回显):
    $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1>/dev/null; done

    python:
    #!/usr/bin/python
    import subprocess

    while 1:
            subprocess.Popen("mysql -u root mysql --password=blah", shell=True).wait()

    来源:http://www.freebuf.com/vuls/3815.html

  18. 18#

    her0ma | 2012-06-23 15:02

    @horseluke 有木有能成功的mysql版本?我用python脚本测试了很长时间,都没成功.

  19. 19#

    坏虾 (黑阔都被爆菊花~) | 2012-06-25 08:36

    mysql> select @@version;
    +———————+
    | @@version           |
    +———————+
    | 5.5.22-community-nt |
    +———————+
    1 row in set (0.05 sec)

    测试成功

  20. 20#

    _Evil (科普是一种公益行为) | 2012-06-25 13:28

    @all 版本问题解决了,没开外链解决没 。。。

  21. 21#

    紫梦芊 ( ̄. ̄) | 2012-07-10 09:13

    @linxinsnow[N.N.U] 是的 跨平台时常在 编码 位上出现些隐藏问题 只是很多没被人发现或不值得利用而已