Home page logo

bugtraq logo Bugtraq mailing list archives

Remote access vulnerability in all MySQL server versions
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Wed, 9 Feb 2000 07:12:37 -0800

----- Forwarded message from Michael Widenius <monty () monty pp sci fi> -----

From: Michael Widenius <monty () monty pp sci fi>
Message-ID: <14497.29884.464639.784337 () monty pp sci fi>
Date: Wed, 9 Feb 2000 16:07:56 +0200 (EET)
To: Elias Levy <aleph1 () securityfocus com>
Subject: Remote access vulnerability in all MySQL server versions
X-Mailer: VM 6.72 under 21.1 (patch 7) "Biscayne" XEmacs Lucid
Reply-To: monty () tcx se


"Elias" == Elias Levy <aleph1 () securityfocus com> writes:

Elias> Hi,

Elias> Below you find a security advisory i wrote concerning a vulnerability found in
Elias> all (known to me) mysql server versions, including the latest one.
Elias> As mysql is a widely used sql platform, i strongly advise everyone using it
Elias> to read it, and fix where appropriate.
Elias> This email has been bcc'd to the mysql bug list, and other appropriate parties.

Elias> Greets,
Elias>  Robert van der Meulen/Emphyrio

Elias> .Introduction.

Elias> There exists a vulnerability in the password checking routines in the latest
Elias> versions of the MySQL server, that allows any user on a host that is allowed
Elias> to connect to the server, to skip password authentication, and access databases.
Elias> For the exploit to work, a valid username for the mysql server is needed, and
Elias> this username must have access to the database server, when connecting from
Elias> the attacking host.


Thanks to for finding this!

The official patch to fix this follows:

*** /my/monty/master/mysql-3.23.10-alpha/sql/sql_parse.cc       Sun Jan 30 10:42:42 2000
--- ./sql_parse.cc      Wed Feb  9 16:05:49 2000
*** 17,22 ****
--- 17,24 ----
  #include <m_ctype.h>
  #include <thr_alarm.h>

  extern int yyparse(void);
  extern "C" pthread_mutex_t THR_LOCK_keycache;

*** 188,195 ****
      int4store((uchar*) end,thd->thread_id);
!     memcpy(end,thd->scramble,9);
!     end+=9;
      client_flags |= CLIENT_COMPRESS;
  #endif /* HAVE_COMPRESS */
--- 190,197 ----
      int4store((uchar*) end,thd->thread_id);
!     memcpy(end,thd->scramble,SCRAMBLE_LENGTH+1);
!     end+=SCRAMBLE_LENGTH +1;
      client_flags |= CLIENT_COMPRESS;
  #endif /* HAVE_COMPRESS */
*** 268,273 ****
--- 270,277 ----
    char *user=   (char*) net->read_pos+5;
    char *passwd= strend(user)+1;
    char *db=0;
+   if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
+     return ER_HANDSHAKE_ERROR;
    if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB)
    if (thd->client_capabilities & CLIENT_INTERACTIVE)

I will make a new MySQL release with this fix during this week!

Elias> .Commentary.

Elias> I think this exploit should not be a very scary thing to people that know
Elias> how to secure their servers.

Elias> In practice, there's almost never a need to allow the whole world to connect
Elias> to your SQL server, so that part of the deal should be taken care of.
Elias> As long as your MySQL ACL is secure, this problem doesn't really occur (unless
Elias> your database server doubles as a shell server).

Elias> We have also located several other security bugs in mysql server/client. These
Elias> bugs can only be exploited by users who have a valid username and password.
Elias> We will send these to the mysql maintainers, and hope they'll come
Elias> with a fix soon.

Yes, please send them to me or mysql_all () mysql com (our internal
developers list).


----- End forwarded message -----

Elias Levy

  By Date           By Thread  

Current thread:
  • Remote access vulnerability in all MySQL server versions Elias Levy (Feb 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]