Nmap Development: NSE: mysql-vuln-cve2012-2122 - Authentication bypass in MySQL and MariaDB servers up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22

[Paulino Calderon <paulino () calderonpale com>]

Hi list,
This weekend another critical vulnerability for MySQL and MariaDB 
servers was posted in seclists.org:
http://seclists.org/oss-sec/2012/q2/493

I guess this is still a draft since I haven't looked into including 
MariaDB in this script and there is more information that can be 
extracted from MySQL with this bug. All feedback is appreciated!

description = [[
Attempts to bypass authentication in MySQL and MariaDB servers by 
exploiting CVE2012-2122. If its vulnerable, it will also attempt to dump 
the MySQL usernames and passwords. All MariaDB and MySQL versions up to 
5.1.61, 5.2.11, 5.3.5, 5.5.22 are
vulnerable but depending if memcmp() returns an arbitrary integer 
outside of -128..127 range.
"When a user connects to MariaDB/MySQL, a token (SHA
over a password and a random scramble string) is calculated and compared
with the expected value. Because of incorrect casting, it might've
happened that the token and the expected value were considered equal,
even if the memcmp() returned a non-zero value. In this case
MySQL/MariaDB would think that the password is correct, even while it is
not.  Because the protocol uses random strings, the probability of
hitting this bug is about 1/256.
Which means, if one knows a user name to connect (and "root" almost
always exists), she can connect using *any* password by repeating
connection attempts. ~300 attempts takes only a fraction of second, so
basically account password protection is as good as nonexistent."

Original public advisory:
* http://seclists.org/oss-sec/2012/q2/493
]]

--
-- @output
-- PORT     STATE SERVICE REASON
-- 3306/tcp open  mysql   syn-ack
-- | mysql-vuln-cve2012-2122:
-- |   VULNERABLE:
-- |   Authentication bypass in MySQL servers.
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2012-2122
-- |     Description:
-- |       When a user connects to MariaDB/MySQL, a token (SHA
-- |       over a password and a random scramble string) is calculated 
and compared
-- |       with the expected value. Because of incorrect casting, it 
might've
-- |       happened that the token and the expected value were 
considered equal,
-- |       even if the memcmp() returned a non-zero value. In this case
-- |       MySQL/MariaDB would think that the password is correct, even 
while it is
-- |       not.  Because the protocol uses random strings, the 
probability of
-- |       hitting this bug is about 1/256.
-- |       Which means, if one knows a user name to connect (and "root" 
almost
-- |       always exists), she can connect using *any* password by repeating
-- |       connection attempts. ~300 attempts takes only a fraction of 
second, so
-- |       basically account password protection is as good as nonexistent.
-- |     Disclosure date: 2012-06-9
-- |     Extra information:
-- |       Server granted access at iteration #204
-- |     root:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
-- |     debian-sys-maint:*BDA9386EE35F7F326239844C185B01E3912749BF
-- |     phpmyadmin:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
-- |     References:
-- |       
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
-- |       http://seclists.org/oss-sec/2012/q2/493
-- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
--
-- @args mysql-cve2012-2122.user MySQL username. Default: root.
-- @args mysql-cve2012-2122.iterations Connection retries. Default: 1000.
-- @args mysql-cve2012-2122.socket_timeout Socket timeout. Default: 5000.
---



Cheers.

Attachment: mysql-vuln-cve2012-2122.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/