Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: NSE: mysql-vuln-cve2012-2122 - Authentication bypass in MySQL and MariaDB servers up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22
From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 11 Jun 2012 02:30:09 -0600

On 06/11/2012 02:26 AM, Paulino Calderon wrote:
Hi list,
This weekend another critical vulnerability for MySQL and MariaDB servers was posted in seclists.org:
http://seclists.org/oss-sec/2012/q2/493

I guess this is still a draft since I haven't looked into including MariaDB in this script and there is more information that can be extracted from MySQL with this bug. All feedback is appreciated!


description = [[
Attempts to bypass authentication in MySQL and MariaDB servers by exploiting CVE2012-2122. If its vulnerable, it will also attempt to dump the MySQL usernames and passwords. All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable but depending if memcmp() returns an arbitrary integer outside of -128..127 range.

"When a user connects to MariaDB/MySQL, a token (SHA
over a password and a random scramble string) is calculated and compared
with the expected value. Because of incorrect casting, it might've
happened that the token and the expected value were considered equal,
even if the memcmp() returned a non-zero value. In this case
MySQL/MariaDB would think that the password is correct, even while it is
not.  Because the protocol uses random strings, the probability of
hitting this bug is about 1/256.
Which means, if one knows a user name to connect (and "root" almost
always exists), she can connect using *any* password by repeating
connection attempts. ~300 attempts takes only a fraction of second, so
basically account password protection is as good as nonexistent."

Original public advisory:
* http://seclists.org/oss-sec/2012/q2/493
]]

--
-- @output
-- PORT     STATE SERVICE REASON
-- 3306/tcp open  mysql   syn-ack
-- | mysql-vuln-cve2012-2122:
-- |   VULNERABLE:
-- |   Authentication bypass in MySQL servers.
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2012-2122
-- |     Description:
-- |       When a user connects to MariaDB/MySQL, a token (SHA
-- | over a password and a random scramble string) is calculated and compared -- | with the expected value. Because of incorrect casting, it might've -- | happened that the token and the expected value were considered equal,
-- |       even if the memcmp() returned a non-zero value. In this case
-- | MySQL/MariaDB would think that the password is correct, even while it is -- | not. Because the protocol uses random strings, the probability of
-- |       hitting this bug is about 1/256.
-- | Which means, if one knows a user name to connect (and "root" almost -- | always exists), she can connect using *any* password by repeating -- | connection attempts. ~300 attempts takes only a fraction of second, so -- | basically account password protection is as good as nonexistent.
-- |     Disclosure date: 2012-06-9
-- |     Extra information:
-- |       Server granted access at iteration #204
-- |     root:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
-- |     debian-sys-maint:*BDA9386EE35F7F326239844C185B01E3912749BF
-- |     phpmyadmin:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
-- |     References:
-- | https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
-- |       http://seclists.org/oss-sec/2012/q2/493
-- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
--
-- @args mysql-cve2012-2122.user MySQL username. Default: root.
-- @args mysql-cve2012-2122.iterations Connection retries. Default: 1000.
-- @args mysql-cve2012-2122.socket_timeout Socket timeout. Default: 5000.
---



Cheers.


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
I was looking at the different vuln states in the "vulns" library and forgot to revert the script. Here is the correct version.

Cheers!

Attachment: mysql-vuln-cve2012-2122.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]