Authentication bypass if auth_socket installed
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Percona Server moved to https://jira.percona.com/projects/PS | Fix Released | Critical | Sergei Glushchenko | |
5.5 | Fix Released | Critical | Sergei Glushchenko | |
5.6 | Fix Released | Critical | Sergei Glushchenko | |
Bug Description
After installing the auth_socket plugin all local users might get root access to the mysql server.
How to replicate the bug:
Install MySQL with a clean database.
Run the following query in the database:
install plugin auth_socket soname "auth_socket.so";
update user set plugin=
drop user 'root'@'::1';
drop user ''@'::localhost';
drop user ''@'localhost';
drop user ''@'localhost.
drop user 'root'@
flush privileges;
You should now be able to log in as root only when your Unix username matches root.
The problem is that with this setup a normal user without a MySQL user can log in to the database as root.
When running mysql from a user that should not have access to the database I get the following:
mysql> select user(),
+------
| user() | current_user() |
+------
| vike@localhost | root@127.0.0.1 |
+------
1 row in set (0.00 sec)
There seems to be a bug with some variable not being initialised properly.
Here is what I got while trying to understand what is happening:
The system first tries to log in with the correct user and an empty password.
This fails, so the system picks a random user (which is the root user in this case) and sets the flag make_it_fail.
The system then checks the next authentication plugin.
The test for the auth plugin succeeds since the username sent to MySQL is the same as the user logged on the server.
MySQL then goes on to give access to the server to this user with the authenticated_as still set by the previous failed login.
Here is a dump of mpvio in this case:
$55 = {<st_plugin_vio> = {
read_packet = 0x6832f0 <server_
write_packet = 0x6797d0 <server_
info = 0x678250 <server_
auth_info = {user_name = 0x7f27a4004c40 "vike", user_name_length = 4,
auth_string = 0x7f27a4004d90 "", auth_string_length = 0,
authenticat
external_user = '\000' <repeats 511 times>, password_used = 2,
host_or_ip = 0xb73ab8 "localhost", host_or_ip_length = 9},
acl_user = 0x7f27a4004c70, plugin = 0x21fdd60, db = {
str = 0x7f27a4004c30 "", length = 0},
cached_client_reply = {plugin = 0x278f506 "mysql_
cached_
packets_read = 1,
packets_written = 1,
make_it_fail = true,
status = MPVIO_EXT::FAILURE,
client_capabilities = 8365701,
scramble = 0x2677184 "#(?DyTvvmA<
mem_root = 0x26786c0,
rand = 0x2675648,
thread_id = 14,
server_status = 0x2677114,
net = 0x2675270,
max_client_
ip = 0xbf65bf "",
host = 0xb73ab8 "localhost",
charset_adapter = 0x7f27c3d46710,
acl_user_plugin = {str = 0x7f27a4004de0 "auth_socket", length = 11},
vio_is_encrypted = 0}
The user is then connected to the server as root.
An easy fix is to define authenticated_as in auth_socket.c.
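The stale-state flow described in the report, as an added C model that is not Percona Server code and not part of the original report. `select_account`, `socket_auth`, `login`, the `record_identity` switch and the one-entry account table are hypothetical; only the field names `user_name`, `authenticated_as` and `make_it_fail` come from the dump, and the failed empty-password attempt is folded into `select_account`.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Percona Server code. Field names follow the dump. */
struct auth_info {
    const char *user_name;       /* name sent by the client */
    char authenticated_as[64];   /* account the session will run as */
    int make_it_fail;            /* set when no account matched user_name */
};

static int account_exists(const char *name) {
    return strcmp(name, "root") == 0;   /* constructed table: only root */
}

/* Server side: with no matching account, a stand-in account (root, as in the
   report) is selected and its name is left in authenticated_as. */
static void select_account(struct auth_info *info) {
    info->make_it_fail = !account_exists(info->user_name);
    snprintf(info->authenticated_as, sizeof info->authenticated_as, "%s",
             info->make_it_fail ? "root" : info->user_name);
}

/* Socket plugin: accepts when the client-supplied name equals the Unix peer
   name. With record_identity == 0 it leaves authenticated_as untouched. */
static int socket_auth(struct auth_info *info, const char *peer, int record_identity) {
    if (strcmp(info->user_name, peer) != 0) return 0;
    if (record_identity)
        snprintf(info->authenticated_as, sizeof info->authenticated_as, "%s", peer);
    return 1;
}

/* Returns the session account, or NULL when the login is denied.
   make_it_fail is set but never consulted here, as in the reported flow. */
static const char *login(struct auth_info *info, const char *user_name,
                         const char *peer, int record_identity) {
    info->user_name = user_name;
    select_account(info);
    if (!socket_auth(info, peer, record_identity)) return NULL;
    return account_exists(info->authenticated_as) ? info->authenticated_as : NULL;
}

int main(void) {
    struct auth_info a, b, c;
    const char *r;
    r = login(&a, "vike", "vike", 0); printf("stale state: %s\n", r ? r : "denied");
    r = login(&b, "vike", "vike", 1); printf("plugin sets: %s\n", r ? r : "denied");
    r = login(&c, "root", "root", 1); printf("root peer:   %s\n", r ? r : "denied");
    return 0;
}
```

When the plugin records the identity it verified, the later account lookup runs against `vike` rather than the leftover `root`, so the login is denied.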
Related branches
- Laurynas Biveinis (community): Approve
- Diff: 113 lines (+75/-0), 6 files modified
  - mysql-test/include/have_socket_auth_plugin.inc (+22/-0)
  - mysql-test/include/plugin.defs (+1/-0)
  - mysql-test/r/percona_bug1289599.result (+12/-0)
  - mysql-test/t/percona_bug1289599-master.opt (+1/-0)
  - mysql-test/t/percona_bug1289599.test (+33/-0)
  - sql/sql_acl.cc (+6/-0)
- Laurynas Biveinis (community): Approve
- Diff: 130 lines (+92/-0), 6 files modified
  - mysql-test/include/have_socket_auth_plugin.inc (+22/-0)
  - mysql-test/include/plugin.defs (+1/-0)
  - mysql-test/r/percona_bug1289599.result (+13/-0)
  - mysql-test/t/percona_bug1289599-master.opt (+1/-0)
  - mysql-test/t/percona_bug1289599.test (+49/-0)
  - sql/sql_acl.cc (+6/-0)
description: updated
information type: Private Security → Private
information type: Private → Private Security
information type: Private Security → Public Security
When trying to reproduce this bug in the Oracle version of MySQL, the socket_auth function is not called and the user is denied access.
So this bug only affects Percona software. This bug exists in both versions 5.5 and 5.6.