MySQL Authentication Bypass Vulnerability

Bug #22412 reported by William Maddler
Affects: mysql-dfsg-4.1 (Ubuntu)
Status: Invalid
Importance: High
Assigned to: Martin Pitt

Bug Description

From the SecurityFocus advisory:
"MySQL is prone to a vulnerability that may permit remote clients to bypass
authentication.
This is due to a logic error in the server when handling client-supplied length
values for password strings.
Successful exploitation will yield unauthorized access to the database.
This issue is known to exist in MySQL 4.1 releases prior to 4.1.3 and MySQL 5.0."

MySQL 4.0.24 supplied with Ubuntu is prone to this vulnerability, as well as the
latest 4.1.14 downloadable from www.mysql.com

http://www.securityfocus.com/bid/10654/info
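The flaw as the advisory words it (a logic error in handling the client-supplied length of the password string) and as the comments below locate it (check_scramble_323()), modelled as an added example. This is not MySQL's code and not the attached script: hash_password(), Rand323 and scramble_323() approximate the pre-4.1 scramble algorithm and their exact details are an assumption, the challenge string and account password are constructed, and the two check functions are this example's own names. What the model shows is the part that matters: a comparison loop driven by the length of the client's response accepts an empty response, and a server-side length check closes that.

```python
"""Model of the pre-4.1 ("323") MySQL challenge/response and the
length-handling flaw.  Added example: not MySQL's code and not the attached
exploit.  hash_password/Rand323/scramble_323 approximate the old password.c
algorithm (exact details are an assumption; the behaviour shown does not
depend on them).  The flaw is in the comparison, which is driven by the
length of the *client-supplied* scrambled string."""

MAX_VALUE = 0x3FFFFFFF          # modulus of the old MySQL PRNG
SCRAMBLE_LENGTH_323 = 8         # challenge / response length in this scheme
MASK32 = 0xFFFFFFFF


def hash_password(text: str) -> tuple[int, int]:
    """Two 31-bit words; the server stores these for each account."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in text:
        if ch in " \t":
            continue
        c = ord(ch)
        nr = (nr ^ ((((nr & 63) + add) * c) + ((nr << 8) & MASK32))) & MASK32
        nr2 = (nr2 + (((nr2 << 8) & MASK32) ^ nr)) & MASK32
        add += c
    return nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF


class Rand323:
    """Small LCG seeded from (password hash XOR challenge hash)."""

    def __init__(self, seed1: int, seed2: int) -> None:
        self.seed1 = seed1 % MAX_VALUE
        self.seed2 = seed2 % MAX_VALUE

    def next(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def _keystream(n: int, message: str, hash_pass: tuple[int, int]) -> tuple[bytes, int]:
    """Expected bytes for an n-byte response, plus the final XOR byte.  Note
    that n, not the challenge length, decides how many bytes are produced."""
    hm = hash_password(message)
    rnd = Rand323(hash_pass[0] ^ hm[0], hash_pass[1] ^ hm[1])
    expected = bytes(int(rnd.next() * 31) + 64 for _ in range(n))
    extra = int(rnd.next() * 31)
    return expected, extra


def scramble_323(message: str, password: str) -> bytes:
    """Client side: answer the server's challenge (empty password -> empty answer)."""
    if not password:
        return b""
    expected, extra = _keystream(len(message), message, hash_password(password))
    return bytes(b ^ extra for b in expected)


def _matches(scrambled: bytes, message: str, hash_pass: tuple[int, int]) -> bool:
    """The comparison as the advisory describes it: sized by the client's
    string.  all() over zero pairs is True, so b"" is accepted."""
    expected, extra = _keystream(len(scrambled), message, hash_pass)
    return all(got == (want ^ extra) for got, want in zip(scrambled, expected))


def check_scramble_323_vulnerable(scrambled: bytes, message: str,
                                  hash_pass: tuple[int, int]) -> bool:
    """Server side without any length check."""
    return _matches(scrambled, message, hash_pass)


def check_scramble_323_fixed(scrambled: bytes, message: str,
                             hash_pass: tuple[int, int]) -> bool:
    """Hardened form: the server decides the length.  Anything that is not
    exactly SCRAMBLE_LENGTH_323 bytes is rejected before a byte is compared."""
    if len(scrambled) != SCRAMBLE_LENGTH_323 or len(message) != SCRAMBLE_LENGTH_323:
        return False
    return _matches(scrambled, message, hash_pass)


if __name__ == "__main__":
    challenge = "3Lk2Rm9b"                      # constructed 8-byte server challenge
    stored = hash_password("s3cret")            # constructed account password
    good = scramble_323(challenge, "s3cret")
    print("valid response, vulnerable:", check_scramble_323_vulnerable(good, challenge, stored))
    print("empty response, vulnerable:", check_scramble_323_vulnerable(b"", challenge, stored))
    print("empty response, fixed:     ", check_scramble_323_fixed(b"", challenge, stored))
```

The check that matters is the one in check_scramble_323_fixed(): the expected length comes from the server's own constant, and the client's length is only ever compared against it, never used to size the work. A client with an empty password legitimately sends an empty response, so the account's stored hash, not the response length, has to decide whether an empty answer is acceptable.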

Revision history for this message
Martin Pitt (pitti) wrote :

(In reply to comment #0)

> MySQL 4.0.24 supplied with Ubuntu is prone to this vulnerability, as well as the
> latest 4.1.14 downloadable from www.mysql.com

I checked the 4.0.x sources, and it does not even contain the
check_scramble_323() function where the actual flaw is. Also, all advisories
mention that 4.1 onward is vulnerable, not 4.0. Upstream fixed it in 5.0 and
4.1, but there is no patch for 4.0.

So where did you learn that 4.0 is vulnerable? Did you run the exploit?

William Maddler (mbrazof) wrote :

Created an attachment (id=4082)
mysql exploit

The script connects to MySQL and attempts to log in using a zero-length
password.
Based on the vuln found by NGSSecurity.

William Maddler (mbrazof) wrote :

I launched the attached exploit both against 4.0.24 and 4.1.14 and in both cases
I was able to gain access to db.

maddler@cariatide:~$ perl ./mysql-auth-bypass.pl antani localhost
Using default MySQL port (3306)
Received greeting:
00000000 54 00 00 00 FF 6A 04 23 48 59 30 30 30 48 6F 73
00000010 74 20 27 6C 6F 63 61 6C 68 6F 73 74 2E 6C 6F 63
00000020 61 6C 64 6F 6D 61 69 6E 27 20 69 73 20 6E 6F 74
00000030 20 61 6C 6C 6F 77 65 64 20 74 6F 20 63 6F 6E 6E
00000040 65 63 74 20 74 6F 20 74 68 69 73 20 4D 79 53 51
00000050 4C 20 73 65 72 76 65 72

Sending caps packet:
00000000 3C 00 00 01 85 A6 03 00 00 00 00 01 08 00 00 00
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000020 00 00 00 00 61 6E 74 61 6E 69 00 14 00 00 00 00
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000040

Received reply:
00000000
Received OK reply, authentication successful!!

Martin Pitt (pitti) wrote :

Thanks for checking; I looked into this issue, will fix it as soon as I find
that patch in the chaotic mysql BK.

Martin Pitt (pitti) wrote :

*** Bug 22722 has been marked as a duplicate of this bug. ***

Martin Pitt (pitti) wrote :

For the record, updated packages are prepared, but the exploit still claims to
be successful, even against the latest 4.1 package where this was fixed long
ago. It seems the exploit is broken, but to be sure I'm currently discussing
this with the Debian maintainer and security team.

Christian Hammers (ch) wrote :

(In reply to comment #3)
> I launched the attached exploit both against 4.0.24 and 4.1.14 and in both cases
> I was able to gain access to db.
...
> Received reply:
> 00000000
> Received OK reply, authentication successful!!

As Sean Finney from Debian noted in
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330164
you apparently did not gain access to the db but just received
an empty receive buffer with an exit code of 0 because the server
terminated the connection.

As we are now unsure whether this bug has to be fixed in 3.23 and 4.0, I would
like to know if you really could get access to the server?

thanks,

-christian- (Debian maintainer of MySQL)
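To see for oneself why the script's reading of the exchange is wrong, here is an added example (not the attached exploit and not code from the thread) that decodes the two hexdumps in the report, copied in as byte strings, next to a constructed real handshake and a constructed OK packet. Decoded this way, the bytes the script printed as the "greeting" begin with 0xFF and are an ERR packet (error 1130, "Host 'localhost.localdomain' is not allowed to connect to this MySQL server"), i.e. the server refused the host before any credentials were examined; the "caps packet", read with the 4.1 handshake-response layout, carries a 20-byte all-zero auth response after the username rather than a zero-length one; and the "reply" of zero bytes is a closed socket, which is what the comment above says. All function and constant names are this example's own.

```python
"""Decode what the MySQL server actually said.  Added example, not the
attached exploit: GREETING_FROM_REPORT and CAPS_FROM_REPORT are the two
hexdumps pasted from the bug report; HANDSHAKE and OK_PACKET are constructed
to show what a real greeting and a real success reply look like."""
import struct

CLIENT_PROTOCOL_41 = 0x00000200   # capability bit: 4.1-style handshake response

# Copied from the report's "Received greeting" hexdump.
GREETING_FROM_REPORT = bytes.fromhex(
    "54 00 00 00 FF 6A 04 23 48 59 30 30 30 48 6F 73 "
    "74 20 27 6C 6F 63 61 6C 68 6F 73 74 2E 6C 6F 63 "
    "61 6C 64 6F 6D 61 69 6E 27 20 69 73 20 6E 6F 74 "
    "20 61 6C 6C 6F 77 65 64 20 74 6F 20 63 6F 6E 6E "
    "65 63 74 20 74 6F 20 74 68 69 73 20 4D 79 53 51 "
    "4C 20 73 65 72 76 65 72 "
)

# Copied from the report's "Sending caps packet" hexdump.
CAPS_FROM_REPORT = bytes.fromhex(
    "3C 00 00 01 85 A6 03 00 00 00 00 01 08 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 61 6E 74 61 6E 69 00 14 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
)


def packet(seq: int, payload: bytes) -> bytes:
    """Wrap a payload in the 3-byte little-endian length + 1-byte sequence header."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed: protocol-10 greeting (version string, thread id, 8-byte
# challenge, filler) and an OK packet (affected rows, insert id, status, warnings).
HANDSHAKE = packet(0, b"\x0a" + b"4.1.14\x00" + (42).to_bytes(4, "little")
                   + b"abcdefgh" + b"\x00")
OK_PACKET = packet(2, b"\x00\x00\x00\x02\x00\x00\x00")


def read_packet(data: bytes) -> tuple[int, bytes]:
    """Return (sequence id, payload); refuse short or truncated packets."""
    if len(data) < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(data[:3], "little")
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError(f"truncated payload: want {length}, have {len(payload)}")
    return data[3], payload


def classify_server_reply(data: bytes) -> dict:
    """What the bytes mean to a client.  Only an OK packet means authenticated."""
    if not data:
        # Zero bytes read: the server closed the socket.  The exploit took
        # this (plus its own exit code of 0) for success; nothing was granted.
        return {"kind": "CLOSED", "authenticated": False}
    seq, p = read_packet(data)
    if not p:
        return {"kind": "UNKNOWN", "authenticated": False, "seq": seq}
    first = p[0]
    if first == 0x00:
        return {"kind": "OK", "authenticated": True, "seq": seq}
    if first == 0xFF:
        code = int.from_bytes(p[1:3], "little")
        body = p[3:]
        sqlstate = None
        if body[:1] == b"#":                      # 4.1 servers prefix '#' + SQLSTATE
            sqlstate, body = body[1:6].decode("ascii"), body[6:]
        return {"kind": "ERR", "authenticated": False, "seq": seq, "code": code,
                "sqlstate": sqlstate, "message": body.decode("latin-1")}
    if first == 0xFE and len(p) < 9:
        return {"kind": "EOF", "authenticated": False, "seq": seq}
    if first == 0x0A:                             # protocol version 10: a real greeting
        version = p[1:p.index(b"\x00", 1)].decode("ascii")
        return {"kind": "HANDSHAKE", "authenticated": False, "seq": seq,
                "server_version": version}
    return {"kind": "UNKNOWN", "authenticated": False, "seq": seq}


def parse_auth_response41(data: bytes) -> dict:
    """Decode a 4.1-style HandshakeResponse far enough to see the password answer:
    caps(4) max_packet(4) charset(1) reserved(23) user NUL auth_len(1) auth."""
    seq, p = read_packet(data)
    caps, max_packet, charset = struct.unpack_from("<IIB", p, 0)
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("not a 4.1-style handshake response")
    off = 4 + 4 + 1 + 23
    end = p.index(b"\x00", off)
    user = p[off:end].decode("latin-1")
    off = end + 1
    auth_len = p[off]
    auth = p[off + 1:off + 1 + auth_len]
    if len(auth) != auth_len:
        raise ValueError("auth response shorter than its declared length")
    return {"seq": seq, "caps": caps, "max_packet": max_packet,
            "charset": charset, "user": user, "auth": auth}


if __name__ == "__main__":
    for label, raw in [("report 'greeting'", GREETING_FROM_REPORT), ("report 'reply'", b""),
                       ("real greeting", HANDSHAKE), ("real OK", OK_PACKET)]:
        print(f"{label}: {classify_server_reply(raw)}")
    print("report's client packet:", parse_auth_response41(CAPS_FROM_REPORT))
```

Used as a harness for any such script, the rule is simple: treat only a parsed OK packet as success, and treat an ERR packet before the handshake response has even been sent as the end of the test, since the server never got as far as check_scramble_323().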

Martin Pitt (pitti) wrote :

Apparently the exploit is utterly flawed and the investigations have shown that
the vulnerability most probably does not exist. This needs further
investigations with upstream.

Martin Pitt (pitti) wrote :

Nobody was actually able to get unauthorized access, so I close this now.
