| 2014-03-07 21:43:47 |
Vincent Kéravec |
description |
After installing the auth_socket plugin all users might get root access to the web server.
How to replicate the bug:
install mysql with a clean database
Run the following query in the database
install plugin auth_socket soname "auth_socket.so";
update user set plugin='auth_socket' where user='root';
drop user 'root'@'::1';
drop user ''@'::localhost';
drop user ''@'localhost';
drop user ''@'localhost.localdomain';
drop user 'root'@'localhost.localdomain';
flush privileges;
You should now be able to login as root only when your unix username match root.
The problem is that with this setup a normal user without a mysql user can login to the database as root.
When running mysql from a user that should not have access to the database I get the following:
mysql> select user(),current_user();
+----------------+----------------+
| user() | current_user() |
+----------------+----------------+
| vike@localhost | root@127.0.0.1 |
+----------------+----------------+
1 row in set (0.00 sec)
There seems to be a bug with some variable not being initialised properly.
Here is what I got while trying to understand what is happening:
The system first try to login with the correct user and an empty password.
This fail so the system pick a random user (which is the root user in this case) and set the flag make_it_fail.
The system then check the next authentication plugin.
The test for auth plugin succeed since the username sent to MySQL is the same as the user logged on the server.
MySQL then go to give access to the server to this user with the authenticated_as still set by the previous failed login.
Here is a dump of mpvio in this case:
$55 = {<st_plugin_vio> = {
read_packet = 0x6832f0 <server_mpvio_read_packet(MYSQL_PLUGIN_VIO*, uchar**)>,
write_packet = 0x6797d0 <server_mpvio_write_packet(MYSQL_PLUGIN_VIO*, uchar const*, int)>,
info = 0x678250 <server_mpvio_info(MYSQL_PLUGIN_VIO*, MYSQL_PLUGIN_VIO_INFO*)>},
auth_info = {user_name = 0x7f27a4004c40 "vike", user_name_length = 4,
auth_string = 0x7f27a4004d90 "", auth_string_length = 0,
authenticated_as = "root", '\000' <repeats 44 times>,
external_user = '\000' <repeats 511 times>, password_used = 2,
host_or_ip = 0xb73ab8 "localhost", host_or_ip_length = 9},
acl_user = 0x7f27a4004c70, plugin = 0x21fdd60, db = {
str = 0x7f27a4004c30 "", length = 0},
cached_client_reply = {plugin = 0x278f506 "mysql_native_password", pkt = 0x12e9628 "", pkt_len = 0},
cached_server_packet = { pkt = 0x7f27a4004a10 "#(?DyTvvmA<I9~4%[}#4", pkt_len = 21},
packets_read = 1,
packets_written = 1,
make_it_fail = true,
status = MPVIO_EXT::FAILURE,
client_capabilities = 8365701,
scramble = 0x2677184 "#(?DyTvvmA<I9~4%[}#4",
mem_root = 0x26786c0,
rand = 0x2675648,
thread_id = 14,
server_status = 0x2677114,
net = 0x2675270,
max_client_packet_length = 16777216,
ip = 0xbf65bf "",
host = 0xb73ab8 "localhost",
charset_adapter = 0x7f27c3d46710,
acl_user_plugin = {str = 0x7f27a4004de0 "auth_socket", length = 11},
vio_is_encrypted = 0}
The user is then connected to the server as root.
An easy fix is to define authenticated_as in auth_socket.c. |
After installing the auth_socket plugin all local users might get root access to the mysql server.
How to replicate the bug:
install mysql with a clean database
Run the following query in the database
install plugin auth_socket soname "auth_socket.so";
update user set plugin='auth_socket' where user='root';
drop user 'root'@'::1';
drop user ''@'::localhost';
drop user ''@'localhost';
drop user ''@'localhost.localdomain';
drop user 'root'@'localhost.localdomain';
flush privileges;
You should now be able to login as root only when your unix username match root.
The problem is that with this setup a normal user without a mysql user can login to the database as root.
When running mysql from a user that should not have access to the database I get the following:
mysql> select user(),current_user();
+----------------+----------------+
| user() | current_user() |
+----------------+----------------+
| vike@localhost | root@127.0.0.1 |
+----------------+----------------+
1 row in set (0.00 sec)
There seems to be a bug with some variable not being initialised properly.
Here is what I got while trying to understand what is happening:
The system first try to login with the correct user and an empty password.
This fail so the system pick a random user (which is the root user in this case) and set the flag make_it_fail.
The system then check the next authentication plugin.
The test for auth plugin succeed since the username sent to MySQL is the same as the user logged on the server.
MySQL then go to give access to the server to this user with the authenticated_as still set by the previous failed login.
Here is a dump of mpvio in this case:
$55 = {<st_plugin_vio> = {
read_packet = 0x6832f0 <server_mpvio_read_packet(MYSQL_PLUGIN_VIO*, uchar**)>,
write_packet = 0x6797d0 <server_mpvio_write_packet(MYSQL_PLUGIN_VIO*, uchar const*, int)>,
info = 0x678250 <server_mpvio_info(MYSQL_PLUGIN_VIO*, MYSQL_PLUGIN_VIO_INFO*)>},
auth_info = {user_name = 0x7f27a4004c40 "vike", user_name_length = 4,
auth_string = 0x7f27a4004d90 "", auth_string_length = 0,
authenticated_as = "root", '\000' <repeats 44 times>,
external_user = '\000' <repeats 511 times>, password_used = 2,
host_or_ip = 0xb73ab8 "localhost", host_or_ip_length = 9},
acl_user = 0x7f27a4004c70, plugin = 0x21fdd60, db = {
str = 0x7f27a4004c30 "", length = 0},
cached_client_reply = {plugin = 0x278f506 "mysql_native_password", pkt = 0x12e9628 "", pkt_len = 0},
cached_server_packet = { pkt = 0x7f27a4004a10 "#(?DyTvvmA<I9~4%[}#4", pkt_len = 21},
packets_read = 1,
packets_written = 1,
make_it_fail = true,
status = MPVIO_EXT::FAILURE,
client_capabilities = 8365701,
scramble = 0x2677184 "#(?DyTvvmA<I9~4%[}#4",
mem_root = 0x26786c0,
rand = 0x2675648,
thread_id = 14,
server_status = 0x2677114,
net = 0x2675270,
max_client_packet_length = 16777216,
ip = 0xbf65bf "",
host = 0xb73ab8 "localhost",
charset_adapter = 0x7f27c3d46710,
acl_user_plugin = {str = 0x7f27a4004de0 "auth_socket", length = 11},
vio_is_encrypted = 0}
The user is then connected to the server as root.
An easy fix is to define authenticated_as in auth_socket.c. |
|
