MySQL Unauthenticated Remote Access Vulnerability

A vulnerability exists in the password verification scheme utilized by MySQL. This vulnerability will allow any user on a machine that has been granted access to connect to the database to connect as any user to that database. Instead of having to know an account name and password, the attacker need only know a legitimate account name. Versions from 3.22.26a and above are all vulnerable. Prior versions may too be vulnerable; this has not been confirmed.

The flaw lies in the fact that the server uses a string returned by the client to iterate through a comparison, without verifying the string it is using is of sufficient length.
while (*scrambled)
{
if (*scrambled++ != (char) (*to++ ^ extra))
return 1; /* Wrong password */
}

scrambled is a string returned by the client. If a user returns a single character as the value for the scrambled variable, only one byte will be compared to the expected password. So long as this one character matches, MySQL will authenticate the user, and allow them to access the database. According to details provided by the poster of this vulnerability, this will take at most 32 tries.


 

Privacy Statement
Copyright 2010, SecurityFocus