Thursday, January 27, 2022

Simple MySQL Exploit allows hackers to connect with ease


A new MySQL and MariaDB authentication bypass exploit has been found by MariaDB security coordinator Sergei Golubchik. The bypass has already been seen being used in the wild.

“When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might’ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256,” Golubchik says.
The bypass is performed by repeatedly attempting to connect with the username “root” and an arbitrary password; after enough attempts the attacker is granted complete access to the databases. “~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent,” wrote Golubchik.
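The incorrect cast Golubchik describes, shown as an added C illustration that is not code from MySQL or MariaDB: a constructed stand-in comparison function (wide_memcmp) models an optimised memcmp() whose return value is not confined to a single byte, and my_bool is MySQL's one-byte boolean type. Narrowing such a result into my_bool turns any non-zero multiple of 256 into 0, so a wrong token is accepted; normalising to 0/1 first closes the hole.

```c
#include <stddef.h>

typedef char my_bool;               /* MySQL's one-byte boolean type */
#define SCRAMBLE_LENGTH 20          /* length of the SHA1-based auth token */

/* Constructed stand-in for an optimised memcmp(): it returns the difference
   of the first differing 16-bit big-endian words, so the result can be a
   non-zero multiple of 256 (real libc implementations may also do this). */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i + 1 < n; i += 2) {
        int wx = (x[i] << 8) | x[i + 1];
        int wy = (y[i] << 8) | y[i + 1];
        if (wx != wy)
            return wx - wy;
    }
    return (n & 1) ? (int)x[n - 1] - (int)y[n - 1] : 0;
}

/* Vulnerable pattern: the int result is narrowed straight into my_bool,
   so e.g. -256 silently becomes 0, which the caller reads as "match". */
static my_bool token_mismatch_vulnerable(const unsigned char *expected,
                                         const unsigned char *received)
{
    return wide_memcmp(expected, received, SCRAMBLE_LENGTH);
}

/* Fixed pattern: collapse the result to 0/1 before it is narrowed. */
static my_bool token_mismatch_fixed(const unsigned char *expected,
                                    const unsigned char *received)
{
    return wide_memcmp(expected, received, SCRAMBLE_LENGTH) != 0;
}

/* Returns 1 when the vulnerable check accepts a wrong token that the
   fixed check rejects. Tokens are constructed: they differ only in byte 0. */
int demo_bypass(void)
{
    unsigned char expected[SCRAMBLE_LENGTH] = {0x01, 0x42};
    unsigned char wrong[SCRAMBLE_LENGTH]    = {0x02, 0x42};
    /* wide_memcmp gives 0x0142 - 0x0242 = -256, whose low byte is 0 */
    return token_mismatch_vulnerable(expected, wrong) == 0 &&
           token_mismatch_fixed(expected, wrong) != 0;
}
```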

MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are vulnerable, so users should apply the MariaDB and MySQL patches immediately.

He also said that one of the Metasploit contributors has written a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password hashes, making it possible to access the database with the cracked hashes even after the flaw is patched.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
