A new MySQL and MariaDB Authentication bypass exploit has been found by MariaDB security coordinator Sergei Golubchik. They have already been seeing this particular bypass being used in the wild.
“When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might’ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256,”
Golubchik says.
The bypass is done by attempting to use a random password with the username “root” and after X amount of attempts gives the attacker complete access to the databases.[pullquote]”~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent,” wrote Golubchik.[/pullquote]
MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 and are vulnerable, so users should implement the patch (MariaDB, MySQL) immediately.
He also said that among the Metasploit contributors has made a threaded brute-force module that abuses the authentication bypass fault to automatically dump the password database, making it possible to access the database applying the cracked password hashes even if the fault is patched.
