Security vulnerability in MySQL/MariaDB sql/password.c
来源:互联网 发布:建立数据库的表结构 编辑:程序博客网 时间:2024/06/07 02:22
转载地址:http://seclists.org/oss-sec/2012/q2/493
Security vulnerability in MySQL/MariaDB sql/password.c
From: Sergei Golubchik <serg () montyprogram com>
Date: Sat, 9 Jun 2012 17:30:38 +0200
HiWe have recently found a serious security bug in MariaDB and MySQL.So, here, we'd like to let you know about what the issue and its impactis. At the end you can find a patch, in case you need to patch an olderunsuported MySQL version.All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 arevulnerable.MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.This issue got assigned an id CVE-2012-2122.Here's the issue. When a user connects to MariaDB/MySQL, a token (SHAover a password and a random scramble string) is calculated and comparedwith the expected value. Because of incorrect casting, it might'vehappened that the token and the expected value were considered equal,even if the memcmp() returned a non-zero value. In this caseMySQL/MariaDB would think that the password is correct, even while it isnot. Because the protocol uses random strings, the probability ofhitting this bug is about 1/256.Which means, if one knows a user name to connect (and "root" almostalways exists), she can connect using *any* password by repeatingconnection attempts. ~300 attempts takes only a fraction of second, sobasically account password protection is as good as nonexistent. Any client will do, there's no need for a special libmysqlclient library.But practically it's better than it looks - many MySQL/MariaDB buildsare not affected by this bug.Whether a particular build of MySQL or MariaDB is vulnerable, depends onhow and where it was built. A prerequisite is a memcmp() that can returnan arbitrary integer (outside of -128..127 range). To my knowledge gccbuiltin memcmp is safe, BSD libc memcmp is safe. Linux glibcsse-optimized memcmp is not safe, but gcc usually uses the inlinedbuiltin version.As far as I know, official vendor MySQL and MariaDB binaries are notvulnerable.Regards,Sergei GolubchikMariaDB Security CoordinatorReferences:MariaDB bug report: https://mariadb.atlassian.net/browse/MDEV-212MariaDB fix: http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3144MySQL bug report: http://bugs.mysql.com/bug.php?id=64884MySQL fix: http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17MySQL changelog: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
- Security vulnerability in MySQL/MariaDB sql/password.c
- Simple Machines Forum Change Administrator Password Security Bypass Vulnerability
- Security in MySQL
- MySQL/MariaDB SQL操作笔记
- CORE SECURITY TECHNOLOGIES DISCOVERS CRITICAL VULNERABILITY IN VMWARE´S DESKTOP VIRTUALIZATION
- Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)
- MySQL&&MariaDB打开sql日志功能
- Recover lost root password in mysql
- MySQL: Change root password in Mac
- FoosunCMS Sql Injection Vulnerability
- Mysql charset Truncation vulnerability
- Mysql charset Truncation vulnerability
- get password in terminal by C
- PHP cURL 'safe mode' Security Bypass Vulnerability
- Struts 2 Security Vulnerability - Dynamic Method Invocation
- Managing Password Security & Resources
- firefox password security
- PostgreSQL password security
- HTML页面元素加载顺序研究报告
- WHY CQRS and EVENT SOURCING
- iphone ios 如何创建缩率图
- 程序员进阶之道—稳中求进
- android4.0.3下编译framework/base/policy
- Security vulnerability in MySQL/MariaDB sql/password.c
- 希尔排序问题
- js注入测试器
- centos 安装g++
- 黑马程序员_java基础知识学习总结一
- Console命令详解,让调试js代码变得更简单
- Objective-C中的@property和@synthesize用法
- java回调函数
- UIImageView和UIImage,CGContextRef 的一些知识点
