|
오늘 linuxtoday.com에서 다음과 같은 메일링 리스트가 올라왔습니다.
There exists a vulnerability in the password checking routines
in the latest versions of the MySQL server, that allows any user
on a host that is allowed to connect to the server, to skip
password authentication, and access databases. For the exploit
to work, a valid username for the mysql server is needed, and
this username must have access to the database server, when
connecting from the attacking host.
위의 기능은 원래 되는 것으로 알고 있었는데 이것이 보안 버그라네요. 무식하면 죽어야지... ^^;
어쨋든 질문 드리고 싶은 것은 MySQL을 제가 잘 사용하질 못하기
때문에 위의 내용이 어떤지 그 진위여부를 모르겠습니다.
설명을 좀 부탁드리구요... 이것에 대해 www.mysql.com 에 찾아가
보았으나 아무런 언급도 없더군요.
과연 심각한 버그인지, 아니면 현상태에서 어떻게 대처할 수 있는지
알려 주셨으면 합니다. MySQL로 지금 간단하게나마 홈페이지와 함께
사용하고 있어서요.
아래에 메일링 보고의 전문을 올립니다.
----------------------------------------
Security Advisory: Remote access vulnerability in all MySQL server versions
Feb 9, 2000, 06:40 UTC (0 Talkbacks) (Other stories by Robert van der Meulen)
Date: Tue, 8 Feb 2000 20:03:32 +0100
From: Robert van der Meulen rvdm@CISTRON.NL
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Remote access vulnerability in all MySQL server versions
Hi,
Below you find a security advisory i wrote concerning a vulnerability found in all (known to me) mysql server versions, including the latest one. As mysql is a widely used sql platform, i strongly advise everyone using it to read it, and fix where appropriate. This email has been bcc'd to the mysql bug list, and other appropriate parties.
Greets, Robert van der Meulen/Emphyrio
.Introduction.
There exists a vulnerability in the password checking routines in the latest versions of the MySQL server, that allows any user on a host that is allowed to connect to the server, to skip password authentication, and access databases. For the exploit to work, a valid username for the mysql server is needed, and this username must have access to the database server, when connecting from the attacking host.
.Vulnerable Systems.
All systems running 3.22.26a and up (tested). Probably all systems running lower versions as well (not tested, not reviewed). All versions are vulnerable on all platforms.
.A snippet of code from the mysql code, explaining password authentication **
>From mysql-3.22.26a/sql/password.c:
/* password checking routines */
/*****************************************************************************
The main idea is that no password are sent between client & server on
connection and that no password are saved in mysql in a decodable form.
On connection a random string is generated and sent to the client.
The client generates a new string with a random generator inited with
the hash values from the password and the sent string.
This 'check' string is sent to the server where it is compared with
a string generated from the stored hash_value of the password and the
random string.
*****************************************************************************/
.More code, and vulnerability explanation.
The problem is, that in the comparison between the 'check' string, and the string generated from the hash_value of the password and the random string, the following code is used (from mysql-3.22.26a/sql/password.c):
while (*scrambled)
{
if (*scrambled++ != (char) (*to++ ^ extra))
return 1; /* Wrong password */
}
'scrambled' represents the 'check' value, and (*to++ ^ extra) walks trough the hash_value.
Suppose a client would send a _single_ character to the server as the 'check' string. Of course the server should notice the check string is not the same length as the check string needed, and give a password error. Because no such checks are done, when a check string of length 1 is passed to the server, only one character is compared. So the only thing that remains to know if we want to peek in someone's MySQL database, is a technique to find out the first character of the server-side check string.
The string that's used for the comparison is generated using some random data, so two following authenticate-actions will probably use different check-strings. After looking at the algorithm, generating the check string, it becomes clear that there are actually only 32 possibilities for each character.
In practice, this means that if you connect, sending one single character as the check string, you will be in in about 32 tries maximum.
.Impact.
Hosts in the access list (by default any host, on a lot of distributions and servers) can connect to the MySQL server, without a password, and access (often sensitive) data _as long as the attacker has a valid username for the database server_. This vulnerability also incorporates a MySQL DoS attack, as the attacker can shutdown database servers and delete data, if she logs in with the MySQL management account.
.Exploit information.
I have an exploit available, but to defer script kiddies i will not release it (yet). Do not ask me for it.
If above explanation is understood, an exploit should be easy enough...
.Fix information.
Change the routine 'check_scramble' in mysql-3.22.26a/sql/password.c to do a length check, _before_ starting the compare. This should be as easy as inserting the following just above the while (*scrambled) loop:
if (strlen(scrambled)!=strlen(to)) {
return 1;
}
WARNING: This is NOT an official fix. You can use this as a temporary solution to the problem. Please check the official mysql site (www.mysql.org) for a fix.
.Commentary.
I think this exploit should not be a very scary thing to people that know how to secure their servers. In practice, there's almost never a need to allow the whole world to connect to your SQL server, so that part of the deal should be taken care of.
As long as your MySQL ACL is secure, this problem doesn't really occur (unless your database server doubles as a shell server).
We have also located several other security bugs in mysql server/client. These bugs can only be exploited by users who have a valid username and password. We will send these to the mysql maintainers, and hope they'll come with a fix soon.
Yours,
Robert van der Meulen/Emphyrio (rvdm@cistron.nl)
Willem Pinckaers (dvorak@synnergy.net
------------------------------------------
|
