Nmap Development mailing list archives
Re: NSE: mysql-vuln-cve2012-2122 - Authentication bypass in MySQL and MariaDB servers up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22
From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 11 Jun 2012 02:30:09 -0600
On 06/11/2012 02:26 AM, Paulino Calderon wrote:
> I was looking at the different vuln states in the "vulns" library and forgot to revert the script. Here is the correct version.
>
> Hi list,
>
> This weekend another critical vulnerability for MySQL and MariaDB servers was posted in seclists.org:
> http://seclists.org/oss-sec/2012/q2/493
>
> I guess this is still a draft since I haven't looked into including MariaDB in this script and there is more information that can be extracted from MySQL with this bug. All feedback is appreciated!
>
> description = [[
> Attempts to bypass authentication in MySQL and MariaDB servers by exploiting CVE-2012-2122. If it's vulnerable, it will also attempt to dump the MySQL usernames and passwords.
>
> All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable, but only depending on whether memcmp() returns an arbitrary integer outside of the -128..127 range.
>
> "When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256. Which means, if one knows a user name to connect (and "root" almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent."
>
> Original public advisory:
> * http://seclists.org/oss-sec/2012/q2/493
> ]]
>
> --
> -- @output
> -- PORT     STATE SERVICE REASON
> -- 3306/tcp open  mysql   syn-ack
> -- | mysql-vuln-cve2012-2122:
> -- |   VULNERABLE:
> -- |   Authentication bypass in MySQL servers.
> -- |     State: VULNERABLE
> -- |     IDs:  CVE:CVE-2012-2122
> -- |     Description:
> -- |       When a user connects to MariaDB/MySQL, a token (SHA
> -- |       over a password and a random scramble string) is calculated and compared
> -- |       with the expected value. Because of incorrect casting, it might've
> -- |       happened that the token and the expected value were considered equal,
> -- |       even if the memcmp() returned a non-zero value. In this case
> -- |       MySQL/MariaDB would think that the password is correct, even while it is
> -- |       not. Because the protocol uses random strings, the probability of
> -- |       hitting this bug is about 1/256.
> -- |       Which means, if one knows a user name to connect (and "root" almost
> -- |       always exists), she can connect using *any* password by repeating
> -- |       connection attempts. ~300 attempts takes only a fraction of second, so
> -- |       basically account password protection is as good as nonexistent.
> -- |     Disclosure date: 2012-06-9
> -- |     Extra information:
> -- |       Server granted access at iteration #204
> -- |       root:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
> -- |       debian-sys-maint:*BDA9386EE35F7F326239844C185B01E3912749BF
> -- |       phpmyadmin:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
> -- |     References:
> -- |       https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
> -- |       http://seclists.org/oss-sec/2012/q2/493
> -- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
> --
> -- @args mysql-cve2012-2122.user MySQL username. Default: root.
> -- @args mysql-cve2012-2122.iterations Connection retries. Default: 1000.
> -- @args mysql-cve2012-2122.socket_timeout Socket timeout. Default: 5000.
> ---
>
> Cheers.
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
Cheers!
Attachment:
mysql-vuln-cve2012-2122.nse
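The cast the quoted advisory describes, as an added illustration that is not code from the NSE script or from MySQL: memcmp()'s int result is returned through MySQL's my_bool (a char), so a non-zero difference outside -128..127 can be narrowed to 0 and read as a match. The function names and the memcmp() results fed in are constructed for this example; the corrected comparison sits beside the flawed one.

```c
#include <stdio.h>
#include <string.h>

/* In the affected MySQL builds my_bool was a typedef for char; an 8-bit
 * char is assumed here. */
typedef char my_bool;

/* Flawed pattern: memcmp()'s int result is returned as a my_bool, which
 * silently narrows it to 8 bits. A difference that is a multiple of 256
 * (256, -512, ...) becomes 0, i.e. "the tokens are equal". */
static my_bool token_mismatch_vulnerable(int memcmp_result)
{
    return memcmp_result;   /* implicit int -> char truncation */
}

/* Fixed pattern: collapse the result to 0/1 before it is narrowed, so any
 * non-zero difference survives as a mismatch regardless of its magnitude. */
static my_bool token_mismatch_fixed(int memcmp_result)
{
    return memcmp_result != 0;
}

/* Count the non-zero memcmp() results in [lo, hi] that the flawed check
 * would accept as a match. Results inside -128..127 are never affected,
 * which is why the advisory ties the bug to memcmp() implementations
 * that return values outside that range. */
static int false_matches(int lo, int hi)
{
    int n = 0;
    for (int r = lo; r <= hi; r++)
        if (r != 0 && token_mismatch_vulnerable(r) == 0)
            n++;
    return n;
}

int main(void)
{
    /* Constructed case: a memcmp() that reported a difference of 256. */
    printf("memcmp result 256 -> vulnerable: %d, fixed: %d\n",
           token_mismatch_vulnerable(256), token_mismatch_fixed(256));
    printf("results in -128..127 wrongly accepted: %d\n",
           false_matches(-128, 127));
    printf("results in -1024..1024 wrongly accepted: %d\n",
           false_matches(-1024, 1024));
    return 0;
}
```

With a random scramble the narrowed difference is spread over all 256 byte values, which is where the advisory's roughly 1/256 success rate per attempt comes from.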