Security vulnerability in MySQL/MariaDB sql/password.c

最新推荐文章于 2025-11-24 15:00:59 发布

转载最新推荐文章于 2025-11-24 15:00:59 发布 · 1.2k 阅读

文章标签：

#security #mysql #casting #random #report #patch

Security 同时被 2 个专栏收录

39 篇文章

订阅专栏

DBMS

23 篇文章

订阅专栏

在 MySQL 和 MariaDB 的早期版本中发现了一个严重安全漏洞，该漏洞可能导致密码验证失败，允许攻击者使用任意密码登录。此问题出现在 sql/password.c 文件中，涉及 SHA 哈希和随机字符串比对的不正确处理。官方已发布补丁。

转载地址:http://seclists.org/oss-sec/2012/q2/493

Security vulnerability in MySQL/MariaDB sql/password.c

From: Sergei Golubchik <serg () montyprogram com>
Date: Sat, 9 Jun 2012 17:30:38 +0200

Hi

We have recently found a serious security bug in MariaDB and MySQL.
So, here, we'd like to let you know about what the issue and its impact
is. At the end you can find a patch, in case you need to patch an older
unsuported MySQL version.

All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are
vulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

This issue got assigned an id CVE-2012-2122.

Here's the issue. When a user connects to MariaDB/MySQL, a token (SHA
over a password and a random scramble string) is calculated and compared
with the expected value. Because of incorrect casting, it might've
happened that the token and the expected value were considered equal,
even if the memcmp() returned a non-zero value. In this case
MySQL/MariaDB would think that the password is correct, even while it is
not.  Because the protocol uses random strings, the probability of
hitting this bug is about 1/256.

Which means, if one knows a user name to connect (and "root" almost
always exists), she can connect using *any* password by repeating
connection attempts. ~300 attempts takes only a fraction of second, so
basically account password protection is as good as nonexistent. 
Any client will do, there's no need for a special libmysqlclient library.

But practically it's better than it looks - many MySQL/MariaDB builds
are not affected by this bug.

Whether a particular build of MySQL or MariaDB is vulnerable, depends on
how and where it was built. A prerequisite is a memcmp() that can return
an arbitrary integer (outside of -128..127 range). To my knowledge gcc
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
sse-optimized memcmp is not safe, but gcc usually uses the inlined
builtin version.

As far as I know, official vendor MySQL and MariaDB binaries are not
vulnerable.

Regards,
Sergei Golubchik
MariaDB Security Coordinator

References:

MariaDB bug report: https://mariadb.atlassian.net/browse/MDEV-212
MariaDB fix: http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3144

MySQL bug report: http://bugs.mysql.com/bug.php?id=64884
MySQL fix: http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17
MySQL changelog:
  http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
  http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html