- 积分
- 313
- UID
- 7988
- 阅读权限
- 150
- 注册时间
- 2010-9-8
- 精华
- 在线时间
- 小时
- 最后登录
- 1970-1-1
- 职业
- 1
|
|
本帖最后由 hm3030 于 2012-6-12 09:50 编辑
We have recently found a serious security bug in MariaDB and MySQL.So, here, we'd like to let you know about what the issue and its impactis. At the end you can find a patch, in case you need to patch an olderunsuported MySQL version.
All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 arevulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
This issue got assigned an id CVE-2012-2122.
Here's the issue. When a user connects to MariaDB/MySQL, a token (SHAover a password and a random scramble string) is calculated and comparedwith the expected value. Because of incorrect casting, it might'vehappened that the token and the expected value were considered equal,even if the memcmp() returned a non-zero value. In this caseMySQL/MariaDB would think that the password is correct, even while it isnot. Because the protocol uses random strings, the probability ofhitting this bug is about 1/256.
Which means, if one knows a user name to connect (and "root" almostalways exists), she can connect using *any* password by repeatingconnection attempts. ~300 attempts takes only a fraction of second, sobasically account password protection is as good as nonexistent. Any client will do, there's no need for a special libmysqlclient library.
But practically it's better than it looks - many MySQL/MariaDB buildsare not affected by this bug.
Whether a particular build of MySQL or MariaDB is vulnerable, depends onhow and where it was built. A prerequisite is a memcmp() that can returnan arbitrary integer (outside of -128..127 range). To my knowledge gccbuiltin memcmp is safe, BSD libc memcmp is safe. Linux glibcsse-optimized memcmp is not safe, but gcc usually uses the inlined builtin version.
As far as I know, official vendor MySQL and MariaDB binaries are notvulnerable.
Regards,
Sergei Golubchik
MariaDB Security Coordinator
References:
MariaDB bug report: https://mariadb.atlassian.net/browse/MDEV-212
MariaDB fix: http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3144
MySQL bug report: http://bugs.mysql.com/bug.php?id=64884
MySQL fix: http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17
MySQL changelog: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
本文章引用:http://seclists.org/oss-sec/2012/q2/493
可以简单用下面方法测试:
for i in `seq 1 2000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
详细参考: https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
|
|
|申请友链|小黑屋|Archiver|手机版|MySQL社区
( 京ICP备07012489号 ) 
IP卡
狗仔卡
发表于 2012-6-12 09:44:22
QQ好友和群
QQ空间
腾讯微博
腾讯朋友
微信
收藏
淘帖
顶
踩
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡
发表于 2012-6-12 14:16:31
发表于 2012-6-12 14:43:01
楼主