Exploit Available for Trivial MySQL Password Bypass

Published: 2012-06-11
Last Updated: 2012-06-11 13:22:10 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

Thanks to Jack for pointing this one out to us. I somehow missed this vulnerability this weekend.

Last week, MySQL fixed an authentication bypass vulnerability that is trivially exploitable [1]. The effect is that a user has a 1/256 chance of being granted access to MySQL even if the password is wrong. In short: brute forcing passwords will always work pretty quickly, even with the wrong password.

The vulnerability does, however, depend on how your instance of MySQL was compiled. Chances are that you are not vulnerable, but just in case, there is a patch available, and it shouldn't be too hard to test. Write a script that attempts the same password many times, and see if you get logged in after a while.

As an additional hardening measure, you may want to consider limiting access by IP address. 
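
Seen from the server side, the repeated wrong-password attempts described above show up as a burst of failures for one account from one host. The following added example (not part of the original diary) counts such bursts in a MySQL error log and estimates, from the 1/256 figure, how likely that many attempts were to be accepted on a vulnerable build. The log line format (error log with `log_warnings=2`), the threshold and the sample lines are assumptions.

```python
import re
from collections import Counter

# Assumed error-log line shape (MySQL 5.x with log_warnings=2); adjust to your build.
DENIED = re.compile(
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: YES\)"
)

P_BYPASS = 1 / 256  # per-attempt chance of a wrong password being accepted (from the diary)


def failed_login_bursts(lines, threshold=50):
    """Return {(user, host): (failures, p_hit)} for pairs at or above threshold.

    p_hit is the chance that at least one of n wrong-password attempts would
    have been accepted on a vulnerable build: 1 - (255/256)**n.
    """
    counts = Counter()
    for line in lines:
        m = DENIED.search(line)
        if m:
            counts[(m["user"], m["host"])] += 1
    return {
        key: (n, 1 - (1 - P_BYPASS) ** n)
        for key, n in counts.items()
        if n >= threshold  # threshold is an assumed tuning value
    }


# Constructed sample log: one noisy client, one user who mistyped twice, one unrelated line.
SAMPLE_LOG = (
    ["120611 13:00:01 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)"] * 300
    + ["120611 13:05:00 [Warning] Access denied for user 'app'@'localhost' (using password: YES)"] * 2
    + ["120611 13:06:00 [Note] Event Scheduler: Loaded 0 events"]
)

if __name__ == "__main__":
    for (user, host), (n, p) in failed_login_bursts(SAMPLE_LOG).items():
        print(f"{user}@{host}: {n} failures, P(accepted on vulnerable build) = {p:.2f}")
```

A flagged pair on an unpatched server is a reason to review what that host did after its last failure, since a successful login leaves no "Access denied" line.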

[1] http://seclists.org/oss-sec/2012/q2/493

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: mysql