MariaDB社区

 找回密码
 注册

QQ登录

只需一步,快速开始

搜索
查看: 4499|回复: 3
打印 上一主题 下一主题

[MariaDB] MySQL/MariaDB 安全漏洞

[复制链接]
跳转到指定楼层
1#
发表于 2012-6-12 09:44:22 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
本帖最后由 hm3030 于 2012-6-12 09:50 编辑

We have recently found a serious security bug in MariaDB and MySQL.So, here, we'd like to let you know about what the issue and its impactis. At the end you can find a patch, in case you need to patch an olderunsuported MySQL version.

All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 arevulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

This issue got assigned an id CVE-2012-2122.

Here's the issue. When a user connects to MariaDB/MySQL, a token (SHAover a password and a random scramble string) is calculated and comparedwith the expected value. Because of incorrect casting, it might'vehappened that the token and the expected value were considered equal,even if the memcmp() returned a non-zero value. In this caseMySQL/MariaDB would think that the password is correct, even while it isnot.  Because the protocol uses random strings, the probability ofhitting this bug is about 1/256.

Which means, if one knows a user name to connect (and "root" almostalways exists), she can connect using *any* password by repeatingconnection attempts. ~300 attempts takes only a fraction of second, sobasically account password protection is as good as nonexistent. Any client will do, there's no need for a special libmysqlclient library.

But practically it's better than it looks - many MySQL/MariaDB buildsare not affected by this bug.

Whether a particular build of MySQL or MariaDB is vulnerable, depends onhow and where it was built. A prerequisite is a memcmp() that can returnan arbitrary integer (outside of -128..127 range). To my knowledge gccbuiltin memcmp is safe, BSD libc memcmp is safe. Linux glibcsse-optimized memcmp is not safe, but gcc usually uses the inlined builtin version.
As far as I know, official vendor MySQL and MariaDB  binaries are notvulnerable.

Regards,
Sergei Golubchik
MariaDB Security Coordinator

References:

MariaDB bug report: https://mariadb.atlassian.net/browse/MDEV-212
MariaDB fix: http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3144

MySQL bug report: http://bugs.mysql.com/bug.php?id=64884
MySQL fix: http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17
MySQL changelog:  http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
                              http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html


本文章引用:http://seclists.org/oss-sec/2012/q2/493

可以简单用下面方法测试:
for i in `seq 1 2000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done

详细参考: https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql  







分享到:  QQ好友和群QQ好友和群 QQ空间QQ空间 腾讯微博腾讯微博 腾讯朋友腾讯朋友
收藏收藏 转播转播 分享分享 分享淘帖 顶1 踩
2#
发表于 2012-6-12 14:16:31 | 只看该作者
适当的来点中文呗...
3#
发表于 2012-6-12 14:43:01 | 只看该作者
进不去吧。5.1和5.5都测试过了。

评分

1

查看全部评分

4#
 楼主| 发表于 2012-6-12 15:17:52 | 只看该作者
这个安全漏洞只有在自己编译的时使用了优化了的GCC才会出现:Linux glibcsse-optimized memcmp is not safe, but gcc usually uses the inlined builtin version.
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|Archiver|小黑屋|手机版|MariaDB社区 ( 京ICP备07012489号    |
业务联系: QQ:48474881; 邮箱: 48474881@qq.com; 电话:13911732319
声明:本站部分文章是网友转载,若未经作者同意或署名有误,请联系网站管理员。

GMT+8, 2024-11-25 09:59 , Processed in 0.119776 second(s), 22 queries .

Powered by Discuz! X3.2

© 2001-2013 Comsenz Inc.

快速回复 返回顶部 返回列表