sql/password.c 中存在安全缺陷,导致概率性任意密码登 MySQL/MariaDB。
CVE-2012-2122: Security vulnerability in MySQL/MariaDB sql/password.c(概率性任意密码登mysql)
Security vulnerability in MySQL/MariaDB
sql/password.c
From: Sergei
Golubchik <serg () montyprogram com>
Date: Sat, 9 Jun 2012
17:30:38 +0200
Hi
We have recently found a serious security bug in MariaDB and MySQL.
So, here, we'd like to let you know about what the issue and its impact is. At the end you can find a patch, in case you need to patch an older unsuported MySQL version.
All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not. MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
This issue got assigned an id CVE-2012-2122.
Here's the issue. When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256.
Which means, if one knows a user name to connect (and "root" almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent. Any client will do, there's no need for a special libmysqlclient library. But practically it's better than it looks - many MySQL/MariaDB builds are not affected by this bug.
Whether a particular build of MySQL or MariaDB is vulnerable, depends on how and where it was built. A prerequisite is a memcmp() that can return an arbitrary integer (outside of -128..127 range). To my knowledge gcc builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc sse-optimized memcmp is not safe, but gcc usually uses the inlined builtin version.
As far as I know, official vendor MySQL and MariaDB binaries are not vulnerable.
Regards,
Sergei Golubchik
MariaDB Security Coordinator
References:
MariaDB bug report: https://mariadb.atlassian.net/browse/MDEV-212
MariaDB fix: http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3144
MySQL bug report: http://bugs.mysql.com/bug.php?id=64884
MySQL fix: http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17
MySQL changelog:
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
另还有国内分析:
http://weibo.com/1414664021/ynmCN9Uoy
http://weibo.com/1414664021/ynmLF4mOR
虽然看上去利用概率似乎极低,不过喜欢自己搞编译的人是否感觉到已经一身弹孔 -_-||