MySQL Authentication Algorithm Vulnerability
BID:1826
Info
MySQL Authentication Algorithm Vulnerability
| Bugtraq ID: | 1826 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 23 2000 12:00AM |
| Updated: | Oct 23 2000 12:00AM |
| Credit: | Discovered by and published by Core SDI in advisory CORE-20001023 on Oct 23, 2000. |
| Vulnerable: |
MySQL AB MySQL 3.23 .x MySQL AB MySQL 3.22 .x MySQL AB MySQL 3.21 .x MySQL AB MySQL 3.20 .x |
| Not Vulnerable: | |
Discussion
MySQL Authentication Algorithm Vulnerability
MySQL is a popular open-source relational database package used primarily on unix systems (often to power websites). The MySQL engine runs as a server to which clients connect via TCP or unix domain sockets.
When clients connect they must authenticate before any queries will be handled. MySQL stores no user passwords in their original form -- only password hashes hashed via the internal PASSWORD() function are stored in the server and clients. It is these hashes that are used to authenticate client connections to the server. To prevent transmission of the password hash in cleartext form over network connections, the designers of MySQL implemented a challenge-response system.
The authentication process is as follows:
When a client initiates a connection to a MySQL server, a psuedo-random string is generated by the server and sent to the client. The client then generates a "check string", using the stored password hash and the string recieved from the server. Following that, the client sends it to the server where it is determined whether it was created using a valid password hash or not. If it is determined that a valid password hash was used, the client is authenticated.
Unfortunately the MySQL implementation is flawed. There are arithmetic properties in the check-strings which are consistent throughout multiple authentications. Thus if multiple client authentications are observed by an attacker over a network connection, the password hash can be deduced. With a password hash, an attacker's rogue client can connect and authenticate successfully with a MySQL server. This can lead to a compromise of data/data integrity in the database depending on the access of the account compromised. A detailed technical description of the actual algorithmic vulnerability is available in Core SDI's advisory linked to in the reference section of this vuldb entry.
MySQL is a popular open-source relational database package used primarily on unix systems (often to power websites). The MySQL engine runs as a server to which clients connect via TCP or unix domain sockets.
When clients connect they must authenticate before any queries will be handled. MySQL stores no user passwords in their original form -- only password hashes hashed via the internal PASSWORD() function are stored in the server and clients. It is these hashes that are used to authenticate client connections to the server. To prevent transmission of the password hash in cleartext form over network connections, the designers of MySQL implemented a challenge-response system.
The authentication process is as follows:
When a client initiates a connection to a MySQL server, a psuedo-random string is generated by the server and sent to the client. The client then generates a "check string", using the stored password hash and the string recieved from the server. Following that, the client sends it to the server where it is determined whether it was created using a valid password hash or not. If it is determined that a valid password hash was used, the client is authenticated.
Unfortunately the MySQL implementation is flawed. There are arithmetic properties in the check-strings which are consistent throughout multiple authentications. Thus if multiple client authentications are observed by an attacker over a network connection, the password hash can be deduced. With a password hash, an attacker's rogue client can connect and authenticate successfully with a MySQL server. This can lead to a compromise of data/data integrity in the database depending on the access of the account compromised. A detailed technical description of the actual algorithmic vulnerability is available in Core SDI's advisory linked to in the reference section of this vuldb entry.
Exploit / POC
MySQL Authentication Algorithm Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
MySQL Authentication Algorithm Vulnerability
Solution:
T.C.X DataKonsult is aware of this vulnerability and there is no information available about a fix at this time. It is recommended that users use other means (eg, ssh) to create secure channels for the MySQL connections.
More information on MySQL and security is available at the link provided in the reference section of this vuldb entry.
Solution:
T.C.X DataKonsult is aware of this vulnerability and there is no information available about a fix at this time. It is recommended that users use other means (eg, ssh) to create secure channels for the MySQL connections.
More information on MySQL and security is available at the link provided in the reference section of this vuldb entry.
References
MySQL Authentication Algorithm Vulnerability
References:
References:
- How To Make MySQL Secure Against Crackers (T.C.X DataKonsult)
- MySQL Homepage (T.C.X DataKonsult)