December 22, 2014

Rapid 7 releases MySQL authentication bypass vulnerability scanning tool

(LiveHacking.Com) – Rapid 7, the people behind Metasploit, have released a free scanning tool which can probe all the MySQL servers on a network and see if any of them are vulnerable to the MySQL  authentication bypass vulnerability (CVE-2012-2122). The vulnerability, which was found in June, allows remote attackers to bypass the MySQL authentication by repeatedly authenticating with the same incorrect password.

The problem is that when a user connects to MySQL (or MariaDB), a hash of the password is used and compared with the sent password. But, because of a casting bug and because of the  way memcmp() is implemented in some libraries, sometimes the token and the expected password are considered equal even when they are not.The probability of hitting this bug and authenticating without the right password is about 1 in 256.

The new tool, ScanNow, will tell you if you have this MySQL vulnerability on your systems. It can scan a range of IP addresses and ports and create a report which can be saved for later reference.

Although free and scans for unlimited IPs, the tool ONLY checks for the MySQL CVE-2012-2122 vulnerability, it does not check for any other weaknesses.

MySQL allows root access for every 1 in 256 login attempts without a password

(LiveHacking.Com) – A serious security vulnerability has been found in MySQL and MariaDB that allows a remote attacker to gain root access to a database if they attempted to login (with the wrong password) around 256 times. The vulnerability, which was disclosed by Sergei Golubchik – the MariaDB Security Coordinator, occurs because some versions of memcmp() can return an arbitrary integer (outside of the normal -128 to 127 range).

The problem is that when a user connects to MySQL or MariaDB, a hash of the password is used and compared with the sent password. But, because of a casting bug, sometimes the token and the expected password are considered equal even when they are not. This can happen if memcmp() returns a non-zero value. Because the authentication protocol uses random strings, the probability of hitting this bug is about 1 in 256.

HD Moore, creator of Metasploit, has provided a simple one line bash script which will provide access to an affected MySQL server as the root user account, without actually knowing the password.

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>

Of course to run the script you need to have shell access to the machine in question. All MySQL and MariaDB versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not affected. Neither are MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23.

Some good news

This is of course a massive security hole and Moore reckons that about 50 percent of Internet servers are vulnerable to the attack. However for systems which don’t open the MySQL port to the Internet then attackers won’t be able to access the MySQL database at all. Also many versions of Linux aren’t vulnerable due to the version of memcmp() they use. Since memcmp is part of the standard C library there are a variety of implementations. The gcc builtin version of memcmp() is safe, memcmp() in BSD’s libc is also safe. However Linux distributions that use glibc with sse-optimizations is not safe.

This means that the following version of Linux are vulnerable:

  • Ubuntu Linux 64-bit ( 10.04, 10.10, 11.04, 11.10, 12.04 )
  • OpenSuSE 12.1 64-bit MySQL 5.5.23-log
  • Debian Unstable 64-bit 5.5.23-2
  • Fedora
  • Arch Linux

It is worth noting that official builds of MySQL and MariaDB (including the Windows versions) are not vulnerable and that Red Hat Enterprise Linux 4, 5, and 6 and CentOS are also unaffected. Also the 32-bit versions of Ubuntu are not affected.

Oracle Fixes 78 Vulnerabilities But Questions Arise About Fundamental Flaws in its Flagship Database Product

(LiveHacking.Com) – Oracle has released 78 security fixes, for its flagship database software, Fusion Middleware, e-Business Suite, Supply Chain, PeopleSoft, JDEdwards and Sun products, as part of January’s Critical Patch Update (CPU). Included were two fixes for the Oracle Database Server, seventeen for Oracle Sun products, three for Oracle Virtualization and a massive 27 in Oracle MySQL. Only 16 of the 78 fixes are considered critical, or could be remotely exploited without authentication.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.” said Oracle in the advisory.

The highest scored vulnerabilities, under the Common Vulnerability Scoring Standard (CVSS), are found in the Solaris operating system. The first is a denial of service bug and the second a Kerberos issue.

Oracle also patched MySQL Server 27 times, including one vulnerability in the MySQL protocol that allows a remote attacker to significantly affect the availability of the database. Another, higher-rated vulnerability, while not remotely exploitable without authentication, could both affect availability and potentially expose the confidentiality of data in the database. Some pundits are accusing Oracle of “throwing in the towel” on patching its flagship database as it received only two patches compared to MySQL’s 27.

However, now that the CPU has been issued, InfoWorld has published a story about “a flaw in Oracle’s flagship database software that could have serious repercussions for Oracle database customers, potentially compromising the security and stability of Oracle database systems.” When they contacted Oracle about the flaw they were asked, in the interest of security, to withhold the story until Oracle had time to develop and test patches that addressed the flaw.

 

Oracle to Patch 78 Security Vulnerabilities Across Hundreds of its Products

(LiveHacking.Com) – Oracle has published a critical patch update pre-release announcement where it outlines its intention to patch 78 security vulnerabilities across hundreds of its products. Scheduled for Tuesday, January 17, 2012, the jumbo set of patches affect products such as Oracle Database (10g and 11g), VirtualBox and MySQL.

For Oracle Database  there are two security fixes one of which may be remotely exploitable without authentication. This Critical Patch Update also contains three new security fixes for Oracle VM VirtualBox and Oracle Virtual Desktop Infrastructure (VDI), however none of these vulnerabilities may be remotely exploitable without authentication. The MySQL patch set is larger with 27 vulnerabilities scheduled to be patched. One of these vulnerabilities may be remotely exploitable without authentication.

Affected Products and Components

Security vulnerabilities addressed by Oracle’s Critical Patch Update affect the following products:

  • Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
  • Oracle Database 11g Release 1, version 11.1.0.7
  • Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
  • Oracle Database 10g Release 1, version 10.1.0.5
  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
  • Oracle Application Server 10g Release 3, version 10.1.3.5.0
  • Oracle Outside In Technology, versions 8.3.5, 8.3.7
  • Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5)
  • Oracle E-Business Suite Release 12, versions 12.1.2, 12.1.3
  • Oracle E-Business Suite Release 11i, version 11.5.10.2
  • Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2
  • Oracle PeopleSoft Enterprise CRM, version 8.9
  • Oracle PeopleSoft Enterprise HCM, versions 8.9, 9.0, 9.1
  • Oracle PeopleSoft Enterprise PeopleTools, version 8.52
  • Oracle JDEdwards, version 8.98
  • Oracle Sun Product Suite
  • Oracle Sun Ray, version 5.3
  • Oracle VM VirtualBox, version 4.1
  • Oracle Virtual Desktop Infrastructure, version 3.2
  • Oracle MySQL Server, versions 5.0, 5.1, 5.5, 5.6

phpMyAdmin Vulnerability and Brute Force SSH Attacks

phpMyAdmin Vulnerability and Brute Force SSH Attacks

There are one or multiple large botnets that are actively exploiting a vulnerability in phpMyAdmin. This exploit in older versions (below 3.2.4) of the package allows remote code execution on the server.

According to malwarecity, these botnets have been using this exploit to upload a bot named “dd_ssh” which can be executed at root level. This bot then conducts brute force SSH attacks on random IP addresses specified by the bot herder.

Many people who have been attacked have logs showing a flood of http requests from IPs in Asia and Eastern Europe that query the version of phpMyAdmin. Upon execution the attacker drops the malicious files in /tmp/vm.c and /tmp/dd_ssh, and then start the dd_ssh service.

Read more here at malwarecity.com.

Source: [Malwarecity]