Industry News

MySQL, MariaDB Flaw Allows Root Access with Wrong Passwords

A critical vulnerability in the MySQL and MariaDB database servers (tracked as CVE-2012-2122) lets an attacker log in to a known account, including the database root account, with a wrong password – provided they are persistent enough. Note that "root" here is the MySQL/MariaDB root user, not the operating-system root account, although a database root login is enough to read, alter or delete every database on the server. The flaw affects one of the most widely deployed database systems in the world, and the exploitation technique is a no-brainer: the attacker simply keeps re-trying the same wrong password, and on average it is accepted after a few hundred attempts.

The root cause is that the server stores the int returned by memcmp() in a char-sized boolean, so the comparison only behaves correctly when that value fits in a signed char (between -128 and 127). The C standard lets memcmp() return any negative, zero or positive integer, and the optimised implementations used on some server builds return larger values, such as the difference of whole words rather than of single bytes. When such a value has a zero low byte (256, -256, 512, ...), truncation to the char-sized type turns it into 0, and the routine that compares the client's password token with the expected value reads 0 as "equal". The wrong password is then accepted against the stored hash. Because the protocol mixes a random scramble into the token, the truncated value is zero roughly once in 256 attempts, so a wrong password for any known account will be accepted after about 256 tries on average.

“When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value,” wrote MariaDB developer Sergei Golubchik in a post on the oss-security mailing list. “Because of incorrect casting, it might’ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case, MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256.”
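To make the casting problem in Golubchik's description concrete, here is an added example; it is not code from MySQL, MariaDB or the article. It mirrors the vulnerable pattern (a memcmp() result returned through MySQL's char-sized my_bool) next to the fixed pattern (normalising the result to 0/1 before it is narrowed). The memcmp() stand-in, the xorshift PRNG and the 20-byte tokens are all constructed for the demonstration: the stand-in returns a full 32-bit word difference, which the C standard permits, so that the truncation becomes visible, and the PRNG stands in for the protocol's random scramble.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_LEN 20   /* length of the SHA-1 based token the protocol compares */

typedef char my_bool;  /* MySQL's char-sized boolean, as used by the affected code */

/* Constructed stand-in for an optimised memcmp(). It compares 4-byte
 * little-endian chunks and returns the full 32-bit difference of the first
 * chunk that differs. The C standard allows memcmp() to return any negative,
 * zero or positive int, but such a result does not fit in a char. This is
 * not glibc's code; it only makes the truncation observable. */
static int wide_memcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
    size_t i;
    for (i = 0; i + 4 <= n; i += 4) {
        uint32_t x, y;
        memcpy(&x, a + i, 4);
        memcpy(&y, b + i, 4);
        if (x != y)
            return (int32_t)(x - y);
    }
    for (; i < n; i++)               /* trailing bytes when n % 4 != 0 */
        if (a[i] != b[i])
            return (int)a[i] - (int)b[i];
    return 0;
}

/* Vulnerable pattern: the int from memcmp() is passed back through a
 * char-sized my_bool. Any non-zero result whose low byte is 0 (256, -256,
 * 512, ...) is truncated to 0 and read as "token matches". */
static my_bool check_token_vulnerable(const uint8_t *expected, const uint8_t *received)
{
    return (my_bool)wide_memcmp(expected, received, TOKEN_LEN);  /* lossy narrowing */
}

/* Fixed pattern: collapse the result to 0/1 before it is narrowed, so only
 * a genuine zero from memcmp() means "equal". */
static my_bool check_token_fixed(const uint8_t *expected, const uint8_t *received)
{
    return wide_memcmp(expected, received, TOKEN_LEN) != 0;
}

/* Worked single case: an expected token of 20 x 0x41 against a guess that
 * differs only at byte `mismatch_index`. Returns the my_bool the chosen
 * check produces (0 = accepted as the correct password). */
static int check_result(int mismatch_index, int use_fixed)
{
    uint8_t expected[TOKEN_LEN], guess[TOKEN_LEN];
    memset(expected, 0x41, TOKEN_LEN);
    memset(guess, 0x41, TOKEN_LEN);
    guess[mismatch_index] = 0x42;
    return use_fixed ? check_token_fixed(expected, guess)
                     : check_token_vulnerable(expected, guess);
}

/* Small deterministic xorshift PRNG so the trial below is reproducible
 * offline. It stands in for the protocol's random scramble, nothing more. */
static uint32_t rng_state;
static uint32_t xorshift32(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return rng_state = x;
}
static void random_token(uint8_t *t)
{
    for (int i = 0; i < TOKEN_LEN; i++)
        t[i] = (uint8_t)(xorshift32() >> 24);
}

/* Repeated-login trial: one expected token, `trials` random wrong tokens.
 * Returns how many wrong tokens the chosen check accepted. With the
 * vulnerable check that is about trials/256; with the fixed check it is 0. */
static unsigned count_false_accepts(unsigned trials, int use_fixed)
{
    uint8_t expected[TOKEN_LEN], guess[TOKEN_LEN];
    unsigned accepted = 0;
    rng_state = 0x9E3779B9u;            /* fixed seed: same run every time */
    random_token(expected);
    for (unsigned i = 0; i < trials; i++) {
        random_token(guess);
        if (memcmp(expected, guess, TOKEN_LEN) == 0)
            continue;                   /* a real match; never seen in practice */
        my_bool r = use_fixed ? check_token_fixed(expected, guess)
                              : check_token_vulnerable(expected, guess);
        if (r == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    unsigned n = 100000;
    printf("byte 0 differs: vulnerable=%d fixed=%d\n", check_result(0, 0), check_result(0, 1));
    printf("byte 1 differs: vulnerable=%d fixed=%d\n", check_result(1, 0), check_result(1, 1));
    printf("%u wrong tokens: vulnerable accepted %u, fixed accepted %u\n",
           n, count_false_accepts(n, 0), count_false_accepts(n, 1));
    return 0;
}
```

The single case shows why the low byte matters: a mismatch in byte 0 yields a difference of -1, which survives the narrowing and is rejected, while a mismatch in byte 1 yields -256, which becomes 0 in a char and is accepted. The trial then reproduces the roughly 1-in-256 acceptance rate for random tokens, which is exactly the rate a persistent attacker sees when re-trying one wrong password, and confirms that the fixed pattern accepts none of them.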

MySQL database servers are used in nearly all areas, ranging from personal and commercial deployments to the military. Fortunately, some Linux distributions ship the MySQL daemon bound to localhost (the bind-address setting in my.cnf), which keeps the service unreachable over the network. That limits remote exploitation, but it is not a fix: any local user, or any web application running on the same host, can still log in as any account by simply re-trying a wrong password, so affected installations should be upgraded to a release in which the comparison has been corrected, and an exposed bind-address should be reviewed on servers that are reachable from untrusted networks.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.
