SANS ISC: Exploit Available for Trivial MySQL Password Bypass - SANS Internet Storm Center


Thanks to Jack for pointing this one out to us. I somehow missed this vulnerability this weekend.

MySQL fixed last week an authentication bypass vulnerability that is trivially exploitable [1]. The effect is that, on each login attempt, a client has a roughly 1/256 chance of being granted access even though the password is wrong. In short: you do not need to guess the password at all. Repeating the same wrong password for an existing account a few hundred times will get you in within seconds.

The vulnerability does however depend on how your instance of MySQL was compiled. Chances are that you are not vulnerable, but just in case, there is a patch available, and it is not hard to test. Write a script that attempts the same wrong password for a valid user name many times, and see whether you eventually get logged in. At a 1/256 success rate per attempt, 300 attempts succeed about 69% of the time and 1000 attempts about 98% of the time, so if a loop of a thousand attempts never gets in, your build is almost certainly not affected.

As an additional hardening measure, you may want to consider limiting network access to the MySQL port by IP address, and restricting the accounts themselves to the hosts they are actually used from (MySQL grants are per 'user'@'host', so a remote attacker also needs an account that is allowed to connect from their address).


Johannes B. Ullrich, Ph.D.
SANS Technology Institute



4514 Posts
ISC Handler
Jun 11th 2012
Exploit code is
while true; do mysql -uroot -pasdf mysql; done
using a valid user

but it did not work on my Debian 6 64-bit systems, none of them.
Yup. Usually I don't like to link to exploit code, or have exploit code in comments like yours. But in this case, "hiding exploit code" would be silly ;-)


4514 Posts
ISC Handler
This page describes the problem / exploit pretty well, but basically a LOT of systems should be vulnerable to this, and this gives MySQL admin access - I'd expect to see widespread scanning.


45 Posts

You are not wrong, my IDS is already picking up a larger number of MySQL scans than usual...

It begins.

12 Posts

Quoting the vulnerability report:

Whether a particular build of MySQL or MariaDB is vulnerable, depends on
how and where it was built. A prerequisite is a memcmp() that can return
an arbitrary integer (outside of -128..127 range). To my knowledge gcc
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
sse-optimized memcmp is not safe, but gcc usually uses the inlined
builtin version.

Doesn't work on any of the 6 MySQL servers I administer (Debian, Ubuntu Server, CentOS).
2 Posts
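The two passages above, the diary's "1/256 chance" and the quoted note that a vulnerable build needs a memcmp() that can return an integer outside -128..127, describe the same defect: the server stores the raw memcmp() result in a char-sized my_bool, so a difference that happens to be a multiple of 256 is truncated to zero and reads as "passwords match". The simulation below is an added example written for this page, not code from the ISC diary, from MySQL or from the vulnerability report. The hashing steps follow the documented MySQL 4.1+ native-password handshake; the two memcmp() models, the simplified check_scramble() function, the account name and both passwords are constructed for illustration, and the word-at-a-time memcmp() is only an assumed stand-in for an SSE-optimised one.

```python
"""
Simulation of the MySQL native-password check with a memcmp() result that is
truncated to a char-sized my_bool. Hashing follows the MySQL 4.1+ handshake;
the memcmp() models and the simplified server check are assumptions.
"""
import hashlib
import random

SHA1_HASH_SIZE = 20


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash_stage2(password: bytes) -> bytes:
    """What mysql.user holds for a native-password account: SHA1(SHA1(pw))."""
    return sha1(sha1(password))


def client_token(password: bytes, salt: bytes) -> bytes:
    """Client's 20-byte reply to the server's 20-byte salt:
    SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw)))."""
    stage1 = sha1(password)
    return xor(stage1, sha1(salt + sha1(stage1)))


def memcmp_bytewise(a: bytes, b: bytes) -> int:
    """Plain memcmp(): difference of the first differing byte pair (-255..255).
    That is a multiple of 256 only when it is 0, so truncation to a char is harmless."""
    for x, y in zip(a, b):
        if x != y:
            return x - y
    return 0


def memcmp_wordwise(a: bytes, b: bytes) -> int:
    """Assumed model of an optimised memcmp() that compares 4-byte words and
    returns their full difference: an arbitrary int well outside -128..127."""
    for i in range(0, len(a), 4):
        wa = int.from_bytes(a[i:i + 4], "big")
        wb = int.from_bytes(b[i:i + 4], "big")
        if wa != wb:
            return wa - wb
    return 0


def check_scramble(token: bytes, salt: bytes, hash_stage2: bytes, memcmp, fixed: bool) -> bool:
    """Server side: rebuild SHA1(SHA1(pw)) from the token and compare it with the
    stored hash. Returns True when the login is accepted."""
    stage1 = xor(token, sha1(salt + hash_stage2))
    reassured = sha1(stage1)
    diff = memcmp(hash_stage2, reassured)
    if fixed:
        return diff == 0            # patched: only "zero or not" matters
    # vulnerable: the int is stored in a char-sized my_bool, keeping only its low
    # byte, so any difference that is a multiple of 256 looks like a match
    return (diff & 0xFF) == 0


def bypass_rate(memcmp, fixed: bool, trials: int = 10000, seed: int = 1) -> float:
    """Fraction of wrong-password logins accepted over `trials` fresh salts."""
    rng = random.Random(seed)
    hash_stage2 = stored_hash_stage2(b"correct-password")   # constructed account
    accepted = 0
    for _ in range(trials):
        salt = bytes(rng.getrandbits(8) for _ in range(SHA1_HASH_SIZE))
        token = client_token(b"wrong-password", salt)       # attacker never learns the real one
        if check_scramble(token, salt, hash_stage2, memcmp, fixed):
            accepted += 1
    return accepted / trials


if __name__ == "__main__":
    for name, memcmp in (("bytewise", memcmp_bytewise), ("wordwise", memcmp_wordwise)):
        for fixed in (False, True):
            rate = bypass_rate(memcmp, fixed)
            print(f"memcmp={name:8} {'fixed' if fixed else 'vuln ':5} "
                  f"wrong-password acceptance rate = {rate:.4f}")
```

Only the combination of the vulnerable truncation and a memcmp() that returns large differences yields the roughly 0.0039 (1/256) acceptance rate; a byte-at-a-time memcmp() is immune even with the unfixed server code, which is why the commenters on Debian, Ubuntu and CentOS builds above could not reproduce it.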
