MySQL/MariaDB sql/password.c security vulnerability

June 11, 2012 | Category: Log | Tags:

Source: http://seclists.org/oss-sec/2012/q2/493
Affected versions: All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
Unaffected versions: MariaDB 5.1.62, 5.2.12, 5.3.6, 5.5.23; MySQL 5.1.63, 5.5.24, 5.6.6.

Vulnerability description: when the username is known, a login attempt with an arbitrary password succeeds with probability 1/256.
Vulnerability analysis:
http://bazaar.launchpad.net/~mysql/mysql-server/5.1/view/3560.10.17/include/my_global.h :

typedef char		my_bool; /* Small bool */

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/view/3560.10.17/sql/password.c :

my_bool
check_scramble(const char *scramble_arg, const char *message,
               const uint8 *hash_stage2)
{
  SHA1_CONTEXT sha1_context;
  uint8 buf[SHA1_HASH_SIZE];
  uint8 hash_stage2_reassured[SHA1_HASH_SIZE];

  mysql_sha1_reset(&sha1_context);
  /* create key to encrypt scramble */
  mysql_sha1_input(&sha1_context, (const uint8 *) message, SCRAMBLE_LENGTH);
  mysql_sha1_input(&sha1_context, hash_stage2, SHA1_HASH_SIZE);
  mysql_sha1_result(&sha1_context, buf);
  /* encrypt scramble */
  my_crypt((char *) buf, buf, (const uchar *) scramble_arg, SCRAMBLE_LENGTH);
  /* now buf supposedly contains hash_stage1: so we can get hash_stage2 */
  mysql_sha1_reset(&sha1_context);
  mysql_sha1_input(&sha1_context, buf, SHA1_HASH_SIZE);
  mysql_sha1_result(&sha1_context, hash_stage2_reassured);
  return test(memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE));
  /* originally: return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE); */
}

This vulnerability does not affect every build, however. It depends on whether the memcmp() the binary ends up using can return values outside the range -128..127. If it can, the int result is truncated to my_bool (a char), and with probability 1/256 a non-zero result becomes 0, so the comparison wrongly reports a match.
gcc's built-in memcmp and the BSD libc memcmp are safe. The SSE-optimised memcmp in Linux glibc is unsafe, although gcc usually emits its built-in version (which returns -1/0/1).
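The truncation described above, reproduced in a self-contained C program (an added example written for this post, not MySQL's or glibc's code). wide_memcmp() is a constructed stand-in for a memcmp() whose return value is not limited to -1/0/1: it returns the difference of the first mismatching 16-bit words, so results such as 256 or -512 are possible. Beside it, compare_truncating() follows the pre-fix pattern (int returned through my_bool) and compare_fixed() follows the patched pattern (result passed through test() first). In MySQL's convention a return value of 0 means "hashes match", so a truncated result of 0 is the false accept. The names wide_memcmp, compare_truncating, compare_fixed, false_accepts and the LCG seed values are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SHA1_HASH_SIZE 20
typedef char my_bool;             /* same typedef as include/my_global.h */
#define test(a) ((a) ? 1 : 0)     /* MySQL's test() macro: collapses any int to 0/1 */

/* Constructed stand-in for an optimised memcmp(): returns the difference of the
 * first mismatching 16-bit big-endian words, so the result can lie well outside
 * -128..127. This only simulates the behaviour the post attributes to some
 * libc builds; it is not glibc's implementation. */
static int wide_memcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            int wa = a[i] << 8, wb = b[i] << 8;
            if (i + 1 < n) { wa |= a[i + 1]; wb |= b[i + 1]; }
            return wa - wb;
        }
    }
    return 0;
}

/* Pre-fix pattern: the int result is converted to my_bool (char). With gcc the
 * conversion keeps the low byte, so 256, 512, -256, ... all become 0 = "match". */
static my_bool compare_truncating(const uint8_t *h1, const uint8_t *h2)
{
    return wide_memcmp(h1, h2, SHA1_HASH_SIZE);
}

/* Patched pattern from check_scramble(): normalise to 0/1 before the narrowing. */
static my_bool compare_fixed(const uint8_t *h1, const uint8_t *h2)
{
    return test(wide_memcmp(h1, h2, SHA1_HASH_SIZE));
}

/* Deterministic case: the hashes differ only in byte 0, so wide_memcmp() returns
 * 256. Returns 1 if the given check wrongly reports the two hashes as equal. */
int accepts_mismatch(int use_fixed)
{
    uint8_t stored[SHA1_HASH_SIZE] = {0}, computed[SHA1_HASH_SIZE] = {0};
    computed[0] = 1;
    my_bool r = use_fixed ? compare_fixed(stored, computed)
                          : compare_truncating(stored, computed);
    return r == 0;
}

/* Small LCG so the Monte Carlo run below is reproducible and needs no OS RNG. */
static uint32_t lcg_next(uint32_t *s)
{
    *s = *s * 1664525u + 1013904223u;
    return *s;
}

/* Count how often a check accepts two random (constructed, almost surely unequal)
 * 20-byte hashes. The truncating check should land near trials/256, the fixed
 * check at 0. */
unsigned false_accepts(int use_fixed, unsigned trials, uint32_t seed)
{
    unsigned accepted = 0;
    for (unsigned t = 0; t < trials; t++) {
        uint8_t h1[SHA1_HASH_SIZE], h2[SHA1_HASH_SIZE];
        for (size_t i = 0; i < SHA1_HASH_SIZE; i++) {
            h1[i] = (uint8_t)(lcg_next(&seed) >> 24);
            h2[i] = (uint8_t)(lcg_next(&seed) >> 24);
        }
        my_bool r = use_fixed ? compare_fixed(h1, h2) : compare_truncating(h1, h2);
        if (r == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("single mismatch (diff 256): truncating accepts=%d, fixed accepts=%d\n",
           accepts_mismatch(0), accepts_mismatch(1));
    printf("100000 random pairs: truncating accepts=%u, fixed accepts=%u\n",
           false_accepts(0, 100000, 1), false_accepts(1, 100000, 1));
    return 0;
}
```

The same program run against the real memcmp() on a given toolchain is a quick way to tell which case a build falls into: if wide_memcmp() is replaced by memcmp() and the truncating variant never accepts a mismatch over many random pairs, that libc/compiler combination returns values within -128..127 (or -1/0/1) and the truncation cannot trigger.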
