June 12, 2012, 2:13 PM — A security flaw the discoverer described as "tragically comedic" exposes nearly 900,000 Internet-connected servers to attack by anyone who can come up with even one legitimate username and is willing to try logging in 256 times.
MySQL and MariaDB databases both assign an SHA-encrypted token to every user who logs in to the server so users only have to log in at the beginning of the session, not every time they send a request to the database.
Due to an error in the way they compare the token to an expected value, some editions of the database can't tell whether the login is authentic or not. They assume it is and allow the user access whether the password is correct or not, according to an alert posted Saturday by MariaDB Security Coordinator Sergei Golubchik.
Because of the way the encryption protocol uses random strings to generate tokens, the error happens about one time in every 256 login attempts.
That's the kind of once-in-a-blue-moon problem that wouldn't be a huge problem except that MySQL and MariaDB are two of the most common applications running on web servers and other Internet-connected machines.
In most cases, trying to log in as 'root' will get you past the username requirement. Automating the login so you can run it quickly will keep you from getting bored while you wait for the mistake to pop up.
"~300 attempts takes only a fraction of a second, so basically account password protection is as good as non-existent," Golubchik wrote. "The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password:
$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
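From the defender's side, the footprint of the flaw is the same as the one-liner above: a few hundred "Access denied" entries for one account from one host inside a second or two. The following detector is an added example, not code from the advisory or from MySQL/MariaDB; it assumes the error-log layout produced with `log_warnings=2` (timestamp, `[Warning]`, then the server's standard error 1045 message) and runs over constructed sample lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed MySQL 5.x error-log line layout under log_warnings=2; the
# "Access denied for user ..." text itself is the server's error 1045 message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?P<pw>YES|NO)\)$"
)

def parse_line(line):
    """Return (timestamp, user, host) for a denial line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
    return ts, m.group("user"), m.group("host")

def find_bursts(lines, threshold=200, window=timedelta(seconds=10)):
    """Return {(user, host): peak_count} for principals whose denials reach
    `threshold` inside any `window`-long interval. Hundreds of denials in a
    few seconds is the signature of the 1-in-256 retry loop (and of plain
    password guessing); an operator mistyping a password never produces it."""
    recent = defaultdict(deque)   # (user, host) -> timestamps inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, host = parsed
        q = recent[(user, host)]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            peaks[(user, host)] = max(peaks.get((user, host), 0), len(q))
    return peaks

def constructed_log():
    """Constructed sample: one operator typo from 10.0.0.5, then 300 root
    denials from 203.0.113.7 within a single second."""
    base = datetime(2012, 6, 12, 14, 13, 1)
    fmt = "{:%y%m%d %H:%M:%S} [Warning] Access denied for user '{}'@'{}' (using password: YES)"
    lines = [fmt.format(base, "alice", "10.0.0.5")]
    for i in range(300):
        lines.append(fmt.format(base + timedelta(milliseconds=3 * i), "root", "203.0.113.7"))
    return lines

if __name__ == "__main__":
    for (user, host), n in find_bursts(constructed_log()).items():
        print(f"burst: {n} denials for {user}@{host}")   # prints: burst: 300 denials for root@203.0.113.7
```

The threshold is deliberately below 256 so a loop that gets lucky early is still caught; tune it against the normal failure rate of the host.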
Most servers won't let users authenticate to the database in a process completely separate from authentication to the server itself, according to HD Moore, chief security officer for security vendor Rapid7, who publicized the flaw and solutions to it. In those cases the flaw still exists, but is moot because it is covered by the host's own security.