DOSAM I

03/10/07

03:37:46 pm, by alt3rn4tiv3, 692 words
Categories: Security, Hacks

Dangers of using Outdated Software and Misconfigurations I

After rhican's attacks on HackQuest, I decided to be more vigilant when it comes to software updates. I also went ahead and read up on some of the dangers that might follow, how "outdated" or "misconfigured" software can pose a threat, etc. From my readings, I shall consolidate a few prominent issues and post on them. Just for the sake of it, I shall call it the "Dangers of using Outdated Software And Misconfigurations" series, or "DOSAM" for short.

In the first installment of this series, I will touch on the fatal consequences of giving the wrong people the wrong privileges, using MySQL, probably the most commonly used SQL database today, as the example. There have been numerous reports on weaknesses in the way MySQL's authentication protocol works; famous ones include the CHANGE_USER privilege escalation buffer overflow exploit in versions prior to 3.23.54, the poor algorithm used in versions prior to 3.23.11, and so on. The versions I cover today are MySQL 4.1 through the early builds of 5.0.

Let me start off by saying that MySQL can be a password cracker in itself. Surprised? Allow me to demonstrate:

create table ch(c char);
insert into ch values('a'), ('b'), ('c'), ('d'), ('e'), ('f'), ('g'),
('h'), ('i'), ('j'), ('k'), ('l'), ('m'), ('n'), ('o'), ('p'), ('q'),
('r'), ('s'), ('t'), ('u'), ('v'), ('w'), ('x'), ('y'), ('z');
select * from ch a, ch b, ch c, ch d where sha1(concat(a.c,b.c,c.c,d.c)) = '81fe8bfe87576c3ecb22426f8e57847382917acf';

You now know that the hash was for the string "abcd". Generally, breaking a SHA-1 hash using the MySQL engine takes a pretty long time (the work grows exponentially with password length, as with all brute-force techniques). A 4-char password takes about 3 seconds, a 5-char one about 90 seconds, a 6-char one about 40 minutes and a 7-char one about a day. So how is this related to compromising MySQL, you ask.

You can use MySQL to crack its own passwords in version 4.1.x using the built-in password() function. Yes, you can do this for other versions as well, but there's hardly any point in doing so because you can use another vulnerability. ;) So anyway, first obtain the stored value of the password you want to crack. You can do this by reading the grant table file with an account that has File_priv, using the load_file() function:

mysql> select substring(load_file('./mysql/user.MYD'), 166);

And cracking it:

mysql> select distinct u.user, concat(a.c,b.c,c.c,d.c) from mysql.user u, ch a, ch b, ch c, ch d
    -> where password(trim(concat(a.c,b.c,c.c,d.c))) = u.password;

N.B. the above query only cracks passwords that are exactly 4 characters long (it tries every 4-character combination of the letters stored in ch).

Although it's a path less travelled, it's probably so for a reason: the load the server suffers will definitely be noticeable. Some hosts with foobar load balancing policies that suspend accounts on the spot will probably suspend yours if it takes up too much load. And even if your account doesn't get suspended, the system administrator might check on what's happening. :)

Proceed with caution :)
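Because those cross joins are noisy and the general query log (the --log option mentioned in the configuration list) records every statement, an administrator can pick this pattern out of the log. Added example, not from the original post: a Python scanner over constructed general-log lines that flags load_file() reads of user.MYD, computed hashes compared against mysql.user, and the same table cross-joined several times together with a hash function.

```python
import re

# Constructed sample lines in the layout of MySQL's general query log (--log):
# "<yymmdd hh:mm:ss> <thread id> <command> <argument>". Not a real capture.
SAMPLE_LOG = """\
070310 15:30:01\t      7 Connect\twebapp@localhost on shop
070310 15:30:02\t      7 Query\tselect id, name from products where id = 42
070310 15:31:10\t      9 Connect\tguest@203.0.113.5 on test
070310 15:31:11\t      9 Query\tselect substring(load_file('./mysql/user.MYD'), 166)
070310 15:31:40\t      9 Query\tcreate table ch(c char)
070310 15:32:05\t      9 Query\tselect distinct u.user,concat(a.c,b.c,c.c,d.c) from mysql.user u, ch a, ch b, ch c, ch d where password(trim(concat(a.c,b.c,c.c,d.c)))=u.password
070310 15:33:00\t      7 Query\tselect * from ch a, ch b, ch c, ch d where sha1(concat(a.c,b.c,c.c,d.c)) = '81fe8bfe87576c3ecb22426f8e57847382917acf'
"""

# Optional timestamp, thread id, command word, rest of line.
LINE_RE = re.compile(r"^(?:\d{6}\s+\d\d:\d\d:\d\d)?\s*(\d+)\s+(\w+)\s*(.*)$")

# (finding label, pattern applied to the query text)
RULES = [
    ("grant table read via load_file()",
     re.compile(r"load_file\s*\(\s*'[^']*user\.MYD'", re.I)),
    ("computed hashes compared against mysql.user",
     re.compile(r"mysql\.user\b.*\bpassword\s*\(", re.I)),
    ("same table cross-joined 3+ times and hashed (brute-force pattern)",
     re.compile(r"\bfrom\b.*?\b(\w+)\s+\w+(?:\s*,\s*\1\s+\w+){2,}.*\b(?:sha1|md5|password)\s*\(", re.I)),
]


def scan_general_log(text):
    """Return one finding per (line, rule) hit; user@host comes from the thread's Connect line."""
    sessions = {}  # thread id -> user@host
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, command, arg = m.groups()
        if command == "Connect":
            sessions[thread] = arg.split(" on ")[0]
            continue
        if command != "Query":
            continue
        for label, pattern in RULES:
            if pattern.search(arg):
                findings.append({"thread": thread, "user": sessions.get(thread, "?"), "rule": label})
    return findings


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"thread {f['thread']} ({f['user']}): {f['rule']}")
```

The benign product lookup on thread 7 produces nothing; the four hits come from the user.MYD read, the password() comparison against mysql.user, and the two four-way cross joins.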

So what can you do to protect yourself?

MySQL Users
- Set a "strong" password for the root@localhost account.
- Rename the root MySQL user to something obscure.
- If remote connections are enabled, specify REQUIRE SSL in the GRANT statement used to set up the user.
- Create a MySQL user for each web application.
- Ensure that MySQL users are restricted by IP address as well as passwords.
*** Don't give accounts privileges that they don't absolutely need, especially File_priv, Grant_priv, and Super_priv. ***

MySQL Configuration
- Enable logging via the --log option.
- Disable the LOAD DATA LOCAL INFILE command by adding set-variable=local-infile=0 to the my.cnf file.
- Remove any unused UDFs.
- If you're using only local connections, disable TCP/IP connections via the --skip-networking option.
- Depending on your operating system, and how your data directory is configured, you might want to disallow the use of symbolic links via the --skip-symbolic-links option.
- Remove the default test database.
- Ensure MySQL traffic is encrypted.
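Added example, not part of the original post: a Python audit of rows from mysql.user (User, Host, Password, File_priv, Grant_priv, Super_priv, ssl_type) plus the database list against the two checklists above. The rows and hash values are constructed placeholders, and the assumption that root@localhost is the only account entitled to the three dangerous privileges is mine.

```python
# Constructed sample of
#   SELECT User, Host, Password, File_priv, Grant_priv, Super_priv, ssl_type FROM mysql.user
# on a MySQL 4.1/5.0 server. Hash values are placeholders, not real password hashes.
def row(user, host, password, file_priv, grant_priv, super_priv, ssl_type):
    return dict(User=user, Host=host, Password=password, File_priv=file_priv,
                Grant_priv=grant_priv, Super_priv=super_priv, ssl_type=ssl_type)

USERS = [
    row("root", "localhost", "*CONSTRUCTED_HASH_1", "Y", "Y", "Y", ""),
    row("root", "%", "", "Y", "Y", "Y", ""),
    row("shop", "localhost", "*CONSTRUCTED_HASH_2", "Y", "N", "N", ""),
    row("blog", "10.0.0.5", "*CONSTRUCTED_HASH_3", "N", "N", "N", ""),
    row("backup", "10.0.0.6", "*CONSTRUCTED_HASH_4", "N", "N", "N", "ANY"),
]
DATABASES = ["mysql", "shop", "blog", "test"]  # constructed SHOW DATABASES output

DANGEROUS_PRIVS = ("File_priv", "Grant_priv", "Super_priv")
ADMIN_ACCOUNTS = {("root", "localhost")}  # assumption: the only account allowed to hold them


def audit_users(rows, databases):
    """Return (account, issue) pairs for every checklist item that can be read off mysql.user."""
    issues = []
    for r in rows:
        acct = f"{r['User']}@{r['Host']}"
        if r["Password"] == "":
            issues.append((acct, "empty password"))
        if r["User"] == "root":
            issues.append((acct, "default 'root' name still in use; rename it"))
        if r["Host"] == "%":
            issues.append((acct, "not restricted by IP address (Host = '%')"))
        if r["Host"] != "localhost" and r["ssl_type"] == "":
            issues.append((acct, "remote login without REQUIRE SSL"))
        held = [p for p in DANGEROUS_PRIVS if r[p] == "Y"]
        if held and (r["User"], r["Host"]) not in ADMIN_ACCOUNTS:
            issues.append((acct, "holds " + ", ".join(held)))
    if "test" in databases:
        issues.append(("server", "default test database still present"))
    return issues


if __name__ == "__main__":
    for acct, issue in audit_users(USERS, DATABASES):
        print(f"{acct}: {issue}")
```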

And I rest my case.
