The SQL Server 3-Byte Patch

The MySQL 1-Bit Patch

To take another (previously unpublished) example of the technique discussed in the last section, we present a small patch to MySQL that alters the remote authentication mechanism in such a manner that any password is accepted. This results in a situation in which, provided remote access is granted to the MySQL server, it is possible to authenticate as any valid remote user, without knowledge of that user's password.

Again, it should be stressed that this sort of thing is useful only in particular situations, specifically, when you want to:

  • Place a subtle backdoor in a system

  • Utilize an application/daemon's ability to interpret a complex set of data

  • Compromise a system quietly

Occasionally, it is better to use legitimate channels of communication but modify the security attributes of those channels. In the SQL Server example, we interact with the system as a normal user, but we have the ability to read and modify any data we wish for as long as the patch is in place. If the attack is well constructed, the logs will show that a normal user engaged in normal activity. That said, more often than not, a root shell is more effective (though admittedly less subtle).

To follow the discussion, you'll need the MySQL source, which you can download from www.mysql.com. At the time of writing, the stable version was 4.0.14b.

MySQL uses a somewhat bizarre homegrown authentication mechanism that involves the following protocol (for remote authentications):

  • The client establishes a TCP connection.

  • The server sends a banner and an 8-byte challenge.

  • The client scrambles the challenge using its password hash (an 8-byte quantity).

  • The client sends the resulting scrambled data to the server over the TCP connection.

  • The server checks the scrambled data using the function check_scramble in sql\password.c.

  • If the scrambled data agrees with the data the server is expecting, check_scramble returns 0. Otherwise, check_scramble returns 1.

The relevant snippet of check_scramble looks like this:

    while (*scrambled)
    {
      if (*scrambled++ != (char) (*to++ ^ extra))
        return 1;                    /* Wrong password */
    }
    return 0;

Therefore, our patch is simple. If we change that code snippet to look like this:

    while (*scrambled)
    {
      if (*scrambled++ != (char) (*to++ ^ extra))
        return 0;                    /* Wrong password but we don't care :o) */
    }
    return 0;

then any user account that can be used for remote access can be used with any password.

There are many other things that you can do with MySQL, including a conceptually similar patch to the previous SQL Server example (it doesn't matter who you are, you're always dbo) among other interesting things.

The code compiles to a byte sequence something like this (using MS assembler format):

    3B C8                cmp         ecx,eax
    74 04                je          (4 bytes forward)
    B0 01                mov         al,1
    EB 04                jmp         (4 bytes forward)
    EB C5                jmp         (59 bytes backward)
    32 C0                xor         al,al

The mov al, 1 is the trick here. If we change it to mov al, 0, any user can use any password. That's a 1-byte patch (or, if we're being pedantic, a 1-bit patch). We couldn't make a smaller change to the process if we tried, yet we've disabled the entire remote password authentication mechanism.

The means of inflicting the binary patch on the target system is left as an exercise to the reader. There have historically been a number of arbitrary code execution issues in MySQL; doubtless more will be found in time. Even in the absence of a handy buffer overflow, however, the technique still applies to binary file patching and is thus still worth knowing.

You then write a small exploit payload that applies that difference to the running code, or to the binary file, in a similar manner to the SQL Server exploit outlined previously.
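From the defender's side, a patch this small is exactly what file-integrity checking is for. The following is an added example, not code from the book: a byte-level diff that compares a suspect binary image against a trusted reference copy of the same build and reports every run of changed bytes, using the instruction bytes listed above as a constructed sample image (its offsets are relative to that sample, not to any real mysqld).

```python
import hashlib
from typing import List, Tuple

# Constructed sample image: the check_scramble instruction bytes listed above
# (cmp / je / mov al,1 / jmp / jmp / xor al,al), surrounded by NOP padding.
# Offsets are relative to this sample, not to any real mysqld build.
REFERENCE = bytes.fromhex("90" * 8 + "3bc8" + "7404" + "b001" + "eb04"
                          + "ebc5" + "32c0" + "90" * 8)
# What the one-byte patch described above does to that image: B0 01 -> B0 00.
PATCHED = REFERENCE.replace(b"\xb0\x01", b"\xb0\x00")

def fingerprint(image: bytes) -> str:
    """SHA-256 of the whole image; a fast first check against a known-good hash."""
    return hashlib.sha256(image).hexdigest()

def diff_runs(reference: bytes, suspect: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Return (offset, expected_bytes, actual_bytes) for every contiguous run of
    bytes where the suspect image differs from the trusted reference."""
    if len(reference) != len(suspect):
        raise ValueError("size mismatch: reference %d bytes, suspect %d bytes"
                         % (len(reference), len(suspect)))
    runs: List[Tuple[int, bytes, bytes]] = []
    start = None
    for i, (a, b) in enumerate(zip(reference, suspect)):
        if a != b and start is None:
            start = i                       # a run of changed bytes begins here
        elif a == b and start is not None:
            runs.append((start, reference[start:i], suspect[start:i]))
            start = None
    if start is not None:                   # run extends to the end of the image
        runs.append((start, reference[start:], suspect[start:]))
    return runs

def report(reference: bytes, suspect: bytes) -> List[str]:
    """Human-readable lines, one per changed run, suitable for an integrity alert."""
    if fingerprint(reference) == fingerprint(suspect):
        return []
    return ["offset 0x%x: expected %s, found %s"
            % (off, exp.hex(" ").upper(), act.hex(" ").upper())
            for off, exp, act in diff_runs(reference, suspect)]

if __name__ == "__main__":
    for line in report(REFERENCE, PATCHED):
        print(line)    # offset 0xd: expected 01, found 00
```

In practice the reference is a copy of the same binary kept off the host (or its published hash), and the same diff works on a memory image of the running process if the patch was applied in memory rather than on disk.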



The Shellcoder's Handbook. Discovering and Exploiting Security