Chapter 18: MySQL: Discovery, Attack, and Defense

The previous chapter covered the structure of MySQL in terms of its physical layout, logical structure, and feature set. This chapter discusses finding and exploiting security holes in MySQL, common misconfigurations, and what can be done about them in terms of defense.

Finding Targets

This section covers the following:

  • Scanning for MySQL

  • MySQL version numbers

  • Snooping authentication

Scanning for MySQL

If you're auditing your network for MySQL servers, the first thing you'll want to know is where they are. You can do this in a number of ways:

  • By scanning the network for TCP port 3306 (the default MySQL port).

  • By scanning Windows hosts in the network for the MySQL named pipe.

  • By scanning Windows hosts for the HKEY_LOCAL_MACHINE\SOFTWARE\MySQL AB registry key.

  • By examining ODBC data sources on hosts that you have access to and listing the MySQL servers they are connected to.

  • By enumerating Services on Windows hosts and checking for MySQL.

  • By enumerating daemons on Unix hosts and checking for MySQL.

Other ways exist, but this brief list should get you started. Many of these techniques can be scripted into a general-purpose MySQL scanning script.

MySQL Version Numbers

The next thing you'll want to know, having identified which hosts are MySQL servers, is what versions of MySQL are running on those servers. This is relatively straightforward because MySQL sends a textual version string as a banner when anyone connects to it via TCP; this was touched on in the previous chapter. Most port scanners will capture the banner that is sent to them and report on it. If your port scanner doesn't support this behavior, you can use the excellent general-purpose network tool netcat to retrieve it for you:

  nc -w 1 <hostname or IP> 3306

You will see a string that looks like

  4.0.20a-nt or 3.23.47

or similar. It is normally fairly easy to determine the version of MySQL. Once you have the version, you can look up known security flaws in that version. Various vulnerability databases are available for free online that you can search for bugs in the versions of MySQL that are present in your network. Probably the most authoritative (but not necessarily the most current) is ICAT, a project funded by the U.S. National Institute of Standards and Technology (NIST). ICAT is available here:

  http://icat.nist.gov/

A list of known bugs in MySQL is provided later in this chapter for reference.

Snooping Authentication

Prior to MySQL 4.0, there was no built-in encryption in the MySQL protocol. Even after version 4.0, the encryption is optional. If an authentication with MySQL can be captured, it will be possible to brute-force the password used, and depending on the authentication mechanism used, it may even be possible to determine the password much more quickly than a conventional brute-force attack.

The security company Core SDI published a paper on weaknesses in the authentication mechanism used in 3.23.x and 4.0.x, which can be viewed here:

  http://www1.corest.com/files/files/7/mysql.pdf

The gist of this is that the cryptographic qualities of the hashing mechanism used by these versions of MySQL are weak; if an attacker can obtain a number of successful authentication sequences (for example by sniffing the network), he will be able to determine the password hash. Also, in contrast to most hash-based authentication mechanisms, in these versions of MySQL only knowledge of the hash is needed, not the password. If an attacker were able to obtain the hashes from the mysql.user table, he would need no further information to be able to authenticate to the server. In most hash-based authentication mechanisms, the password hash must be cracked by a tedious (and sometimes unsuccessful) process of brute force: trying lots of different passwords to see which password corresponds to the hash. In early (pre-4.1) versions of MySQL, this step is unnecessary.

The technique that the paper describes is fairly effective: if 10 successful authentications can be obtained, the key space of 2^64 is reduced to a key space of approximately 300.

Even though this sounds terrible in security terms, it is worth bearing in mind that other, larger databases fare little better in terms of authentication sniffing attacks. Microsoft SQL Server, for example, uses a protocol where the plaintext password is passed on the wire and obfuscated by swapping the nibbles (that is, swapping each 4-bit half of each byte) and XORing the result with 0xA5.

The best way of defending against this attack is to ensure that the database will not accept unencrypted connection attempts. This is much easier in versions 4.0.x of MySQL. If encryption is not available to all clients, or for some reason you are forced to run an older version of MySQL, you can use SSH or some other encrypted tunnel mechanism, such as IPSec. The MySQL manual has some detail on how to use SSH with MySQL. SSH can be useful because it offers a layer of audit and authentication in addition to that provided by MySQL.
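The banner that the nc command above returns is the first packet of the MySQL handshake, and the same packet carries the server's capability flags: one bit says whether the server offers TLS on that port, another whether it supports the 4.1 authentication method rather than the pre-4.1 scheme whose hash-equivalence problem is described above. The following Python is an added example, not code from the book or from MySQL: it parses that handshake so an audit of the hosts found by the scan can record, per server, the version, whether encryption is offered, and whether the weak authentication is still in use. The capability bit values are the public MySQL protocol constants; the two sample packets and the helper that builds them are constructed for this example, and grab_handshake() is the live equivalent of the nc command.

```python
"""Parse the MySQL initial handshake ('banner') packet and report whether
the server advertises TLS and 4.1-style authentication.  Added example;
sample packets are constructed, not captured from real servers."""
import socket
import struct

# Capability bits from the MySQL client/server protocol (lower 16 bits).
CLIENT_SSL = 0x0800                 # server can switch the connection to TLS
CLIENT_SECURE_CONNECTION = 0x8000   # 4.1+ challenge-response authentication


def parse_handshake(packet: bytes) -> dict:
    """Decode the handshake fields that matter for an audit.

    Layout (identical in 3.23/4.0/4.1+ up to the lower capability flags):
      3-byte LE payload length, 1-byte sequence id,
      1-byte protocol version, NUL-terminated version string,
      4-byte connection id, 8-byte scramble, 1 filler byte,
      2-byte LE lower capability flags.
    """
    if len(packet) < 5:
        raise ValueError("packet too short")
    length = int.from_bytes(packet[:3], "little")
    seq = packet[3]
    payload = packet[4:4 + length]
    if len(payload) < length:
        raise ValueError("truncated payload")
    if seq != 0:
        raise ValueError("handshake must carry sequence id 0")
    if payload[0] == 0xFF:
        # Error packet (e.g. this host is not allowed to connect): marker,
        # 2-byte error code, then the message text.
        code = int.from_bytes(payload[1:3], "little")
        msg = payload[3:].decode("ascii", errors="replace")
        raise ValueError(f"server returned error {code}: {msg}")
    proto = payload[0]
    if proto != 10:
        raise ValueError(f"unsupported protocol version {proto}")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", errors="replace")
    rest = payload[end + 1:]
    if len(rest) < 15:
        raise ValueError("handshake truncated before capability flags")
    conn_id, _scramble, _filler, caps = struct.unpack("<I8sBH", rest[:15])
    return {
        "version": version,
        "connection_id": conn_id,
        "capabilities": caps,
        "ssl_advertised": bool(caps & CLIENT_SSL),
        "secure_auth": bool(caps & CLIENT_SECURE_CONNECTION),
    }


def audit(info: dict) -> list:
    """Turn parsed handshake fields into findings a defender acts on."""
    findings = []
    if not info["secure_auth"]:
        findings.append("pre-4.1 authentication: captured logins reveal the "
                        "password hash, and the hash alone is enough to log in")
    if not info["ssl_advertised"]:
        findings.append("no TLS offered on this port: authentication crosses "
                        "the wire in the clear unless tunnelled (SSH/IPsec)")
    return findings


def grab_handshake(host: str, port: int = 3306, timeout: float = 1.0) -> dict:
    """Live equivalent of 'nc -w 1 host 3306': connect, read, parse."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while len(data) < 4 or len(data) < 4 + int.from_bytes(data[:3], "little"):
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_handshake(data)


def _sample_packet(version: str, caps: int) -> bytes:
    """Constructed handshake for demonstration (connection id 42)."""
    payload = (
        bytes([10]) + version.encode() + b"\x00"
        + struct.pack("<I", 42)                 # connection id
        + b"\x01\x02\x03\x04\x05\x06\x07\x08"   # 8-byte scramble
        + b"\x00"                               # filler
        + struct.pack("<H", caps)               # lower capability flags
        + b"\x21" + struct.pack("<H", 2)        # charset, status flags
        + b"\x00" * 13                          # upper caps / reserved
    )
    return struct.pack("<I", len(payload))[:3] + b"\x00" + payload


# Constructed samples: a server offering TLS and 4.1 auth, and a 4.0-style one.
SAMPLE_MODERN = _sample_packet("5.7.44", 0xFFF7)
SAMPLE_LEGACY = _sample_packet("4.0.20a-nt", 0x002C)

if __name__ == "__main__":
    for pkt in (SAMPLE_MODERN, SAMPLE_LEGACY):
        info = parse_handshake(pkt)
        print(info["version"], audit(info) or ["no findings"])
```

A server that advertises CLIENT_SSL can still accept plaintext logins; the flag only shows that encryption is available, so the per-user or server-side requirement for encrypted connections described above still has to be enforced and checked separately.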


Database Hacker's Handbook: Defending Database Servers
ISBN: 0764578014
Year: 2003
Pages: 156