Nmap NSE Category vulns Script：mysql-vuln-cve2012-2122 偵測繞過 MySQL 和 MariaDB身份認證的漏洞

• 指令類型：portrule

• 類別：discovery, intrusive, vuln

• 下載：https://svn.nmap.org/nmap/scripts/mysql-vuln-cve2012-2122.nse

Nmap Script指令摘要

嘗試利用 CVE2012-2122 漏洞繞過 MySQL 和 MariaDB 服務器的身份驗證。如果它易受攻擊，腳本還將嘗試傾倒 MySQL 用戶名和密碼雜湊。

所有 MariaDB 和 MySQL 版本直到 5.1.61、5.2.11、5.3.5、5.5.22 都是易受攻擊的，但利用這個漏洞是否成功取決於 memcmp() 是否返回 -128..127 範圍外的任意整數。

"當用戶連接到 MariaDB/MySQL 時，會計算一個令牌（SHA 過一個密碼和一個隨機攪亂字符串），並與預期值進行比較。由於不正確的類型轉換，可能會發生令牌和預期值被認為是相等的情況，即使 memcmp() 返回非零值。在這種情況下，MySQL/MariaDB 會認為密碼是正確的，即使它不是。因為該協議使用隨機字符串，觸發此錯誤的概率大約是 1/256。這意味著，如果知道一個用戶名來連接（而且“root”幾乎總是存在的），她可以通過重複連接嘗試使用任何密碼連接。大約 300 次嘗試只需要不到一秒的時間，所以基本上賬戶密碼保護幾乎等於不存在。”

原始公開通告：

http://seclists.org/oss-sec/2012/q2/493

關於這個漏洞的有趣帖子：

https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql

Nmap Script指令參數

mysql-vuln-cve2012-2122.pass

MySQL 密碼。預設：nmapFTW。

mysql-vuln-cve2012-2122.user

MySQL 用戶名。預設：root。

mysql-vuln-cve2012-2122.iterations

連接重試次數。預設：1500。

mysql-vuln-cve2012-2122.socket_timeout

套接字超時時間。預設：5秒。

vulns.short, vulns.showall

請參閱 vulns 函式庫的文檔。

Nmap Script指令範例

nmap -p3306 --script mysql-vuln-cve2012-2122 <target>

nmap -sV --script mysql-vuln-cve2012-2122 <target>

Nmap Script指令輸出

PORT     STATE SERVICE REASON
3306/tcp open  mysql   syn-ack
| mysql-vuln-cve2012-2122:
|   VULNERABLE:
|   Authentication bypass in MySQL servers.
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-2122
|     Description:
|       When a user connects to MariaDB/MySQL, a token (SHA
|       over a password and a random scramble string) is calculated and compared
|       with the expected value. Because of incorrect casting, it might've
|       happened that the token and the expected value were considered equal,
|       even if the memcmp() returned a non-zero value. In this case
|       MySQL/MariaDB would think that the password is correct, even while it is
|       not.  Because the protocol uses random strings, the probability of
|       hitting this bug is about 1/256.
|       Which means, if one knows a user name to connect (and "root" almost
|       always exists), she can connect using *any* password by repeating
|       connection attempts. ~300 attempts takes only a fraction of second, so
|       basically account password protection is as good as nonexistent.
|
|     Disclosure date: 2012-06-9
|     Extra information:
|       Server granted access at iteration #204
|     root:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
|     debian-sys-maint:*BDA9386EE35F7F326239844C185B01E3912749BF
|     phpmyadmin:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
|     References:
|       https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
|       http://seclists.org/oss-sec/2012/q2/493
|_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122

Nmap Script作者:

Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See https://nmap.org/book/man-legal.html

延伸閱讀

• 網路概念

• 技術文章

• 經驗分享

• 軟體介紹

• Nmap（持續更新Script中文翻譯）