Message-ID: <200308171132.h7HBWDhV027222@novappc.com>
From: novappc at novappc.com (Lorenzo Hernandez Garcia-Hierro)
Subject: WinMySQLAdmin and MySQL(win32) Administrator Password Local Disclosure

------
PRODUCT: MySQL Win32 Versions
VENDOR: MySQL <www.mysql.com>
VULNERABLE VERSIONS:
       
       - 4.x ( win32 )
       - 3.x ( win32 )
       - WinMySQLAdmin 1.x
       - Older versions are possibly affected too.

NOT VULNERABLE VERSIONS

- *nix/POSIX Versions ;-)

---------------------

Description:

MySQL is one of the most powerful database daemons; there are Windows 
versions and Linux versions.
It provides a full environment for developing database applications, an 
easy-to-use interface and
a very quick service.
It supports large remote connections and multi-user features.

---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------

Microsoft Windows distributions of MySQL are vulnerable to password 
stealing through the GUI interface of MySQL,
WinMySQLAdmin and mysql-nt, which uses a plain-text configuration file 
called my.ini, located at 
[ROOTDRIVE, usually c:]\[WINDOWS FOLDER: WINNT / WINDOWS ]\my.ini, 
with read access for anybody.
The configuration file my.ini looks like this:

____________________________________________________
#This File was made using the WinMySQLAdmin 1.4 Tool
#ll/mm/ffff x:Yy:kk

#Uncomment or Add only the keys that you know how works.
#Read the MySQL Manual for instructions

[mysqld]
basedir=C:/mysql
#bind-address=127.0.0.1
datadir=c:/mysql/data
#language=C:/mysql/share/your language directory
#slow query log#=
#tmpdir#=
port=3306
#set-variable=key_buffer=16M
[WinMySQLadmin]
Server=C:/mysql/bin/mysqld-nt.exe
user=[ADMIN USER]
password=[ADMIN PASSWORD]
___________________________________________________

You can see the user and password values under the [WinMySQLAdmin] 
configuration section.
The user value and the password value are stored entirely in plain text, 
without encoding or ciphering.

-------------
| SOLUTIONS |
-------------
 - Use a strong ciphering method for the admin password in 
WinMySQLAdmin and keep passwords in another type of storage.
-----------
| CONTACT |
-----------

Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com
______________________

NSRG-22-8
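
An audit check for the my.ini exposure described in the advisory above, added here as an example and not part of the original message or of MySQL's own tooling: it reports which credential keys are stored in clear text under the WinMySQLAdmin section without ever echoing their values. The sample file, the function names and the extra `skip-networking` line are constructed for illustration; file read permissions (NTFS ACLs) still need a separate review.

```python
import configparser

# Constructed sample modeled on the my.ini layout shown in the advisory.
SAMPLE_MY_INI = """\
#This File was made using the WinMySQLAdmin 1.4 Tool
[mysqld]
basedir=C:/mysql
#bind-address=127.0.0.1
port=3306
skip-networking
[WinMySQLadmin]
Server=C:/mysql/bin/mysqld-nt.exe
user=example_admin
password=example%secret
"""

CREDENTIAL_KEYS = {"user", "password"}


def find_plaintext_credentials(ini_text):
    """Return sorted (section, key) pairs for non-empty credentials stored
    under a WinMySQLAdmin section. Values are never returned, so the
    findings can be logged or ticketed without leaking the secret."""
    parser = configparser.ConfigParser(
        interpolation=None,   # passwords may legitimately contain '%'
        allow_no_value=True,  # my.ini allows bare flags such as skip-networking
        strict=False,         # tolerate repeated sections/keys in edited files
    )
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        # The generated file writes [WinMySQLadmin]; match any capitalisation.
        if section.lower() != "winmysqladmin":
            continue
        for key, value in parser.items(section):  # keys arrive lower-cased
            if key in CREDENTIAL_KEYS and value:
                findings.append((section, key))
    return sorted(findings)


def audit_file(path):
    """Audit one my.ini on disk and return its findings."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return find_plaintext_credentials(handle.read())


if __name__ == "__main__":
    for section, key in find_plaintext_credentials(SAMPLE_MY_INI):
        print(f"plaintext credential: [{section}] {key}=<redacted>")
```
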

