Message-ID: <200308171132.h7HBWDhV027222@novappc.com>
From: novappc at novappc.com (Lorenzo Hernandez Garcia-Hierro)
Subject: WinMySQLAdmin and MySQL(win32) Administrator Password Local Disclosure
------
PRODUCT: MySQL Win32 Versions
VENDOR: MySQL <www.mysql.com>
VULNERABLE VERSIONS:
- 4.x ( win32 )
- 3.x ( win32 )
- WinMySQLAdmin 1.x
- Older versions are possibly affected too.
NOT VULNERABLE VERSIONS
- *nix/POSIX Versions ;-)
---------------------
Description:
MySQL is one of the most powerful database daemons; there are Windows
versions and Linux versions.
It provides a full environment for developing database applications, an
easy-to-use interface and
a very quick service.
It supports large remote connections and multi-user features.
---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------
Microsoft Windows distributions of MySQL are vulnerable to password
stealing through the GUI interface of MySQL,
WinMySQLAdmin, and mysql-nt, which use a plain-text configuration file
called my.ini located at
[ROOTDRIVE, usually c:]\[WINDOWS FOLDER: WINNT / WINDOWS ]\my.ini ,
with read access for anybody.
The configuration file my.ini is like this:
____________________________________________________
#This File was made using the WinMySQLAdmin 1.4 Tool
#ll/mm/ffff x:Yy:kk
#Uncomment or Add only the keys that you know how works.
#Read the MySQL Manual for instructions
[mysqld]
basedir=C:/mysql
#bind-address=127.0.0.1
datadir=c:/mysql/data
#language=C:/mysql/share/your language directory
#slow query log#=
#tmpdir#=
port=3306
#set-variable=key_buffer=16M
[WinMySQLadmin]
Server=C:/mysql/bin/mysqld-nt.exe
user=[ADMIN USER]
password=[ADMIN PASSWORD]
___________________________________________________
You can see the user and password values under the [WinMySQLAdmin]
configuration section.
Both the user value and the password value are stored entirely in plain
text, without encoding or ciphering.
-------------
| SOLUTIONS |
-------------
- Use a strong ciphering method for the admin password in
WinMySQLAdmin and keep passwords in another type of storage.
-----------
| CONTACT |
-----------
Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com
______________________
NSRG-22-8
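
An audit check for the condition described in this advisory, added here as an example and not part of the original message or of any MySQL tool: it scans my.ini content for non-empty user/password entries under the [WinMySQLAdmin] section and reports their line numbers without ever returning the values. The function names and the sample file contents are assumptions constructed for illustration.

```python
import re

# Constructed sample modelled on the my.ini layout quoted in the advisory.
SAMPLE_MY_INI = """\
#This File was made using the WinMySQLAdmin 1.4 Tool
[mysqld]
basedir=C:/mysql
port=3306
skip-networking
[WinMySQLadmin]
Server=C:/mysql/bin/mysqld-nt.exe
user=dbadmin
password=constructed-example-value
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
SENSITIVE_KEYS = {"user", "password"}


def find_plaintext_credentials(text):
    """Return (line_no, key) for each non-empty user/password entry stored
    under a [WinMySQLAdmin] section. Values are never returned or printed."""
    findings = []
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            # Compare case-insensitively: the quoted file uses [WinMySQLadmin]
            # while the advisory text spells it [WinMySQLAdmin].
            section = m.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if (section == "winmysqladmin" and sep
                and key.strip().lower() in SENSITIVE_KEYS and value.strip()):
            findings.append((line_no, key.strip().lower()))
    return findings


def audit_file(path):
    """Audit one my.ini on disk (hypothetical helper; pass the real path)."""
    with open(path, encoding="latin-1") as fh:
        return find_plaintext_credentials(fh.read())


if __name__ == "__main__":
    for line_no, key in find_plaintext_credentials(SAMPLE_MY_INI):
        print(f"line {line_no}: plaintext '{key}' in [WinMySQLAdmin]")
```

Call audit_file() with the path to my.ini; any finding means that credential is readable by every local user who can read the file.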