Message-ID: <200402220309.i1M39BCH029132@mailserver3.hushmail.com>
From: auto355649 at hushmail.com (anony mous)
Subject: Proofpoint Protection Server remote MySQL root user vulnerability

Product: Protection Server
Version: unknown/Red Hat Linux
Developer: Proofpoint
URL: www.proofpoint.com

Summary:
The MySQL server may be remotely accessed by the "root" user without using
a password.

Details:

The Proofpoint Protection Server is a software product to filter spam
and other e-mail traffic.  It's installed on Red Hat Linux.  A partial
customer list may be found on their website.

By default, the embedded MySQL 4.0 server binds to the default port (3306/tcp)
on every IP.  The software has no packet filtering or port restrictions
of its own, so all bound ports are wide open to the network.

The specific flaw is that the "root" user in MySQL is not restricted
from connecting from any host ('%') and additionally the root user HAS
NO PASSWORD.  There are a few minor restrictions on the root user when
logging in from a remote host, such as no Reload_priv (more on this later),
but basic functions like INSERT and DELETE are allowed.

Exploiting this is as easy as
$ mysql -u root -h a.b.c.d

From there you can view contents of the different databases, including
dumping the hashed passwords for any of the password-protected users.
You can then run one of the brute-force MySQL password hash crackers
against them (it's the old-style 16-byte hashes).

It is also possible to create new users indirectly by INSERT'ing into
the user table for database mysql.  Remote root will not be able to FLUSH
PRIVILEGES (required to make the user active--this is because no Reload_priv),
but if the database is restarted for any reason those users will become
active and able to authenticate.  Remote root also has the ability to
delete users.

More destructive operations were not tested due to the accidental nature
of discovery, but use your imagination (certainly a DoS is possible simply
by deleting users required by the system).  Also since the systems are
running on Red Hat, it may be possible to exploit one of several recent
vulnerabilities in the Linux 2.4 kernel through MySQL.
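
An administrator can check a server for the conditions described above by auditing the rows of the mysql.user table. The following is an added example, not part of the original post: the sample rows, the hashes, the BASELINE set and the function names are constructed for illustration. Comparing against a baseline also catches rows that were INSERT'ed remotely and would only become active after a restart.

```python
import re

# Constructed sample input: tab-separated rows in the shape printed by
#   mysql -B -N -e "SELECT User, Host, Password FROM mysql.user"
# Accounts other than root, and both hashes, are made up for this example.
SAMPLE_ROWS = (
    "root\tlocalhost\t\n"
    "root\t%\t\n"
    "filter\tlocalhost\t1a2b3c4d5e6f7081\n"
    "report\t10.0.0.%\t*0123456789ABCDEF0123456789ABCDEF01234567\n"
)
# Hypothetical list of accounts the administrator expects to exist.
BASELINE = {("root", "localhost"), ("filter", "localhost")}

OLD_HASH = re.compile(r"[0-9a-fA-F]{16}")  # old-style (pre-4.1) hash format


def parse_rows(text):
    """Yield (user, host, password_hash) from tab-separated client output."""
    for line in text.splitlines():
        if line.strip():
            user, host, pw = line.split("\t")
            yield user, host, pw


def audit(text, baseline):
    """Map each (user, host) account to the list of issues found for it."""
    report = {}
    for user, host, pw in parse_rows(text):
        issues = []
        if pw == "":
            issues.append("no password")
        elif OLD_HASH.fullmatch(pw):
            issues.append("old-style hash")
        if "%" in host:
            issues.append("wildcard host")
        if (user, host) not in baseline:
            issues.append("not in baseline")
        if issues:
            report[(user, host)] = issues
    return report


if __name__ == "__main__":
    for account, issues in sorted(audit(SAMPLE_ROWS, BASELINE).items()):
        print("%s@%s: %s" % (account + (", ".join(issues),)))
```

Any account reported with both "no password" and "wildcard host" matches the flaw in this advisory and should be given a password or removed, followed by FLUSH PRIVILEGES from a local session.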


