Hi, I do believe that the villain in the story of the MySQL
authentication problem is a return statement. It is not my own work;
I collected it from several sites.

MySQL has a file password.c. I never got the chance to look at it myself, but
many say that the function "check_scramble()" belongs to that file
and is defined as:

my_bool check_scramble(const char *scramble_arg, const char *message,
               const uint8 *hash_stage2)
{
  SHA1_CONTEXT sha1_context;
  uint8 buf[SHA1_HASH_SIZE];
  uint8 hash_stage2_reassured[SHA1_HASH_SIZE];

  mysql_sha1_reset(&sha1_context);
  /* create key to encrypt scramble */
  mysql_sha1_input(&sha1_context, (const uint8 *) message, SCRAMBLE_LENGTH);
  mysql_sha1_input(&sha1_context, hash_stage2, SHA1_HASH_SIZE);
  mysql_sha1_result(&sha1_context, buf);
  /* encrypt scramble */
  my_crypt((char *) buf, buf, (const uchar *) scramble_arg, SCRAMBLE_LENGTH);
  /* now buf supposedly contains hash_stage1: so we can get hash_stage2 */
  mysql_sha1_reset(&sha1_context);
  mysql_sha1_input(&sha1_context, buf, SHA1_HASH_SIZE);
  mysql_sha1_result(&sha1_context, hash_stage2_reassured);
  return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
}

Oops, sorry: the job of check_scramble() is to check the user's password
during authentication. memcmp() and my_bool require some extra care:
my_bool is just a typedef of char in C, and memcmp() is declared as
int memcmp(const void *ptr1, const void *ptr2, size_t num); so memcmp()
returns an int while check_scramble() returns a my_bool. The int is cast
to char on return, which may lead to truncation.

memcmp() implementations often return values that do not use the full
range of the int type and rather return one of the following:

- normalized values (-1/0/1)
- the diff of the first non-equal bytes (this is documented behavior of the
BSD libc implementation, but also the behavior of the gcc builtin
implementation used on x86 architectures)

A glibc x86_64 SSE4-optimized memcmp() implementation was identified
as one that returns values outside the -255 .. 255 range. Depending on
the position of the first non-equal byte, it often returns a value that
is a multiple of 256, which results in a non-0 memcmp() return value
being incorrectly converted to 0 after casting the value to the char type.
I didn't get much detail about the hashing and the other encryption
mechanism; what memcmp() is comparing is the hash derived from the
user-entered password (hash_stage2_reassured above) against the password
hash MySQL has stored (hash_stage2).

The comparison is fine when it only has to check a small number of bytes,
but when it needs to be faster, memcmp() speeds things up by subtracting
multiple bytes at once.
Like other implementations, memcmp() uses subtraction to compare. Sometimes
it subtracts 4 bytes at once, which produces a much larger result, and
check_scramble() converts that result to char (my_bool). If the result is
a multiple of 256, the conversion to char truncates it to zero. So even
though the difference is not zero, check_scramble() returns zero, which
indicates that the passwords are equal.

So the solution to this problem is simply to modify the return statement:
* return test(memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE));
The return is modified as above, and test is just a macro:
#define test(a) ((a) ? 1 : 0)
So patch your code and run make.
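To see the truncation and the fix side by side, here is an added example of my own (not MySQL's code): a constructed wide_memcmp() stands in for the optimised libc routine, and the two check functions mirror the vulnerable and the patched return statement. The names wide_memcmp, check_vulnerable, check_fixed and compare_at are mine.

```c
#include <stdint.h>
#include <string.h>
typedef char my_bool;           /* as in MySQL: a plain char */
#define test(a) ((a) ? 1 : 0)  /* macro used in the fixed return statement */
#define HASH_LEN 20             /* SHA1_HASH_SIZE */

/* Constructed stand-in for a "wide" memcmp(): compares two bytes at a time and
 * returns the raw difference of the first unequal 16-bit word. It is not
 * glibc's code; it only reproduces the property the post describes (results
 * outside -255..255, a multiple of 256 when the first byte of a word differs). */
static int wide_memcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
    size_t i;
    for (i = 0; i + 2 <= n; i += 2) {
        int wa = (a[i] << 8) | a[i + 1], wb = (b[i] << 8) | b[i + 1];
        if (wa != wb)
            return wa - wb;         /* e.g. 0x1111 - 0x1211 = -256 */
    }
    for (; i < n; i++)
        if (a[i] != b[i])
            return a[i] - b[i];
    return 0;
}

/* Vulnerable shape: the int result is silently truncated to char on return. */
static my_bool check_vulnerable(const uint8_t *h1, const uint8_t *h2)
{
    return wide_memcmp(h1, h2, HASH_LEN);
}

/* Fixed shape: normalise to 0/1 first, so no non-zero result can vanish. */
static my_bool check_fixed(const uint8_t *h1, const uint8_t *h2)
{
    return test(wide_memcmp(h1, h2, HASH_LEN));
}

/* Runs both checks on two constructed hashes that differ only at byte `pos`.
 * Returns the raw comparison value; *vuln and *fixed receive what each
 * check_scramble() variant would hand back to the caller (0 means "match"). */
int compare_at(size_t pos, int *vuln, int *fixed)
{
    uint8_t stored[HASH_LEN], attempt[HASH_LEN];
    memset(stored, 0x11, HASH_LEN);
    memcpy(attempt, stored, HASH_LEN);
    attempt[pos] = 0x12;
    *vuln = check_vulnerable(stored, attempt);
    *fixed = check_fixed(stored, attempt);
    return wide_memcmp(stored, attempt, HASH_LEN);
}
```

With the mismatch at byte 0 the raw result is -256, which the vulnerable check hands back as 0 ("match"), while the fixed check returns 1; with the mismatch at byte 1 the raw result is -1 and both checks reject.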

Special thanks to:
Red Hat Bugzilla
http://planet.mysql.com/entry/?id=33617
http://bazaar.launchpad.net/~mysql/mysql-server/5.1/view/head%3A/sql/password.c#L453
http://www.mathyvanhoef.com/2012/06/mysql-authentication-bypass-explained.html
http://seclists.org/oss-sec/2012/q2/493
http://forums.mysql.com/read.php?168,252435,252435#msg-252435
http://www.cplusplus.com
http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17#sql/password.c
http://www.aaronbedra.com/

-- 
Registered Linux user #545296

_______________________________________________
Indian Libre User Group Cochin Mailing List
http://www.ilug-cochin.org/mailing-list/
http://mail.ilug-cochin.org/mailman/listinfo/mailinglist_ilug-cochin.org