Bypassing Authentication | TechSNAP 62

Bypassing Authentication | TechSNAP 62

A MySQL flaw so awful, I simply had to laugh. And how a simple SSH config mistake, lead to a really bad day.

Plus we answer some great audience questions, all that and much more on this week’s TechSNAP.

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offers:

$1.99/mo economy hosting for 3 months – special offer!
Code:  199tech
Expires:  June 30, 2012

$3.99 .US domain!
Code:  399us4

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | Torrent File

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Support the Show:

Show Notes:

MySQL authentication Bypass

  • The Developers of MariaDB (a fork of MySQL) recently found a major flaw in MySQL (and MariaDB) that gives an attacker a 1 in 256 chance to login to your MySQL server with an incorrect password
  • All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
  • This exploit is even worse than it sounds, because once an attacker gains access to the MySQL server, they can dump the MySQL users table, which contains the hashed passwords of all other users
  • This would allow the attacker to then do an offline attack against those hashes (with a brute force password cracking program such as John the Ripper)
  • In this way, even if the administrator patches their MySQL server, preventing further access by the attacker via the exploit, the attacker can then use the actual passwords for real user accounts once they are cracked
  • The error is an incorrect assumption about the return value of memcmp(), a C function that compares to memory addresses
  • Due to the fact that memcmp() is implemented differently by different OSs and compilers, only some systems are known to be vulnerable
  • Vulnerable:
    • Ubuntu Linux 64-bit ( 10.04, 10.10, 11.04, 11.10, 12.04 )
  • OpenSuSE 12.1 64-bit
  • Debian Unstable 64-bit (maybe others)
  • Fedora (unspecified versions)
  • Arch Linux (unspecified versions)
  • Not Vulnerable:
    • Official builds from (including Windows)
  • Red Hat Enterprise Linux 4, 5, and 6 (confirmed by Red Hat)
  • CentOS using official RHEL rpms
  • Ubuntu Linux 32-bit (10.04, 11.10, 12.04, likely all)
    • FreeBSD (all versions)
  • Vulnerable/Not Vulnerable list source, more details, mitigation steps
  • Part of the reason for the vulnerability of 64bit based OSs seems to be the different behavior of memcmp() with SSE4 optimizations (which results in a 3–5x performance increase)
  • The following shell one-liner will grant you root access to a vulnerable MySQL server: for i in seq 1 1000; do mysql -u root –password=techsnap -h 2>/dev/null; done
  • memcmp() man pages

F5 SSH Root login keys leaked

  • F5 makes high end IP load balancers, designed to distribute traffic among web servers, handle SSL offloading, and more
  • Fixed in a recently released patch, it seems that all F5s came out of the box authorized for root login over SSH with an RSA public key
  • The issue being that the corresponding RSA private key, was also included on every F5 device
  • This means that anyone that owns an F5, or has access to that key file (everyone now, we have to assume it was posted online) can now login as root on your F5
  • Why is login as root over SSH even permitted?
  • Vulnerability Announcement
  • Official Advisory

AMD/ATI Windows Video drivers insecure, cause BSOD when security features in windows enabled

  • Microsoft has a toolkit, called EMET (Enhanced Mitigation Experience Toolkit) that works to reduce the chance that unknown vulnerabilities in windows can be successfully exploited
  • EMET relies on DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), which are designed to prevent buffer overflow and remote code execution attacks
  • EMET includes an option to force DEP and ASLR system wide, rather than on a per-application basis, where only applications that opt-in to DEP/ASLR are protected
  • Enabling ASLR causes AMD/ATI video drivers to blue screen the system
  • This means that any system with an AMD/ATI graphics adapter cannot be secured as strongly as a system with an Intel or nVidia graphics adapter
  • CERT Vulnerability Notice VU#458153
  • Download Microsoft Enhanced Mitigation Experience Toolkit


Q: Jason asks about using CNAMEs for customer domains

The problem with what you are proposing is that any resource record that is a CNAME cannot have any other record types defined. This means that if you set the root of the domain to CNAME to, you then cannot define an MX record, and therefore you cannot host email addresses

Q: Mario asks about blocking possibly malicious ad networks on his network

Eivind writes in about a game company handling a security breech correctly

Note: from their findings that 10,000 users shared the same password, it is obvious that they are doing regular hashing (ala LinkedIn), rather than salted cryptographic hashes. When will people learn.


Question? Comments? Contact us here!