Full Disclosure mailing list archives
WinMySQLAdmin and MySQL(win32) Administrator Password Local Disclosure
From: "Lorenzo Hernandez Garcia-Hierro" <novappc () novappc com>
Date: Sun, 17 Aug 2003 13:32:13 +0200
------
PRODUCT: MySQL Win32 Versions
VENDOR: MySQL <www.mysql.com>
VULNERABLE VERSIONS:
- 4.x ( win32 )
- 3.x ( win32 )
- WinMySQLAdmin 1.x
- And older versions possibly affected too.
NOT VULNERABLE VERSIONS:
- *nix/POSIX Versions ;-)

---------------------
Description:

MySQL is one of the most powerful database daemons; there are Windows versions and Linux versions.
It provides a full environment for developing database applications, an easy-to-use interface and a very quick service.
It supports large remote connections and multi-user features.

---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------

Microsoft Windows distributions of MySQL are vulnerable to password stealing through the GUI interface of MySQL, WinMySQLAdmin and mysql-nt, that uses a configuration file called my.ini in plain text located at
[ROOTDRIVE, usually c:]\[WINDOWS FOLDER: WINNT / WINDOWS ]\my.ini , with read access for anybody.

The configuration file my.ini is like this:
____________________________________________________
#This File was made using the WinMySQLAdmin 1.4 Tool
#ll/mm/ffff x:Yy:kk
#Uncomment or Add only the keys that you know how works.
#Read the MySQL Manual for instructions
[mysqld]
basedir=C:/mysql
#bind-address=127.0.0.1
datadir=c:/mysql/data
#language=C:/mysql/share/your language directory
#slow query log#=
#tmpdir#=
port=3306
#set-variable=key_buffer=16M
[WinMySQLadmin]
Server=C:/mysql/bin/mysqld-nt.exe
user=[ADMIN USER]
password=[ADMIN PASSWORD]
___________________________________________________

You can see the user & password values under the [WinMySQLAdmin] configuration section.
The user value and the password value are totally in plain text, without encoding or ciphering.

-------------
| SOLUTIONS |
-------------

- Use a strong ciphering method for the admin password in WinMySQLAdmin and keep passwords with another type of storage.
-----------
| CONTACT |
-----------

Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com
______________________
NSRG-22-8

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
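An audit check for the condition reported above, added here as an example and not part of the original post: it parses a my.ini in the layout the advisory shows and reports credentials left in the WinMySQLAdmin section. The function name, the sample file and its values are constructed for illustration.

```python
import configparser

# Constructed sample in the layout shown in the advisory (values are made up).
SAMPLE_MY_INI = """\
#This File was made using the WinMySQLAdmin 1.4 Tool
[mysqld]
basedir=C:/mysql
#bind-address=127.0.0.1
datadir=c:/mysql/data
skip-networking
port=3306
[WinMySQLadmin]
Server=C:/mysql/bin/mysqld-nt.exe
user=root
password=S3cr%t-example
"""

CREDENTIAL_KEYS = ("user", "password")


def find_plaintext_credentials(ini_text):
    """Return [(section, key, value_length)] for credentials stored in a
    WinMySQLAdmin section. Values are never returned, only their length."""
    parser = configparser.ConfigParser(
        interpolation=None,       # passwords may contain '%'
        allow_no_value=True,      # MySQL option files allow bare keys
        strict=False,             # tolerate repeated sections or keys
        comment_prefixes=("#", ";"),
    )
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        # The advisory spells the section both WinMySQLAdmin and WinMySQLadmin.
        if section.lower() != "winmysqladmin":
            continue
        for key in CREDENTIAL_KEYS:
            value = parser.get(section, key, fallback=None)
            if value and value.strip():  # skip missing or empty entries
                findings.append((section, key, len(value.strip())))
    return findings


if __name__ == "__main__":
    for section, key, length in find_plaintext_credentials(SAMPLE_MY_INI):
        print(f"[{section}] {key} stored in clear text ({length} chars)")
```

On a real host, feed it the contents of the my.ini in the Windows folder and review that file's read permissions alongside any finding.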