mSQL authentication holes
|Description:||mSQL has a number of problems in its attempts at authentication, as well as another serious problem if the user doesn't use ACLs|
|Author:||"John W. Temples" <john@KUWAIT.NET>|
|Compromise:||remotely manipulate a mSQL database|
|Vulnerable Systems:||Those running vulnerable versions of mSQL, many Linux boxes run this |
|Date:||27 September 1997 |
Date: Sat, 27 Sep 1997 21:40:06 +0300
From: "John W. Temples" <john@KUWAIT.NET>
Subject: msql access control
I was reviewing the access control mechanisms in the mSQL database
(http://www.hughes.com.au/) and made the following observations:
1) When doing a "make install" of msql, no msql.acl access control list
file is installed. When the database server is started without an ACL
file, it prints a warning, and then starts with all databases world
readable and writable. If the server is on the Internet, the entire
Internet has read/write access to the databases.
2) When an ACL file is used, one form of authentication is by username.
The msql server accepts the username from the client and does no
authentication on it whatsoever. Thus, if an msql server which used
username access control were accessible from a multiuser host,
unauthorized users on that host could access the database by simply
knowing the login name of an authorized user.
2) The other form of authentication used is hostname. The msql server
does a lookup on the IP address of the client, but does not
subsequently do a lookup of the resulting hostname to verify it.
Hence, host name authentication is trivially defeated. This problem
was previously described in an SNI advisory
(ftp://ftp.secnet.com/pub/advisories/SNI-17.MSQL.advisory), and SNI has
made patches available to address this problem (and others) for msql
version 2, but no such patches seem to exist for msql version 1.
Conclusions: install an msql.acl file; don't use username
authentication; disable remote access (set 'access=local' in msql.acl)
unless you have patched the server to correctly verify the hostnames of
connecting clients; and all users on hosts authorized to connect to the
msql server must be trusted.
John W. Temples, III || Providing the first public access Internet
Gulfnet Kuwait || site in the Arabian Gulf region
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: