MySQL身份认证漏洞修复.docxVIP

MySQL身份认证漏洞 升级到5.5.24可修正MySQL爆出了一个很大的安全漏洞，几乎影响5.1至5.5的所有版本。出问题的模块是登录时密码校验的部分(password.c)，在知道用户名的情况下（如root），直接反复重试（平均大约256次）即可登入。MySQL发布5.5.24的时候，修正了这个BUG。我今天早上打开电脑,在seclists中看到一个很惊人的thread:/oss-sec/2012/q2/493MySQL爆出了一个很大的安全漏洞，几乎影响5.1至5.5的所有版本。出问题的模块是登录时密码校验的部分(password.c)，在知道用户名的情况下（如root），直接反复重试（平均大约256次）即可登入。不过，MySQL身份认证的时候是采用3元组，username,ip,password。如果client的IP在mysql.user表中找不到对应的，也无法登陆。这个BUG实际上早在4月份就被发现了，今年5月7号，MySQL发布5.5.24的时候，修正了这个BUG。漏洞分析：出问题的代码如下/* Check that scrambled message corresponds to the password; the functionis used by server to check that recieved reply is authentic. This function does not check lengths of given strings: message must benull-terminated, reply and hash_stage2 must be at least SHA1_HASH_SIZElong (if not, something fishy is going on). SYNOPSIScheck_scramble()scramble clients reply, presumably produced by scramble()message original random string, previously sent to client (presumably second argument of scramble()), must beexactly SCRAMBLE_LENGTH long and NULL-terminated. hash_stage2 hex2octet-decoded database entry All params are IN. RETURN VALUE0 password is correct !0 password is invalid*/my_boolcheck_scramble(constuchar *scramble_arg, const char *message,const uint8 *hash_stage2){ SHA1_CONTEXT sha1_context;uint8buf[SHA1_HASH_SIZE]; uint8 hash_stage2_reassured[SHA1_HASH_SIZE]; mysql_sha1_reset(sha1_context); /* create key to encrypt scramble */ mysql_sha1_input(sha1_context, (const uint8 *) message, SCRAMBLE_LENGTH); mysql_sha1_input(sha1_context, hash_stage2, SHA1_HASH_SIZE); mysql_sha1_result(sha1_context, buf); /* encrypt scramble */my_crypt((char *) buf, buf, scramble_arg, SCRAMBLE_LENGTH); /* now buf supposedly contains hash_stage1: so we can get hash_stage2 */ mysql_sha1_reset(sha1_context); mysql_sha1_input(sha1_context, buf, SHA1_HASH_SIZE); mysql_sha1_result(sha1_context, hash_stage2_reassured);returnmemcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);}memcmp的返回值