MySQL Zero-length Scrambled String Crafted Packet Authentication Bypass

This script is Copyright (C) 2011 Tenable Network Security, Inc.


Synopsis :

It is possible to bypass authentication on the remote database
service.

Description :

A bug in the version of MySQL running on the remote host allows a
remote attacker to bypass the password authentication mechanism using
a specially crafted packet with a zero-length scramble buff string.

An attacker with knowledge of an existing account defined to the
affected service can leverage this vulnerability to bypass
authentication and gain full access to that account.

See also :

http://archives.neohapsis.com/archives/bugtraq/2004-07/0038.html
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-3.html

Solution :

Upgrade to MySQL 4.1.3 or later.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.2
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 17690 ()

Bugtraq ID: 10654

CVE ID: CVE-2004-0627