[Snort-sigs] False positives on "MYSQL client authentication bypass attempt"

Christiaan Ehlers Christiaan.Ehlers at ...3312...
Thu Aug 2 10:29:54 EDT 2007


I think I might be getting some false positives with the rule:

"MYSQL client authentication bypass attempt"

My payload looks as follows:

length = 66

000 : 3E 00 00 01 85 A2 03 00 00 00 00 01 08 00 00 00   >...............
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
020 : 00 00 00 00 63 64 72 5F 75 73 65 72 00 14 00 0C   ....cdr_user....
030 : 76 8D F8 26 9F 96 8D 8A E4 37 4E 8E 3A A4 0B 89   v..&.....7>n:...
040 : 83 11

The rule is:

mysql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL
client authentication bypass attempt"; flow:to_server,established;
flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3;
byte_test:1,&,0x80,4; byte_test:1,!&,0x02,4; content:"|00 14 00|";
offset:9; reference:bugtraq,10655; reference:cve,2004-0627;
reference:nessus,12639;
reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt;
classtype:misc-attack; sid:3668; rev:5;)

As far as I can see it relies on the string |00 14 00| being present
after an offset of 9.  I assume this is to catch the last byte of the
username, which is |00|, the size of the password |14| (SHA1), and since
you have a salted SHA1 password, every now and then you could have the
first character of the hash be |00|.  I did a test and after about 147
login attempts I got an alarm.

Not sure if it is normal for a SHA1 to have a start byte of |00|?
Anybody know about this?

I am using the client "mysql  Ver 14.12 Distrib 5.0.27, for
redhat-linux-gnu (i686) using readline 5.0"

Regards

Christiaan Ehlers
Systems Administrator

Inclarity plc * 7th Floor * Olympic Office Centre * 8 Fulton Road *
Wembley * Middlesex * HA9 0NU
Tel:    +44 (0) 208 634 0445
Mob:   +44 (0) 777 913 7962
Fax:    +44 (0) 208 634 9145
Email:  christiaan.ehlers at ...3312...
Web:   www.inclarity.co.uk <http://www.inclarity.co.uk/>




Disclaimer

==========================================

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager. Please note that any views or opinions presented
in this email are solely those of the author and do not necessarily
represent those of the company. Finally, the recipient should check
this email and any attachments for the presence of viruses. The
company accepts no liability for any damage caused by any virus
transmitted by this email.


Inclarity Ltd.

Registered Office: Olympic Office Centre, Fulton Road, Wembley, 
Middlesex, HA9 0NU
Telephone: + 44 (0)845 698 0800
Fax: + 44 (0)845 698 1000

Registered Company No. 02673204

==========================================
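The following is an added worked example, not part of the original post and not Snort or MySQL project code. It re-implements the payload tests of sid:3668 in Python, parses the posted 66-byte login packet using the MySQL 4.1 handshake-response layout (4-byte packet header, 4-byte capability flags, 4-byte max packet size, 1-byte charset, 23 reserved bytes, NUL-terminated username, 1-byte auth-response length, 20-byte scramble), and shows that the |00 14 00| match lands exactly on the username terminator, the 0x14 length byte and a scramble whose first byte happens to be 0x00. It also estimates how often an ordinary login triggers that coincidence. The function names are mine; the packet bytes are reconstructed from the hex dump in the post; CLIENT_PROTOCOL_41 (0x200) is the standard MySQL capability flag.

```python
"""Replay the matching logic of Snort sid:3668 against the MySQL 4.1
login packet from the post and classify where the |00 14 00| match lands.
Added example; only the payload and the rule come from the original post."""
import struct
from dataclasses import dataclass

CLIENT_PROTOCOL_41 = 0x200  # standard MySQL capability flag

# The 66-byte client login packet pasted in the post (from its hex dump).
PAYLOAD = bytes.fromhex(
    "3E 00 00 01 85 A2 03 00 00 00 00 01 08 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 63 64 72 5F 75 73 65 72 00 14 00 0C"
    "76 8D F8 26 9F 96 8D 8A E4 37 4E 8E 3A A4 0B 89"
    "83 11"
)


def rule_3668_matches(pkt: bytes):
    """Apply the rule's payload tests in order (flow/flowbits state, i.e. a
    server greeting already seen, is assumed satisfied).  Returns the offset
    of the |00 14 00| match, or None when the rule would not fire."""
    # content:"|01|"; depth:1; offset:3  -> byte 3 (packet sequence id) == 0x01
    if len(pkt) < 5 or pkt[3] != 0x01:
        return None
    # byte_test:1,&,0x80,4  -> bit 0x80 of byte 4 set
    # byte_test:1,!&,0x02,4 -> bit 0x02 of byte 4 clear
    if not (pkt[4] & 0x80) or (pkt[4] & 0x02):
        return None
    # content:"|00 14 00|"; offset:9 -> pattern anywhere at or after byte 9
    idx = pkt.find(b"\x00\x14\x00", 9)
    return idx if idx >= 0 else None


@dataclass
class HandshakeResponse41:
    capabilities: int
    max_packet: int
    charset: int
    username: bytes
    auth_response: bytes  # 20-byte scramble for MySQL 4.1 native auth


# Fixed-size prefix before the username: header(4) + caps(4) + maxpkt(4)
# + charset(1) + reserved(23)
USERNAME_OFFSET = 4 + 4 + 4 + 1 + 23


def parse_handshake_response(pkt: bytes) -> HandshakeResponse41:
    """Parse a MySQL 4.1 client handshake response (login packet)."""
    length = int.from_bytes(pkt[0:3], "little")
    if length + 4 != len(pkt):
        raise ValueError("packet length field does not match payload size")
    caps, max_packet, charset = struct.unpack_from("<IIB", pkt, 4)
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("not a 4.1-protocol login packet")
    nul = pkt.index(b"\x00", USERNAME_OFFSET)
    username = pkt[USERNAME_OFFSET:nul]
    auth_len = pkt[nul + 1]
    auth = pkt[nul + 2 : nul + 2 + auth_len]
    if len(auth) != auth_len:
        raise ValueError("truncated auth response")
    return HandshakeResponse41(caps, max_packet, charset, username, auth)


def explain_match(pkt: bytes) -> str:
    """Say whether an alert is structural noise (username NUL + 0x14 length
    + scramble starting with 0x00) or a match somewhere else in the packet."""
    idx = rule_3668_matches(pkt)
    if idx is None:
        return "no alert"
    hs = parse_handshake_response(pkt)
    username_nul = USERNAME_OFFSET + len(hs.username)
    if (idx == username_nul and len(hs.auth_response) == 20
            and hs.auth_response[0] == 0x00):
        return ("alert: |00 14 00| is the username terminator, the 0x14 "
                "scramble length and a scramble whose first byte is 0x00")
    return "alert: |00 14 00| matched elsewhere in the packet"


def prob_first_scramble_byte_zero(logins: int) -> float:
    """Probability that at least one of `logins` normal 4.1 logins carries a
    scramble starting with 0x00, treating the scramble bytes as uniform
    (1/256 per login)."""
    return 1 - (255 / 256) ** logins


if __name__ == "__main__":
    print(explain_match(PAYLOAD))
    print(f"chance of >=1 such login in 147 tries: "
          f"{prob_first_scramble_byte_zero(147):.2%}")
```

Run as a script it reports the structural match for the posted packet and that roughly 44% of 147-login batches would contain at least one scramble beginning with 0x00, consistent with the alarm the post describes. The classification in `explain_match` is the kind of check a tuned rule or a post-processing filter would need: the rule's content string cannot by itself distinguish a scramble that starts with 0x00 from the pattern it was written for.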