[Snort-sigs] False positives on "MYSQL client authentication bypass attempt"

Matthew Watchinski mwatchinski at ...435...
Thu Aug 2 10:58:45 EDT 2007


We'll give this a look and see if we can get it fixed up.

Thanks
-matt

Christiaan Ehlers wrote:
> I think I might be getting some false positives with the rule:
> 
> "MYSQL client authentication bypass attempt"
> 
> My payload looks as follows:
> 
> length = 66
> 
> 000 : 3E 00 00 01 85 A2 03 00 00 00 00 01 08 00 00 00   >...............
> 010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
> 020 : 00 00 00 00 63 64 72 5F 75 73 65 72 00 14 00 0C   ....cdr_user....
> 030 : 76 8D F8 26 9F 96 8D 8A E4 37 4E 8E 3A A4 0B 89   v..&.....7N.:...
> 040 : 83 11
> 
> The rule is:
> 
> mysql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL
> client authentication bypass attempt"; flow:to_server,established;
> flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3;
> byte_test:1,&,0x80,4; byte_test:1,!&,0x02,4; content:"|00 14 00|";
> offset:9; reference:bugtraq,10655; reference:cve,2004-0627;
> reference:nessus,12639;
> reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt;
> classtype:misc-attack; sid:3668; rev:5;)
> 
> As far as I can see it relies on the string |00 14 00| being present
> after an offset of 9.  I assume this is to catch the last byte of the
> username which is |00|, the size of the password |14| (SHA1) and since
> you have a salted SHA1 password, every now and then you could have the
> first character of the hash be |00|.  I did a test and after about 147
> login attempts I got an alarm.
> 
> Not sure if it is normal for a SHA1 to have a start byte of |00|?
> Anybody know about this?
> 
> I am using the client "mysql  Ver 14.12 Distrib 5.0.27, for
> redhat-linux-gnu (i686) using readline 5.0"
> 
>  
> 
> Regards
> 
> Christiaan Ehlers
> Systems Administrator
> 
> Inclarity plc * 7th Floor * Olympic Office Centre * 8 Fulton Road *
> Wembley * Middlesex * HA9 0NU 
> Tel:    +44 (0) 208 634 0445
> Mob:   +44 (0) 777 913 7962
> Fax:    +44 (0) 208 634 9145 
> Email:  christiaan.ehlers at ...3312... 
> Web:   www.inclarity.co.uk <http://www.inclarity.co.uk/>  
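The reasoning in the quoted message can be checked without a Snort sensor. The script below is an added example, not code from the thread or from the Snort or MySQL projects. It re-types the 66-byte packet from the hex dump, rebuilds MySQL 4.1 handshake-response packets around a real mysql_native_password scramble (SHA1(pw) XOR SHA1(seed + SHA1(SHA1(pw)))), re-implements the byte-matching half of sid 3668 in Python, and then goes one step further than the post by simulating many benign logins to measure how often the |00 14 00| match fires. The flow:to_server and flowbits preconditions are assumed satisfied (an established session in which the server greeting was already seen); the password, username and server seeds fed to the simulation are made up, and the capability flags are the ones the post's client sent.

```python
"""Reproduce the sid 3668 false positive from the thread above.

Added example, not code from the original post or from the Snort or
MySQL projects.  Assumptions: the rule's flow/flowbits preconditions are
treated as satisfied, and the password, username and server seeds used
in the simulation are made up.
"""
import hashlib
import random
import struct

# The 66-byte packet from the post, re-typed from its hex dump.
CAPTURED_PACKET = bytes.fromhex(
    "3E 00 00 01 85 A2 03 00 00 00 00 01 08 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 63 64 72 5F 75 73 65 72 00 14 00 0C "
    "76 8D F8 26 9F 96 8D 8A E4 37 4E 8E 3A A4 0B 89 "
    "83 11"
)

CAPTURED_CAPS = 0x0003A285      # capability flags the post's mysql 5.0.27 client sent
CLIENT_PROTOCOL_41 = 0x0200
SCRAMBLE_LENGTH = 20            # SHA1 digest size, the |14| in the rule
USERNAME_OFFSET = 36            # 4 header + 4 caps + 4 max packet + 1 charset + 23 filler


def native_password_scramble(password: bytes, seed: bytes) -> bytes:
    """mysql_native_password: SHA1(pw) XOR SHA1(seed + SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mask = hashlib.sha1(seed + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mask))


def build_handshake_response(username: bytes, auth: bytes, caps: int = CAPTURED_CAPS,
                             max_packet: int = 0x01000000, charset: int = 8,
                             seq: int = 1) -> bytes:
    """Protocol 4.1 handshake response without CLIENT_CONNECT_WITH_DB."""
    body = struct.pack("<IIB", caps, max_packet, charset) + b"\x00" * 23
    body += username + b"\x00" + bytes([len(auth)]) + auth
    header = len(body).to_bytes(3, "little") + bytes([seq])
    return header + body


def parse_handshake_response(pkt: bytes) -> dict:
    """Pull the fields the rule cares about out of a 4.1 handshake response."""
    length = int.from_bytes(pkt[0:3], "little")
    if len(pkt) != 4 + length:
        raise ValueError("truncated or padded packet")
    caps, max_packet, charset = struct.unpack_from("<IIB", pkt, 4)
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("not a 4.1 handshake response")
    end = pkt.index(b"\x00", USERNAME_OFFSET)      # NUL that ends the username
    auth_len = pkt[end + 1]                          # length byte, 0x14 for SHA1
    auth = pkt[end + 2:end + 2 + auth_len]
    return {"seq": pkt[3], "caps": caps, "max_packet": max_packet,
            "charset": charset, "username": pkt[USERNAME_OFFSET:end], "auth": auth}


def sid3668_matches(pkt: bytes) -> bool:
    """Byte-level tests of sid 3668 (flow and flowbit assumed satisfied):
    0x01 at offset 3, bit 0x80 set and bit 0x02 clear in the byte at
    offset 4, and |00 14 00| anywhere from offset 9 to the end."""
    if len(pkt) < 5 or pkt[3] != 0x01:
        return False
    flags = pkt[4]
    if not flags & 0x80 or flags & 0x02:
        return False
    return pkt.find(b"\x00\x14\x00", 9) != -1


def false_positive_count(password: bytes, username: bytes, logins: int,
                         seed: int = 1) -> int:
    """Simulate `logins` legitimate logins against random 20-character
    server seeds and count how many the rule flags.  Every scramble byte
    is uniformly distributed, so about logins/256 of them start with 0x00."""
    rng = random.Random(seed)          # fixed seed so the run is repeatable
    hits = 0
    for _ in range(logins):
        server_seed = bytes(rng.randrange(0x21, 0x7F) for _ in range(SCRAMBLE_LENGTH))
        auth = native_password_scramble(password, server_seed)
        if sid3668_matches(build_handshake_response(username, auth)):
            hits += 1
    return hits


if __name__ == "__main__":
    fields = parse_handshake_response(CAPTURED_PACKET)
    print("user=%s auth[0]=0x%02x matches=%s"
          % (fields["username"].decode(), fields["auth"][0],
             sid3668_matches(CAPTURED_PACKET)))
    n = 20000
    hits = false_positive_count(b"made-up-password", b"cdr_user", n)
    print("%d of %d benign logins flagged (expected about %d)" % (hits, n, n // 256))
```

For the captured packet both byte_tests pass (the first capability byte is 0x85) and the username terminator, the 0x14 length byte and a 0x00 first scramble byte line up at offset 44, so the only thing separating this login from the signature's target is that leading scramble byte. The simulation lands near 78 hits per 20000 logins, one alert per roughly 256 legitimate logins, which is consistent with the alarm after about 147 attempts in the post.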
