MySQL is a popular open-source relational database package used primarily on unix systems (often to power websites). The MySQL engine runs as a server to which clients connect via TCP or unix domain sockets. When clients connect they must authenticate before any queries will be handled. MySQL stores no user passwords in their original form -- only password hashes hashed via the internal PASSWORD() function are stored in the server and clients. It is these hashes that are used to authenticate client connections to the server. To prevent transmission of the password hash in cleartext form over network connections, the designers of MySQL implemented a challenge-response system. The authentication process is as follows: When a client initiates a connection to a MySQL server, a psuedo-random string is generated by the server and sent to the client. The client then generates a "check string", using the stored password hash and the string recieved from the server. Following that, the...
MySQL is a popular open-source relational database package used primarily on unix systems (often to power websites). The MySQL engine runs as a server to which clients connect via TCP or unix domain sockets. When clients connect they must authenticate before any queries will be handled. MySQL stores no user passwords in their original form -- only password hashes hashed via the internal PASSWORD() function are stored in the server and clients. It is these hashes that are used to authenticate client connections to the server. To prevent transmission of the password hash in cleartext form over network connections, the designers of MySQL implemented a challenge-response system. The authentication process is as follows: When a client initiates a connection to a MySQL server, a psuedo-random string is generated by the server and sent to the client. The client then generates a "check string", using the stored password hash and the string recieved from the server. Following that, the client sends it to the server where it is determined whether it was created using a valid password hash or not. If it is determined that a valid password hash was used, the client is authenticated. Unfortunately the MySQL implementation is flawed. There are arithmetic properties in the check-strings which are consistent throughout multiple authentications. Thus if multiple client authentications are observed by an attacker over a network connection, the password hash can be deduced. With a password hash, an attacker's rogue client can connect and authenticate successfully with a MySQL server. This can lead to a compromise of data/data integrity in the database depending on the access of the account compromised. A detailed technical description of the actual algorithmic vulnerability is available in Core SDI's advisory linked to in the reference section of this vuldb entry.
