
Update mysql authbypass hashdump module to correctly close sockets #18449

adfoster-r7

@adfoster-r7 adfoster-r7 commented Oct 12, 2023

Relates to #18278, #18296, and #18297

Fixes an issue with the mysql authbypass hashdump module to correctly close sockets

Verification

Before

docker run --rm -p 3306:3306 -e MYSQL_ROOT_PASSWORD=foo123 mysql:5.7.42

Socket errors:

msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run rhost=127.0.0.1

[+] 127.0.0.1:3306        - 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306        - 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306        - 127.0.0.1:3306 Authentication bypass is 20% complete
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 244] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 245] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 248] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 247] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 250] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 251] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 252] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 253] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 249] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 254] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 246] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 256] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 255] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 258] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 261] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 262] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 263] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 264] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 260] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 266] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 268] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 259] caught an unhandled exception: Too many open files - socket(2)
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Thread 257] caught an unhandled exception: Too many open files - socket(2)

...etc.

After

No socket errors:

msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run rhost=127.0.0.1

[+] 127.0.0.1:3306        - 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306        - 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306        - 127.0.0.1:3306 Authentication bypass is 20% complete
[*] 127.0.0.1:3306        - 127.0.0.1:3306 Authentication bypass is 30% complete
[*] 127.0.0.1:3306        - 127.0.0.1:3306 Authentication bypass is 40% complete
[*] 127.0.0.1:3306        - 127.0.0.1:3306 Authentication bypass is 50% complete
[*] 127.0.0.1:3306        - 127.0.0.1:3306 Authentication bypass is 60% complete
[*] 127.0.0.1:3306        - 127.0.0.1:3306 Authentication bypass is 70% complete
[*] 127.0.0.1:3306        - 127.0.0.1:3306 Authentication bypass is 80% complete
[*] 127.0.0.1:3306        - 127.0.0.1:3306 Authentication bypass is 90% complete
[*] 127.0.0.1:3306        - 127.0.0.1:3306 Authentication bypass is 100% complete
[-] 127.0.0.1:3306        - 127.0.0.1:3306 Unable to bypass authentication, this target may not be vulnerable
[*] 127.0.0.1:3306        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Exploitation still works against a vulnerable target:

docker run -it --rm -p 3306:3306 vulhub/mysql:5.5.23
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run rhost=127.0.0.1

[+] 127.0.0.1:3306        - 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[+] 127.0.0.1:3306        - 127.0.0.1:3306 Successfully bypassed authentication after 2 attempts. URI: mysql://root:wG@127.0.0.1:3306
[+] 127.0.0.1:3306        - 127.0.0.1:3306 Successfully exploited the authentication bypass flaw, dumping hashes...
[+] 127.0.0.1:3306        - 127.0.0.1:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 127.0.0.1:3306        - 127.0.0.1:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 127.0.0.1:3306        - 127.0.0.1:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 127.0.0.1:3306        - 127.0.0.1:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 127.0.0.1:3306        - 127.0.0.1:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 127.0.0.1:3306        - 127.0.0.1:3306 Hash Table has been saved: /Users/user/.msf4/loot/20231012174520_default_127.0.0.1_mysql.hashes_407628.txt
[*] 127.0.0.1:3306        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@adfoster-r7 adfoster-r7 force-pushed the update-mysql-authbypass-hashdump-module-to-correctly-close-sockets branch from 63ec599 to 075fe09 on October 12, 2023 16:44
@sempervictus

Sockets should probably be registered on instantiation for automated cleanup/GC when the module completes, but I'm all for this direct leak-plugging effort. Thanks as always sir.

@adfoster-r7

Sockets should probably be registered on instantiation for automated cleanup/GC when the module completes

That all happens currently, it's just for this scenario the module is creating hundreds of sockets in a tight threaded loop, so we run out of available sockets before the module can complete and close the opened sockets 😄
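The failure mode described above (many connections opened in a tight loop and only released at module completion) next to the per-attempt close that fixes it, as an added Ruby example that is not part of this PR or of the Metasploit code base. It assumes nothing about the real module: the server is a constructed in-process loopback listener, the 8-byte greeting is made up, and the "descriptor count" is the number of unclosed TCPSocket objects in the process.

```ruby
require 'socket'
GREETING = "\x0a5.5.23\x00".b # constructed 8-byte stand-in for a server greeting

# Count client TCP sockets in this process that are still open (the listener itself is excluded).
def open_client_sockets
  ObjectSpace.each_object(TCPSocket).count { |s| !s.is_a?(TCPServer) && !s.closed? }
end

# One "attempt": connect to the stand-in and service the server side inline (single-threaded, deterministic).
def probe(server)
  sock = TCPSocket.new('127.0.0.1', server.local_address.ip_port)
  peer = server.accept
  peer.write(GREETING)
  peer.close
  sock
end

# Pattern the PR fixed: sockets are parked for cleanup at completion, so a tight loop holds every descriptor.
def deferred_cleanup(server, attempts)
  pending = []
  before = open_client_sockets
  attempts.times do
    sock = probe(server)
    sock.read(GREETING.bytesize)
    pending << sock
  end
  peak = open_client_sockets - before
  pending.each(&:close) # what module completion eventually does
  peak
end

# Fixed pattern: release the descriptor before the next attempt, even if reading the response raises.
def immediate_close(server, attempts)
  before = open_client_sockets
  attempts.times do
    sock = probe(server)
    begin
      sock.read(GREETING.bytesize)
    ensure
      sock.close
    end
  end
  open_client_sockets - before
end

# Runs both patterns against a fresh loopback listener and returns each pattern's peak extra open sockets.
def run_demo(attempts = 100)
  server = TCPServer.new('127.0.0.1', 0)
  { deferred: deferred_cleanup(server, attempts), immediate: immediate_close(server, attempts) }
ensure
  server&.close
end
```

With the default of 100 attempts the deferred variant peaks at 100 open sockets while the immediate-close variant never exceeds the baseline; raise the attempt count past the process's RLIMIT_NOFILE and only the first variant hits `Too many open files`.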

@sempervictus

Yeah, the FD cost of our abstractions is high. I've been toying with a Rust-based "under-lib" leveraging raw access where possible and delivering fast abstraction to the Ruby side (think "splice-capable" internally) to ameliorate the effects of our dependency on stdlib... but being pure Ruby has an academic benefit, and it's no small effort to implement properly.

@cgranleese-r7 cgranleese-r7 self-assigned this Oct 13, 2023
@cgranleese-r7 cgranleese-r7 added the rn-fix release notes fix label Oct 13, 2023
@cgranleese-r7

Everything seems to be working as expected.

Before: [screenshot]

After, not vulnerable: [screenshot]

After, vulnerable: [screenshot]

@cgranleese-r7 cgranleese-r7 merged commit 9def455 into rapid7:master Oct 13, 2023
@cgranleese-r7

Release Notes

Fixes an issue with the scanner/mysql/mysql_authbypass_hashdump module to now correctly close sockets.
