Package: mysql-server-8.0
Version: 8.0.41-2
Tags: security
Hi,
I initially reported this bug to secur...@debian.org, and was advised
to report it publicly here.
TL;DR: Debian's setup scripts for the `mysql-server-8.0` package
create an administrative user `debian-sys-maint` with a low-entropy
autogenerated password (32 bits). An attacker that knows the password
hash can mount a cheap brute-force attack to crack it by exhausting
the keyspace. MariaDB packages are unaffected.
The `postinst` script for Debian's `mysql-server-8.0` package creates
a root-equivalent user [1] called `debian-sys-maint`, and assigns it
an autogenerated password [2].
The password for this user is generated using a Perl one-liner based
on `rand` [3] . When called the first time in a process, `rand` will
seed its pseudo-random number generator by calling `srand` [4] without
any arguments.
Perl implements the seeding logic by internally calling `seed()` [5]
(which is just an an alias [6] for `Perl_seed()` [7]). The code
ultimately fetches 4 bytes of entropy (32 bits) from
`/dev/urandom` [8] and uses it as the seed.
As a consequence, there are "only" 2^32 possible random passwords for
the `debian-sys-maint` user, despite consisting of 16 alfanumeric
characters. The following Perl script enumerates the entire space of
possible passwords:
```perl
for (my $i=0; $i<(1<<32); $i++) {
srand($i);
my $p = join('', map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16));
print "$p\n";
}
```
While 32 bits of entropy make online attacks impractical, an
attacker that has read-only access to the `mysql.user` table (for
example, by exploiting a SQL injection vulnerability) can read
`debian-sys-maint`'s password hash and crack it by trying all
2^32 possible passwords. They can then log in as the
`debian-sys-maint`, escalating their privileges.
As of the feasibility of a brute-force offline attack, `hashcat` [9]
can hash roughly 450k passwords per second on an NVIDIA RTX 4090 GPU.
A motivated attacker could easily speed this up by a factor of 3x-4x,
for example by writing a specialized hashcat kernel for 16-character
passwords.
In an experiment, I was able to crack the hash for `debian-sys-maint`
on a newly-installed MySQL server (Ubuntu 22.04 LTS amd64) in slightly
more than 2 hours, at a total cost of ~$1 for renting an RTX 4090 GPU
on https://vast.ai.
As far as I can tell, MariaDB relies on process authentication via
Unix domain socket, and therefore does not need to create an
administrative user at all.
Let me know if there are further details you'd like me to provide.
Luca
---
References
[1]
https://salsa.debian.org/mariadb-team/mysql/-/blob/mysql-8.0/debian/latest/debian/mysql-server-8.0.postinst?ref_type=heads#L289
[2]
https://salsa.debian.org/mariadb-team/mysql/-/blob/mysql-8.0/debian/latest/debian/mysql-server-8.0.postinst?ref_type=heads#L253
[3] https://perldoc.perl.org/functions/rand
[4] https://perldoc.perl.org/functions/srand
[5] https://github.com/Perl/perl5/blob/v5.41.8/pp.c#L3215
[6] https://github.com/Perl/perl5/blob/v5.41.8/embed.h#L671
[7] https://github.com/Perl/perl5/blob/v5.41.8/util.c#L4683
[8] https://github.com/Perl/perl5/blob/v5.41.8/util.c#L4730-L4737
[9] https://hashcat.net/hashcat/
