MySQL Login Truncation

Aug20
By Joe Izenman

Stefan over at Suspekt brought up some interesting security vulnerabilities based on MySQL's column truncation tendencies (when not in strict mode), so I thought I'd add my own to the pile, this one right in the grant tables.

MySQL's user table restricts user names to 16 characters (and hosts to 60). Any attempt to create a user with a longer login results in an error. However, unlike Stefan's example, where a field is compared, then truncated, then inserted, MySQL truncates the user name supplied at login before it looks it up in the grant tables.

First, just to confirm that longer usernames are not permitted:

mysql> GRANT ALL PRIVILEGES ON test.* TO 'toomanycharacters'@'localhost' 
-> IDENTIFIED BY 'pass';
ERROR 1145 (42000): The host or user argument to GRANT is too long

Next we create a user with the maximum length:

mysql> GRANT ALL PRIVILEGES ON test.* TO 'sixteencharacter'@'localhost'
-> IDENTIFIED BY 'pass';
Query OK, 0 rows affected (0.00 sec)

Test the login the way it ought to go:

$ mysql -u sixteencharacter -ppass
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 34510 to server version: 5.0.22-standard

And finally, log in with a too-long username, matching on the first sixteen characters:

$ mysql -u sixteencharacterASDF -ppass
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 34517 to server version: 5.0.22-standard

Wait, what?

There is no user in the system called 'sixteencharacterASDF'...

mysql> SELECT User, Host FROM user WHERE User = 'sixteencharacterASDF';
Empty set (0.00 sec)

...which means that the login process, instead of rejecting what is fundamentally an invalid account, says "well, that's too long, so we'll assume they meant just the first sixteen characters."

Now, granted, you have to get the first sixteen characters right in the first place, so it doesn't make it any easier for a hacker to guess. But I am still of the opinion that if the username is wrong, the user shouldn't be allowed in.
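One way to spot this from the server side is to scan the general query log for Connect lines whose supplied user name is longer than the 16-character limit, since those are exactly the logins the server silently matched on a prefix. This is an added example, not code from the post; the log line layout and the sample lines are constructed here and should be adjusted to your server's format.

```python
import re

# Limit on the mysql.user User column, as stated in the post.
MAX_USER_LEN = 16

# General query log "Connect" lines, assumed layout:
#   "<yymmdd hh:mm:ss> <conn id> Connect <user>@<host> on <db>"
# The timestamp is optional because further lines in the same second omit it.
CONNECT_RE = re.compile(
    r"^\s*(?:\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+)?(?P<id>\d+)\s+Connect\s+"
    r"(?P<user>[^@\s]+)@(?P<host>\S+)\s+on\s+(?P<db>\S*)"
)


def find_truncated_logins(log_text, max_user_len=MAX_USER_LEN):
    """Return (conn_id, supplied_user, effective_user) for every Connect
    whose supplied user name exceeds the grant-table limit. The server would
    have authenticated such a login against the first max_user_len
    characters, so that prefix is reported as the account actually used."""
    hits = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if not m:
            continue  # not a Connect line, or an "Access denied" entry
        user = m.group("user")
        if len(user) > max_user_len:
            hits.append((int(m.group("id")), user, user[:max_user_len]))
    return hits


# Constructed sample log mirroring the two logins shown in the post.
SAMPLE_LOG = """\
080820 14:02:11   34510 Connect     sixteencharacter@localhost on test
                  34510 Query       select @@version_comment limit 1
080820 14:03:40   34517 Connect     sixteencharacterASDF@localhost on test
                  34517 Query       select @@version_comment limit 1
080820 14:04:02   34518 Connect     Access denied for user 'nosuchuser'@'localhost' (using password: YES)
"""

if __name__ == "__main__":
    for conn_id, supplied, effective in find_truncated_logins(SAMPLE_LOG):
        print(f"conn {conn_id}: user {supplied!r} exceeds {MAX_USER_LEN} chars, "
              f"server matched account {effective!r}")
```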

It also brings up an interesting question (which I don't have the resources to test at the moment): does the same truncation happen on a host name? Could 'test'@'subdomain-that-is-way-too-long-too-be-useful.sitecrafting.com' access a database restricted to 'test'@'subdomain-that-is-way-too-long-too-be-useful.sitecrafting.co'? Another argument for restricting your user access by IP rather than domain, I suppose.
