Simply trying to connect to some MySQL servers many times with a valid user account will drop you into that user account. The bug has a one in 256 probability of occurring. Whether or not your system is vulnerable depends on the kind of memcmp() your MySQL was built with.
Summary:
-snip-
When a user connects to MariaDB/MySQL, a token (SHA
over a password and a random scramble string) is calculated and compared
with the expected value. Because of incorrect casting, it might've
happened that the token and the expected value were considered equal,
even if the memcmp() returned a non-zero value. In this case
MySQL/MariaDB would think that the password is correct, even while it is
not. Because the protocol uses random strings, the probability of
hitting this bug is about 1/256.
Which means, if one knows a user name to connect (and "root" almost
always exists), she can connect using any password by repeating
connection attempts. ~300 attempts takes only a fraction of second, so
basically account password protection is as good as nonexistent.
Any client will do, there's no need for a special libmysqlclient library.
But practically it's better than it looks - many MySQL/MariaDB builds
are not affected by this bug.
Whether a particular build of MySQL or MariaDB is vulnerable, depends on
how and where it was built. A prerequisite is a memcmp() that can return
an arbitrary integer (outside of -128..127 range). To my knowledge gcc
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
sse-optimized memcmp is not safe, but gcc usually uses the inlined
builtin version.
As far as I know, official vendor MySQL and MariaDB binaries are not
vulnerable.
Simply trying to connect to some MySQL servers many times with a valid user account will drop you into that user account. The bug has a one in 256 probability of occurring. Whether or not your system is vulnerable depends on the kind of memcmp() your MySQL was built with.
Summary:
-snip-
When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256.
Which means, if one knows a user name to connect (and "root" almost always exists), she can connect using any password by repeating connection attempts. ~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent. Any client will do, there's no need for a special libmysqlclient library.
But practically it's better than it looks - many MySQL/MariaDB builds are not affected by this bug.
Whether a particular build of MySQL or MariaDB is vulnerable, depends on how and where it was built. A prerequisite is a memcmp() that can return an arbitrary integer (outside of -128..127 range). To my knowledge gcc builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc sse-optimized memcmp is not safe, but gcc usually uses the inlined builtin version.
As far as I know, official vendor MySQL and MariaDB binaries are not vulnerable.
-snip-