Introduction

"phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL, MariaDB and Drizzle. Frequently used operations (managing databases, tables, columns, relations, indexes, users, permissions, etc) can be performed via the user interface, while you still have the ability to directly execute any SQL statement."

Before starting with our findings, we would like to thank phpMyAdmin security team for their quick response and for their interest in keeping their software secure.

My partner @cor3dump3d from www.devconsole.info and me believe in responsible disclosure, that is the reason why we have waited until a patch has been released by phpMyAdmin security team before revealing full details.

Affected Versions

Versions 4.0.x (prior to 4.0.10.7), 4.1.x (prior to 4.1.14.8) and 4.2.x (prior to 4.2.13.1) are affected.

More info:

Vulnerability Details

The phpMyAdmin vulnerability we are going to talk about is similar to, but a little bit different and more dangerous than the previous ones we posted some days ago: CVE-2014-9016 and CVE-2014-9034. This post describes a Proof of Concept about how to perform a Denial of Service by using long passwords which affects to the software mentioned above.

Now, we have discovered that phpMyAdmin is vulnerable to the same attack but this time for a different reason...

Why did we say more dangerous than the previous ones? In order to take advantage of this vulnerability in Drupal and Wordpress, we needed to know a valid username before launching the attack. In phpMyAdmin, it is not required to know a valid username.

In phpMyAdmin the attack works different because phpMyAdmin does not maintain any user accounts and when the user logs into phpMyAdmin, it simply relays the password to MySQL, and MySQL is not affected by this vulnerability. These are the results of these MySQL  login attempts:

Password length: 1000000 Total execution time in seconds: 0.018867969512939
Password length: 2000000 Total execution time in seconds: 0.03835391998291
Password length: 3000000 Total execution time in seconds: 0.056785106658936
Password length: 4000000 Total execution time in seconds: 0.075578212738037
Password length: 5000000 Total execution time in seconds: 0.09423303604126
Password length: 6000000 Total execution time in seconds: 0.11118984222412
Password length: 7000000 Total execution time in seconds: 0.13226509094238
Password length: 8000000 Total execution time in seconds: 0.1476719379425
Password length: 9000000 Total execution time in seconds: 0.16580295562744

So, which is the cause because phpMyAdmin is affected to this kind of attack?

If we try a login attempt by using a valid or non valid username and a 1.000.000 length password we will obtain the error below.


* Notice that 30 seconds is the maximum time a script is allowed to run before it is terminated by the parser. This helps prevent poorly written scripts from tying up the server.

Researching a little bit more, we see that in PhpMyAdmin cookie mode authentication, the password is stored, encrypted with the AES algorithm, in a temporary cookie.

We have tried to encrypt with AES these long strings and we have observed an increase of time calculation according to the length the strings.

Text length: 1024 ==> AES calculation time in seconds: 0.0085389614105225
Text length: 10240 ==> AES calculation time in seconds: 0.069222927093506
Text length: 51200 ==> AES calculation time in seconds: 0.35328578948975
Text length: 102400 ==> AES calculation time in seconds: 0.72205591201782
Text length: 512000 ==> AES calculation time in seconds: 3.5483829975128
Text length: 1024000 ==> AES calculation time in seconds: 7.1560480594635
Text length: 102400000 ==> AES calculation time in seconds: 733.4890639782

When this test was performed locally, a CPU resource exhaustion was observed.  Notice that the server doesn't crash because of the AES calculation. The vulnerability appears in conjunction with Apache, because Apache waits to PHP to finish the AES calculation. In a concurrent authentication process with a valid or non valid user and very long passwords, on the one hand PHP consumes the CPU with AES calculation processes and in the other hand, the Apache processes which are waiting, consumes the memory until the server crashes.

The result is a Denial of Service condition because of memory exhaustion.


This problem is solved in the latest phpMyAdmin patch. By applying this patch, the user credentials are stored only after a successful authentication. Further, it truncates passwords to a length of 256.

How to fix

Upgrade to phpMyAdmin 4.0.10.7 or newer, or 4.1.14.8 or newer, or 4.2.13.1 or newer.

Proof of concept

A proof of concept will be published soon. Until that, update your phpMyAdmin installations.

CVE Information

CVE-2014-9218 has been assigned to this vulnerability.

Timeline

November 26, 2014 - We sent a complete report about the vulnerability to the phpMyAdmin security team.

November 27, 2014 - phpMyAdmin started to work on this security issue.

December 3, 2014 - The phpMyAdmin security update and the security advisory is published.

References

http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html

http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html

http://www.devconsole.info/?p=1050

http://www.breaksec.com/?p=6362

http://codeseekah.com/2012/04/29/timing-attacks-in-web-applications/