cbcvebase.
CVE-2004-0627
published 2004-12-06

CVE-2004-0627: The check_scramble_323 function in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to bypass authentication via a zero-length scrambled string.

Priority: P2 61 · critical · CVSS 2.0 score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 69.65% (99.3rd percentile)
Affected

1 range
Vendor | Product | Version range | Fixed in
mysql | mysql | | 

Detection & IOCs (extracted from sources)

port: 3306
command: mysql_auth_bypass_zeropass.pl [port]
  • Detect MySQL authentication attempts using a zero-length scrambled string — the exploit sends a login packet with an empty/zero-length password scramble to bypass check_scramble_323(). Monitor for MySQL login packets where the scrambled password field has zero length.
  • The vulnerable code path iterates over the scrambled string using a null-terminator loop (`for (pos=scrambled ; *pos ; pos++)`). A zero-length (empty) scrambled string causes the loop to execute zero times, bypassing the password check entirely. Detection should flag MySQL auth packets where the scramble/password field length is 0.
  • The fix introduced an exact-length check (`if (pos-scrambled != SCRAMBLE_LENGTH_323) return 1;`). Absence of this check in MySQL 4.1.x before 4.1.3 and 5.0 before 5.0.1 indicates a vulnerable instance. Verify MySQL version and patch level during triage.
  • The exploit script connects via raw TCP to MySQL port 3306, sends a crafted login packet, and interprets a response byte of 0x00 or 0xFE at offset [4] as authentication success. Network-level detection should alert on MySQL handshake responses (byte 0x00 or 0xFE at packet offset 4) following a zero-length credential submission.
  • Red Hat Enterprise Linux 4, 5, and 6 ship versions of MySQL that are NOT affected by this CVE. Do not prioritize remediation efforts on RHEL-based deployments of the vendor-supplied MySQL package.
  • The published exploit script (exploit-db #311) is broken in practice against servers configured with `old_password=1` in my.cnf. The server sends a `send_old_password_request` challenge packet that the script misinterprets as a success response — check_scramble_323() is never actually reached in that configuration.
  • CVE-2004-0627 (auth bypass) and CVE-2004-0628 (stack-based buffer overflow via long scramble string) are distinct issues in the same function. Ensure both are patched; the buffer overflow fix was committed separately and later than the auth bypass fix.
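The following is an added, simplified model of the check described in the bullets above; it is not MySQL's own code and not taken from this page. It keeps the two lines the page quotes (the NUL-terminated scan loop and the exact-length check the fix added) and replaces the real scramble derivation with a constructed constant `EXPECTED_SCRAMBLE`, so the length-check behaviour can be exercised offline. `SCRAMBLE_LENGTH_323` is 8 as in MySQL; the bound guard in the vulnerable variant exists only to keep this model memory-safe and does not model the separate overflow (CVE-2004-0628). `scramble_field_is_empty` is a hypothetical helper expressing the detection condition the bullets recommend.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of a scrambled password in the pre-4.1 ("323") auth scheme. */
#define SCRAMBLE_LENGTH_323 8

/*
 * Stand-in for the server-side expected scramble. In real MySQL it is derived
 * from the stored password hash and the per-connection random seed; here it is
 * a constructed constant so the length-check logic can be run offline.
 */
static const char EXPECTED_SCRAMBLE[SCRAMBLE_LENGTH_323 + 1] = "ABCDEFGH";

/* Both checkers return 0 for "accepted" and 1 for "rejected", as MySQL does. */

/* Vulnerable shape: the loop runs until the NUL terminator, so an empty
 * scrambled string executes zero iterations and falls through to return 0. */
int check_scramble_323_vuln(const char *scrambled)
{
    const char *pos;
    for (pos = scrambled; *pos; pos++) {
        /* Bound guard only keeps this model memory-safe; the over-long-string
         * overflow in the real function is a separate issue (CVE-2004-0628). */
        if (pos - scrambled >= SCRAMBLE_LENGTH_323)
            return 1;
        if (*pos != EXPECTED_SCRAMBLE[pos - scrambled])
            return 1;
    }
    return 0;
}

/* Fixed shape: measure the client-supplied string first and require exactly
 * SCRAMBLE_LENGTH_323 bytes before comparing anything, so an empty or
 * truncated scramble can never reach the "accepted" return. */
int check_scramble_323_fixed(const char *scrambled)
{
    const char *pos;
    for (pos = scrambled; *pos; pos++)
        ;
    if (pos - scrambled != SCRAMBLE_LENGTH_323)
        return 1;
    for (pos = scrambled; *pos; pos++) {
        if (*pos != EXPECTED_SCRAMBLE[pos - scrambled])
            return 1;
    }
    return 0;
}

/* Detection condition from the bullets above: a login whose scramble field is
 * zero-length (no bytes, or a leading NUL) is the case the bypass relies on. */
int scramble_field_is_empty(const unsigned char *field, size_t len)
{
    return len == 0 || field[0] == '\0';
}

int main(void)
{
    /* Constructed sample inputs: empty, truncated, exact match, one-byte mismatch. */
    const char *inputs[] = { "", "ABC", "ABCDEFGH", "ABCDEFGX" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("scramble %-10s vuln=%d fixed=%d\n",
               inputs[i][0] ? inputs[i] : "(empty)",
               check_scramble_323_vuln(inputs[i]),
               check_scramble_323_fixed(inputs[i]));
    }
    return 0;
}
```

Running the block prints one line per sample input; the empty string is the only case where the two variants disagree in the direction that matters for this CVE (the vulnerable shape accepts it, the fixed shape rejects it), which is why a detection rule keyed on a zero-length scramble field catches the bypass independently of the server version.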

CVSS provenance

nvd: CVSS v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat: 10.0 CRITICAL