CVE-2004-0627
Published: 2004-12-06
The check_scramble_323 function in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to bypass authentication via a zero-length scrambled string.
Priority: P261 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 69.65% (99.3rd percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mysql | mysql | — | — |
Detection & IOCs (extracted from sources)
- Detect MySQL authentication attempts using a zero-length scrambled string: the exploit sends a login packet with an empty/zero-length password scramble to bypass check_scramble_323(). Monitor for MySQL login packets where the scrambled password field has zero length.
- The vulnerable code path iterates over the scrambled string using a null-terminator loop (`for (pos=scrambled ; *pos ; pos++)`). A zero-length (empty) scrambled string causes the loop to execute zero times, bypassing the password check entirely. Detection should flag MySQL auth packets where the scramble/password field length is 0.
- The fix introduced an exact-length check (`if (pos-scrambled != SCRAMBLE_LENGTH_323) return 1;`). Absence of this check in MySQL 4.1.x before 4.1.3 and 5.0 before 5.0.1 indicates a vulnerable instance. Verify the MySQL version and patch level during triage.
- The exploit script connects via raw TCP to MySQL port 3306, sends a crafted login packet, and interprets a response byte of 0x00 or 0xFE at offset [4] as authentication success. Network-level detection should alert on MySQL handshake responses (byte 0x00 or 0xFE at packet offset 4) following a zero-length credential submission.
- Red Hat Enterprise Linux 4, 5, and 6 ship versions of MySQL that are NOT affected by this CVE. Do not prioritize remediation efforts on RHEL-based deployments of the vendor-supplied MySQL package.
- The published exploit script (exploit-db #311) is broken in practice against servers configured with `old_password=1` in my.cnf. The server sends a `send_old_password_request` challenge packet that the script misinterprets as a success response; check_scramble_323() is never actually reached in that configuration.
- CVE-2004-0627 (auth bypass) and CVE-2004-0628 (stack-based buffer overflow via a long scramble string) are distinct issues in the same function. Ensure both are patched; the buffer overflow fix was committed separately and later than the auth bypass fix.
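The null-terminator loop and the exact-length check described above, modelled as an added example. This is not MySQL source: `expected_response` is a constructed stand-in for MySQL's hash_password()/randominit()/my_rnd() keystream, the hash and challenge bytes are made-up sample values, and the bound on the vulnerable loop is there only to keep the model memory-safe (the separate CVE-2004-0628 overflow is out of scope). It shows why an empty scramble is accepted by the vulnerable shape and rejected once the 4.1.3-style exact-length check is present, and why the fix tests for exactly SCRAMBLE_LENGTH_323 bytes rather than merely a non-empty string: the vulnerable loop compares only as far as the client's NUL.

```c
/* Constructed model of the CVE-2004-0627 check_scramble_323 length bug.
 * Not MySQL code: expected_response() is a stand-in keystream, and the
 * sample hash/challenge values below are made up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRAMBLE_LENGTH_323 8

/* Stand-in for the server-side expected response derived from the stored
 * password hash and the challenge it sent. Output bytes land in 0x40..0x5E,
 * so the result is a NUL-terminated string that never contains NUL itself. */
static void expected_response(const uint8_t hash_pass[8],
                              const uint8_t challenge[SCRAMBLE_LENGTH_323],
                              char out[SCRAMBLE_LENGTH_323 + 1])
{
    uint32_t state = 0x9E3779B9u;
    for (int i = 0; i < 8; i++)
        state = (state ^ hash_pass[i] ^ challenge[i]) * 0x01000193u;
    for (int i = 0; i < SCRAMBLE_LENGTH_323; i++) {
        state = state * 1103515245u + 12345u;
        out[i] = (char)(0x40 + ((state >> 24) % 31));
    }
    out[SCRAMBLE_LENGTH_323] = '\0';
}

/* Vulnerable shape (before 4.1.3): the loop runs while the client's byte is
 * non-NUL, so an empty scramble performs zero comparisons and falls through
 * to "return 0", i.e. password accepted. Convention as in check_scramble_323:
 * 0 = OK, 1 = wrong password. The i < SCRAMBLE_LENGTH_323 bound is added only
 * to keep this model memory-safe; it is not part of the original logic. */
int check_scramble_323_vuln(const char *scrambled, const uint8_t hash_pass[8],
                            const uint8_t challenge[SCRAMBLE_LENGTH_323])
{
    char expect[SCRAMBLE_LENGTH_323 + 1];
    expected_response(hash_pass, challenge, expect);
    for (int i = 0; scrambled[i] != '\0' && i < SCRAMBLE_LENGTH_323; i++)
        if (scrambled[i] != expect[i])
            return 1;
    return 0;
}

/* Fixed shape: reject unless the client sent exactly SCRAMBLE_LENGTH_323
 * bytes (the check the 4.1.3 patch added), then compare all of them. */
int check_scramble_323_fixed(const char *scrambled, const uint8_t hash_pass[8],
                             const uint8_t challenge[SCRAMBLE_LENGTH_323])
{
    char expect[SCRAMBLE_LENGTH_323 + 1];
    if (strlen(scrambled) != SCRAMBLE_LENGTH_323)
        return 1;
    expected_response(hash_pass, challenge, expect);
    return memcmp(scrambled, expect, SCRAMBLE_LENGTH_323) == 0 ? 0 : 1;
}

/* The response a legitimate client holding the right password would send. */
void legit_response(const uint8_t hash_pass[8],
                    const uint8_t challenge[SCRAMBLE_LENGTH_323],
                    char out[SCRAMBLE_LENGTH_323 + 1])
{
    expected_response(hash_pass, challenge, out);
}

int main(void)
{
    /* Constructed sample values, not real credentials or a real challenge. */
    const uint8_t hash_pass[8] = {0x13, 0x57, 0x9b, 0xdf, 0x24, 0x68, 0xac, 0xe0};
    const uint8_t challenge[8] = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'};
    char good[SCRAMBLE_LENGTH_323 + 1], prefix[SCRAMBLE_LENGTH_323 + 1];
    legit_response(hash_pass, challenge, good);
    memcpy(prefix, good, sizeof good);
    prefix[SCRAMBLE_LENGTH_323 - 1] = '\0';   /* 7 correct bytes, then NUL */

    printf("empty scramble   : vuln=%d fixed=%d\n",
           check_scramble_323_vuln("", hash_pass, challenge),
           check_scramble_323_fixed("", hash_pass, challenge));
    printf("correct scramble : vuln=%d fixed=%d\n",
           check_scramble_323_vuln(good, hash_pass, challenge),
           check_scramble_323_fixed(good, hash_pass, challenge));
    printf("7-byte prefix    : vuln=%d fixed=%d\n",
           check_scramble_323_vuln(prefix, hash_pass, challenge),
           check_scramble_323_fixed(prefix, hash_pass, challenge));
    return 0;
}
```

For triage this maps directly onto the page's guidance: the length of the scramble field in the login packet is the observable, and a server whose check accepts a zero-length field is one where the exact-length comparison is absent.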
CVSS provenance
- nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
- vendor_redhat · 10.0 · CRITICAL
GHSA
GHSA-77xv-jf9g-qvgv [HIGH] (ghsa_unreviewed · 2022-04-29): The check_scramble_323 function in MySQL 4
The check_scramble_323 function in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to bypass authentication via a zero-length scrambled string.
Red Hat
MySQL: check_scramble_323 authentication bypass and buffer overflow [CRITICAL] (vendor_redhat · 2004-07-05 · CVSS 10.0)
The check_scramble_323 function in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to bypass authentication via a zero-length scrambled string.
Statement: Not vulnerable. This issue did not affect the versions of MySQL as shipped with Red Hat Enterprise Linux 4, 5, or 6.
Package: mysql (Red Hat Enterprise Linux 4) - Not affected
Package: mysql (Red Hat Enterprise Linux 5) - Not affected
Package: mysql (Red Hat Enterprise Linux 6) - Not affected
No detection rules found.
References
- http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
- http://marc.info/?l=bugtraq&m=108904917528205&w=2
- http://www.kb.cert.org/vuls/id/184030