Snooping MySQL passwords with eBPF

Common sense and Data Security best practices dictate that you should not provide cleartext passwords.

However, I often see this exact thing when connecting to the MySQL command line.

Especially if this connection is made through some sort of script.

The MySQL Command Line

If you are connecting to MySQL using the command line, you may be tempted to pass the password directly, using something like:

$ mysql -h 127.0.0.1 -P3306 -uroot -psecret

If you do this in MySQL 5.6+, you will get the following warning:

Warning against cleartext password in the MySQL command line.

Sometimes, I see the password being supplied through an environment variable instead.

$ export MYSQL_PWD=secret
$ mysql -h 127.0.0.1 -P3306 -uroot -p$MYSQL_PWD

And yet, that still generates the warning!

To avoid the warning, one can provide the password through the interactive prompt.

$ mysql -h 127.0.0.1 -P3306 -uroot -p
Enter password:

*snip*

mysql>

If you are interactively connecting to MySQL, this is the preferred method.

But it won’t stop a script from passing the password on the command line.

The MySQL Documentation lists some options for handling this, such as the mysql_config_editor to store the encrypted password.

However, even this method is not really secure.

Snooping the MySQL password with eBPF

To highlight why this is insecure, let’s look at the BCC tool execsnoop (execsnoop-bpfcc in Ubuntu), which uses eBPF to trace exec system calls.

# execsnoop-bpfcc -T
TIME     PCOMM            PID    PPID   RET ARGS
18:45:47 benchmark.sh     22832  20920    0 ./benchmark.sh
18:45:47 date             22837  22832    0 /usr/bin/date
18:45:47 mysql            22838  22832    0 /usr/bin/mysql -h127.0.0.1 -P6033 -uroot -psecret

And there’s our password!

If we used the interactive prompt, our password would not be exposed.

# execsnoop-bpfcc -T
TIME     PCOMM            PID    PPID   RET ARGS
19:25:16 mysql            24737  20920    0 /usr/bin/mysql -h 127.0.0.1 -P3306 -uroot -p
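As an added example (not part of the original post), here is a small Python checker that reads the output of execsnoop-bpfcc -T and flags MySQL client invocations whose argv carries a password, emitting a redacted command line so the finding itself does not leak the secret. The sample log below is constructed, modelled on the captures above.

```python
import shlex
from dataclasses import dataclass

# Constructed sample modelled on the execsnoop-bpfcc -T output in the post (not a real capture).
SAMPLE_LOG = """\
TIME     PCOMM            PID    PPID   RET ARGS
18:45:47 benchmark.sh     22832  20920    0 ./benchmark.sh
18:45:47 mysql            22838  22832    0 /usr/bin/mysql -h127.0.0.1 -P3306 -uroot -psecret
18:45:48 mysqldump        22839  22832    0 /usr/bin/mysqldump --password=hunter2 app
19:25:16 mysql            24737  20920    0 /usr/bin/mysql -h 127.0.0.1 -P3306 -uroot -p
19:25:20 mysql            24740  20920    0 /usr/bin/mysql --login-path=prod app
"""

MYSQL_CLIENTS = {"mysql", "mysqldump", "mysqladmin", "mysqlimport", "mysqlcheck"}


@dataclass
class Finding:
    pid: int
    comm: str
    redacted: str  # argv with password values replaced, safe to log


def password_arg_indexes(argv):
    """Indexes of argv entries that embed a password value.

    `-pVALUE` and `--password=VALUE` put the secret in argv; a bare `-p` makes the
    client prompt instead, so it is not flagged. `-P` (uppercase) is the port.
    """
    hits = []
    for i, arg in enumerate(argv[1:], start=1):  # skip argv[0], the binary path
        if arg.startswith("-p") and len(arg) > 2:
            hits.append(i)
        elif arg.startswith("--password=") and len(arg) > len("--password="):
            hits.append(i)
    return hits


def redact(argv, indexes):
    out = list(argv)
    for i in indexes:
        out[i] = "-p***" if out[i].startswith("-p") else "--password=***"
    return shlex.join(out)


def scan_execsnoop(log_text):
    """Parse execsnoop -T lines (TIME PCOMM PID PPID RET ARGS) and flag offenders."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[0] == "TIME":
            continue  # header or truncated line
        _, comm, pid, _, _, args = fields
        if comm not in MYSQL_CLIENTS:
            continue
        hits = password_arg_indexes(shlex.split(args))
        if hits:
            findings.append(Finding(int(pid), comm, redact(shlex.split(args), hits)))
    return findings
```

Running this over a live execsnoop stream on a jump host or CI runner gives a cheap audit of which scripts still pass `-psecret`, without the audit log becoming a second copy of the password.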

Conclusion

Starting in MySQL 5.6, MySQL’s command line client will generate a warning if you try to pass the password as part of the connection command.

And even passing the password through a shell variable suffers from the same problem, because the shell expands it before the command is executed.

I showed how we can use eBPF and execsnoop to snoop that MySQL password.

The good news, I suppose, is that execsnoop requires root to run.

So a bad actor that has achieved root access to your system can cause all sorts of other havoc.

Regardless, a Data Guardian who wants to limit access except through the database will not pass the password unencrypted and will implement a password rotation policy.