MySQL General Query Logging Function Lets Remote Authenticated Users Modify the 'my.cnf' File to Gain Elevated Privileges
SecurityTracker Alert ID: 1036769
SecurityTracker URL: http://securitytracker.com/id/1036769
Updated: Oct 18 2016
Original Entry Date: Sep 12 2016
Impact: Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via network, User access via network
Fix Available: Yes; Vendor Confirmed: Yes; Exploit Included: Yes
Version(s): 5.5.52, 5.6.33, 5.7.15; and prior versions
A vulnerability was reported in MySQL. A remote authenticated user can gain elevated privileges.
A remote authenticated user with SELECT/FILE permissions can exploit a flaw in the MySQL general query logging function to modify or create a 'my.cnf' file and cause arbitrary code to be executed with elevated privileges on the target system when the MySQL service is subsequently restarted.
The vendor was notified on July 29, 2016.
The original advisory and demonstration exploit code is available at:
Dawid Golunski of legalhackers.com reported this vulnerability.
A remote authenticated user with SELECT/FILE permissions can gain elevated privileges on the target system.
The vendor has issued a fix as part of the October 2016 Oracle Critical Patch Update.
The vendor's advisory is available at:
Vendor URL: www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Cause: Access control error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: [oss-security] CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day )
Vulnerability: MySQL Remote Root Code Execution / Privilege Escalation 0day
Affected MySQL versions (including the latest):
Independent research has revealed multiple severe MySQL vulnerabilities.
This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662.
The vulnerability affects MySQL servers in all version branches
(5.7, 5.6, and 5.5) including the latest versions, and could be exploited by
both local and remote attackers.
Both the authenticated access to MySQL database (via network
connection or web interfaces such as phpMyAdmin) and SQL Injection
could be used as exploitation vectors.
Successful exploitation could allow attackers to execute arbitrary code with
root privileges which would then allow them to fully compromise the server on
which an affected version of MySQL is running.
This advisory provides a (limited) Proof-Of-Concept MySQL exploit
which demonstrates how Remote Root Code Execution could be achieved by
Full PoC (which works on default installations without the need for
the attacker to find writable config files) will be provided later on
to give users a chance to react to this advisory as the issue has not
been patched by all the affected vendors yet despite efforts.
The exploitation is interesting in the way that it involves an
old-school LD_PRELOAD environment variable and that it targets a
service that doesn't serve requests as root but could still be tricked to get root RCE when
Might give you strange feelings when restarting mysql service the next time ;)
The advisory is available at:
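The two preconditions this entry describes, an option file that the unprivileged server process can write and a general query log pointed at it, can be audited from the defender's side. The script below is an added example, not code from the advisory, from Dawid Golunski or from Oracle/MySQL; the option-file directories, the service account and the sample option text are assumptions constructed for it.

```python
import configparser
import os
import stat

OPTION_DIRS = ("/etc/my.cnf.d/", "/etc/mysql/", "/etc/")  # assumed option-file locations

def writable_by_service(mode, uid, gid, svc_uid, svc_gid):
    """True when the service account or everyone can write a file with these
    attributes; the advisory relies on such an option file, since the general
    query log can then be pointed at it."""
    if mode & stat.S_IWOTH:
        return True
    if uid == svc_uid and mode & stat.S_IWUSR:
        return True
    return gid == svc_gid and bool(mode & stat.S_IWGRP)

def parse_option_text(text):
    """Parse my.cnf-style text into {section: {option: value}}; MySQL treats '-'
    and '_' in option names as equivalent, so names are normalised to '_'."""
    body = [ln for ln in text.splitlines() if not ln.lstrip().startswith("!")]  # skip !include*
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.optionxform = lambda name: name.strip().lower().replace("-", "_")
    cp.read_string("\n".join(body))
    return {s: dict(cp[s]) for s in cp.sections()}

def risky_log_targets(options):
    """(section, path) pairs whose general_log_file points at an option file, i.e.
    where query-log output would land in a file the server later reads as config."""
    hits = []
    for section, kv in options.items():
        target = (kv.get("general_log_file") or "").strip("'\"")
        if target.endswith(".cnf") or target.startswith(OPTION_DIRS):
            hits.append((section, target))
    return hits

def audit_option_file(path, svc_uid, svc_gid):
    """Run both checks against one option file on disk; returns finding strings."""
    st, findings = os.stat(path), []
    if writable_by_service(st.st_mode, st.st_uid, st.st_gid, svc_uid, svc_gid):
        findings.append(f"{path}: writable by the MySQL service account or by everyone")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for section, target in risky_log_targets(parse_option_text(fh.read())):
            findings.append(f"{path}: [{section}] general_log_file={target} is an option file")
    return findings

if __name__ == "__main__":
    # Constructed sample: a general log aimed at an option file is the pattern to flag.
    sample = "[mysqld]\ngeneral_log = 1\ngeneral-log-file = /var/lib/mysql/my.cnf\n"
    print(risky_log_targets(parse_option_text(sample)))  # [('mysqld', '/var/lib/mysql/my.cnf')]
```

To audit real files, pass the service account's uid and gid (for example from `pwd.getpwnam("mysql")`) to `audit_option_file` for each option file mysqld reads.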