SecurityTracker.com

SecurityTracker Archives

Category:   Application (Database)  >   MySQL
Vendors:   MySQL.com, Oracle
MySQL General Query Logging Function Lets Remote Authenticated Users Modify the 'my.cnf' File to Gain Elevated Privileges
SecurityTracker Alert ID:  1036769
SecurityTracker URL:  http://securitytracker.com/id/1036769
CVE Reference:   CVE-2016-6662
Updated:  Oct 18 2016
Original Entry Date:  Sep 12 2016
Impact:   Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 5.5.52, 5.6.33, 5.7.15; and prior versions
Description:   A vulnerability was reported in MySQL. A remote authenticated user can gain elevated privileges.

A remote authenticated user with SELECT/FILE permissions can exploit a flaw in the MySQL general query logging function to modify or create a 'my.cnf' file and cause arbitrary code to be executed with elevated privileges on the target system when the MySQL service is subsequently restarted.
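A configuration audit for the two preconditions this entry describes (an option file the MySQL service account can create or modify, and a directive that makes the service preload a library on its next restart), added here as an example and not part of the SecurityTracker entry or the original advisory. The sample option file is constructed, and treating the current uid as the mysql account in demo() is a test convenience; on a real host pass the mysql user's uid and the option-file paths your distribution actually searches.

```python
import os, re, stat, tempfile

# Constructed sample of a tampered option file (not from the page): under [mysqld_safe],
# malloc_lib makes the wrapper script export LD_PRELOAD before it starts mysqld.
SAMPLE_CONFIG = """[mysqld]
datadir=/var/lib/mysql
[mysqld_safe]
malloc_lib=/var/lib/mysql/planted.so
"""
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^\s*([A-Za-z_-]+)\s*=\s*(.*?)\s*$")

def preload_directives(text):
    """Return (section, value) for every malloc_lib directive in option-file text."""
    hits, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = OPTION_RE.match(line)
        if m and m.group(1).replace("-", "_").lower() == "malloc_lib":
            hits.append((section, m.group(2)))
    return hits

def audit_option_file(path, mysql_uid):
    """A missing file in a searched location can be created by the service account;
    a file it owns or can write can be modified. Preload directives are always reported."""
    if not os.path.exists(path):
        return ["missing (a root-owned placeholder blocks creation)"]
    st = os.stat(path)
    findings = []
    if st.st_uid == mysql_uid:
        findings.append("owned by mysql account")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable")
    with open(path, errors="replace") as fh:
        for section, value in preload_directives(fh.read()):
            findings.append("malloc_lib=%s under [%s]" % (value, section))
    return findings

def demo():
    """Audit the constructed sample written as a mode-0666 file, treating the
    current uid as the mysql account so the check runs on any machine."""
    path = os.path.join(tempfile.mkdtemp(), "my.cnf")
    with open(path, "w") as fh:
        fh.write(SAMPLE_CONFIG)
    os.chmod(path, 0o666)
    return audit_option_file(path, os.getuid())
```

A clean result on a hardened host is an empty list for every searched path: each option file exists, is root-owned, is not group- or world-writable, and carries no malloc_lib directive.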

The vendor was notified on July 29, 2016.

The original advisory and demonstration exploit code are available at:

http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

Dawid Golunski of legalhackers.com reported this vulnerability.

Impact:   A remote authenticated user with SELECT/FILE permissions can gain elevated privileges on the target system.
Solution:   The vendor has issued a fix as part of the October 2016 Oracle Critical Patch Update.

The vendor's advisory is available at:

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Vendor URL:  www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 13 2016 (Ubuntu Issues Fix) MySQL General Query Logging Function Lets Remote Authenticated Users Modify the 'my.cnf' File to Gain Elevated Privileges
Ubuntu has issued a fix for Ubuntu Linux 12.04 LTS, 14.04 LTS, and 16.04 LTS.
Nov 2 2016 (Red Hat Issues Fix) MySQL General Query Logging Function Lets Remote Authenticated Users Modify the 'my.cnf' File to Gain Elevated Privileges
Red Hat has issued a fix for Red Hat Enterprise Linux 6, 6.6, 6.7, 7, 7.1, and 7.2.
Jan 24 2017 (Red Hat Issues Fix) MySQL General Query Logging Function Lets Remote Authenticated Users Modify the 'my.cnf' File to Gain Elevated Privileges
Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Jan 26 2017 (Oracle Issues Fix for Oracle Linux) MySQL General Query Logging Function Lets Remote Authenticated Users Modify the 'my.cnf' File to Gain Elevated Privileges
Oracle has issued a fix for Oracle Linux 6.
Jan 27 2017 (CentOS Issues Fix) MySQL General Query Logging Function Lets Remote Authenticated Users Modify the 'my.cnf' File to Gain Elevated Privileges
CentOS has issued a fix for CentOS 6.



Source Message Contents

Subject:  [oss-security] CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day )

Vulnerability: MySQL Remote Root Code Execution / Privilege Escalation 0day
CVE: CVE-2016-6662
Severity: Critical
Affected MySQL versions (including the latest):
<= 5.7.15
<= 5.6.33
<= 5.5.52

Discovered by:
Dawid Golunski
http://legalhackers.com

Independent research has revealed multiple severe MySQL vulnerabilities.
This advisory focuses on a critical vulnerability with a CVE ID of CVE-2016-6662.
The vulnerability affects MySQL servers in all version branches (5.7, 5.6, and 5.5),
including the latest versions, and could be exploited by both local and remote attackers.
Both authenticated access to the MySQL database (via network connection or web
interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors.

Successful exploitation could allow attackers to execute arbitrary code with
root privileges which would then allow them to fully compromise the server on
which an affected version of MySQL is running.

This advisory provides a (limited) Proof-Of-Concept MySQL exploit which demonstrates
how Remote Root Code Execution could be achieved by attackers.
Full PoC (which works on default installations without the need for the attacker
to find writable config files) will be provided later on to give users a chance to
react to this advisory, as the issue has not been patched by all the affected
vendors yet despite efforts.

The exploitation is interesting in the way that it involves an old-school LD_PRELOAD
environment variable and that it targets a service that doesn't serve requests as
root but could still be tricked to get root RCE when restarted.
Might give you strange feelings when restarting the mysql service the next time ;)

The advisory is available at:

http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html


-- 
Regards,
Dawid Golunski
http://legalhackers.com

Copyright 2019, SecurityGlobal.net LLC