| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Sep 2016 12:27:29 +0200 From: Mark Koek <mark.koek@...ec.com> To: fulldisclosure@...lists.org Subject: Re: [FD] CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day ) Well, 'remote root'... The PoC asks for a working MySQL user name and password. And I don't really get how that account can re-set the logfile location without SUPER privileges? Am I wrong in thinking that this is really "just" a MySQL admin -> root privilege escalation? Don't get me wrong, still a very nice exploit, but... Mark On 11-09-16 08:47, Dawid Golunski wrote: > Vulnerability: MySQL Remote Root Code Execution / Privilege Escalation 0day > CVE: CVE-2016-6662 > Severity: Critical > Affected MySQL versions (including the latest): > <= 5.7.15 > <= 5.6.33 > <= 5.5.52 > > Discovered by: > Dawid Golunski > http://legalhackers.com > > An independent research has revealed multiple severe MySQL vulnerabilities. > This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662. > The vulnerability affects MySQL servers in all version branches > (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by > both local and remote attackers. > Both the authenticated access to MySQL database (via network > connection or web interfaces such as phpMyAdmin) and SQL Injection > could be used as exploitation vectors. > > Successful exploitation could allow attackers to execute arbitrary code with > root privileges which would then allow them to fully compromise the server on > which an affected version of MySQL is running. > > This advisory provides a (limited) Proof-Of-Concept MySQL exploit > which demonstrates how Remote Root Code Execution could be achieved by > attackers. Full PoC will be provided later on to give users a chance > to react to this exploit as the issue has not been patched by all the > affected vendors yet despite efforts. > > The exploitation is interesting in the way that it involves an > oldschool LD_PRELOAD environment variable and that it targets a > service that doesn't > serve requests as root but could still be tricked to get root RCE when > restarted. > Might give you strange feelings when restarting mysql service the next time ;) > > The advisory is available at: > > http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt > > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists