Message-ID: <CADSYzst6T_wRgrhgA6WOjT2TkVau3khpjA=ifrsGuvrUQcJ21w@mail.gmail.com>
Date: Fri, 4 Nov 2016 13:07:51 -0200
From: Dawid Golunski <dawid@...alhackers.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com,
  bugs@...uritytracker.com
Subject: MySQL / MariaDB / PerconaDB - Root Privilege Escalation Exploit (
 CVE-2016-6664 / CVE-2016-5617 )

CVE-2016-6664 / (Oracle)CVE-2016-5617
Vulnerability: MySQL / MariaDB / PerconaDB - Root Privilege Escalation

Discovered by:
Dawid Golunski
@dawid_golunski
https://legalhackers.com

MySQL-based databases including MySQL, MariaDB and PerconaDB are affected
by a privilege escalation vulnerability which can let attackers who have
gained access to mysql system user (for example through CVE-2016-6663)
to further escalate their privileges to root user allowing them to
fully compromise the system.
The vulnerability stems from unsafe file handling of error logs and other files.


Affected versions:

MySQL
<= 5.5.51
<= 5.6.32
<= 5.7.14

MariaDB
All current

Percona Server
< 5.5.51-38.2
< 5.6.32-78-1
< 5.7.14-8

Percona XtraDB Cluster
< 5.6.32-25.17
< 5.7.14-26.17
< 5.5.41-37.0


The full up-to-date advisory and a PoC exploit can be found at:
https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html

PoC Video showing the exploitation gaining rootshell:
http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html

attacker will need to obtain mysql account first which could be gained
with the other exploit (CVE-2016-6663) I discovered:
http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html

More updates on the feed:
https://twitter.com/dawid_golunski


-- 
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski

Powered by blists - more mailing lists