lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CADSYzssqMTF72pE7sZmT=knZRwg1=6u3RmG1_6bVeHHzSvaOMg@mail.gmail.com>
Date: Sun, 11 Sep 2016 03:47:38 -0300
From: Dawid Golunski <dawid@...alhackers.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege
 Escalation ( 0day )

Vulnerability: MySQL Remote Root Code Execution / Privilege Escalation 0day
CVE: CVE-2016-6662
Severity: Critical
Affected MySQL versions (including the latest):
<= 5.7.15
<= 5.6.33
<= 5.5.52

Discovered by:
Dawid Golunski
http://legalhackers.com

An independent research has revealed multiple severe MySQL vulnerabilities.
This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662.
The vulnerability affects MySQL servers in all version branches
(5.7, 5.6, and 5.5) including the latest versions, and could be exploited by
both local and remote attackers.
Both the authenticated access to MySQL database (via network
connection or web interfaces such as phpMyAdmin) and SQL Injection
could be used as exploitation vectors.

Successful exploitation could allow attackers to execute arbitrary code with
root privileges which would then allow them to fully compromise the server on
which an affected version of MySQL is running.

This advisory provides a (limited) Proof-Of-Concept MySQL exploit
which demonstrates how Remote Root Code Execution could be achieved by
attackers. Full PoC will be provided later on to give users a chance
to react to this exploit as the issue has not been patched by all the
affected vendors yet despite efforts.

The exploitation is interesting in the way that it involves an
oldschool LD_PRELOAD environment variable and that it targets a
service that doesn't
serve requests as root but could still be tricked to get root RCE when
restarted.
Might give you strange feelings when restarting mysql service the next time ;)

The advisory is available at:

http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt


-- 
Regards,
Dawid Golunski
http://legalhackers.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ