Open Source and information security mailing list archives
Message-ID: <31656452-1680-13ed-1e9e-a347bd9aa463@qcsec.com>
Date: Tue, 13 Sep 2016 12:27:29 +0200
From: Mark Koek <mark.koek@...ec.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] CVE-2016-6662 - MySQL Remote Root Code Execution /
 Privilege Escalation ( 0day )

Well, 'remote root'...  The PoC asks for a working MySQL user name and 
password.

And I don't really get how that account can re-set the logfile location 
without SUPER privileges?

Am I wrong in thinking that this is really "just" a MySQL admin -> root 
privilege escalation? Don't get me wrong, still a very nice exploit, but...


Mark


On 11-09-16 08:47, Dawid Golunski wrote:
> Vulnerability: MySQL Remote Root Code Execution / Privilege Escalation 0day
> CVE: CVE-2016-6662
> Severity: Critical
> Affected MySQL versions (including the latest):
> <= 5.7.15
> <= 5.6.33
> <= 5.5.52
>
> Discovered by:
> Dawid Golunski
> http://legalhackers.com
>
> Independent research has revealed multiple severe MySQL vulnerabilities.
> This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662.
> The vulnerability affects MySQL servers in all version branches
> (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by
> both local and remote attackers.
> Both the authenticated access to MySQL database (via network
> connection or web interfaces such as phpMyAdmin) and SQL Injection
> could be used as exploitation vectors.
>
> Successful exploitation could allow attackers to execute arbitrary code with
> root privileges which would then allow them to fully compromise the server on
> which an affected version of MySQL is running.
>
> This advisory provides a (limited) Proof-Of-Concept MySQL exploit
> which demonstrates how Remote Root Code Execution could be achieved by
> attackers. Full PoC will be provided later on to give users a chance
> to react to this exploit as the issue has not been patched by all the
> affected vendors yet despite efforts.
>
> The exploitation is interesting in the way that it involves an
> old-school LD_PRELOAD environment variable and that it targets a
> service that doesn't serve requests as root but could still be
> tricked to get root RCE when restarted.
> Might give you strange feelings when restarting mysql service the next time ;)
>
> The advisory is available at:
>
> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt
>
>


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
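The two points raised in this thread, which MySQL accounts hold the privileges the advisory's exploitation path needs (Mark's question about SUPER, and the FILE privilege that lets an account write files as the mysql OS user), and the LD_PRELOAD-on-restart behaviour of mysqld_safe, can both be checked from the defender's side. The script below is an added example, not code from the thread or from the advisory author. It audits constructed `SHOW GRANTS` output and a constructed my.cnf: it lists accounts holding FILE, SUPER or ALL PRIVILEGES globally, and it reports any `malloc_lib` setting under `[mysqld_safe]` (the option mysqld_safe turns into LD_PRELOAD) together with a heuristic flag when that library sits under `datadir`, a directory the mysql OS user can write to. The sample grants, the sample config and the "under datadir" heuristic are assumptions made for the example, not taken from the page.

```python
import re

# Constructed sample: lines as returned by `SHOW GRANTS FOR <account>`.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'app'@'%'",
    "GRANT SELECT, INSERT, UPDATE ON shop.* TO 'app'@'%'",
    "GRANT FILE ON *.* TO 'backup'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, SUPER ON *.* TO 'monitor'@'127.0.0.1'",
]

# Global privileges worth reviewing: FILE writes files as the mysql OS user,
# SUPER changes server-wide settings (log file locations among them),
# ALL PRIVILEGES includes both.
RISKY_GLOBAL_PRIVS = {"FILE", "SUPER", "ALL PRIVILEGES"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<account>'[^']*'@'[^']*')",
    re.IGNORECASE,
)


def risky_accounts(grant_lines):
    """Map each account holding FILE/SUPER/ALL PRIVILEGES on *.* to those privileges."""
    found = {}
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue  # database-scoped grants cannot carry FILE or SUPER
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        hits = privs & RISKY_GLOBAL_PRIVS
        if hits:
            found.setdefault(m.group("account"), set()).update(hits)
    return {acct: sorted(p) for acct, p in found.items()}


# Constructed sample my.cnf (hypothetical paths, not from the advisory).
SAMPLE_MY_CNF = """\
[mysqld]
datadir=/var/lib/mysql
log-error=/var/log/mysql/error.log

[mysqld_safe]
malloc-lib=/var/lib/mysql/libjemalloc.so   # would be exported as LD_PRELOAD
"""


def audit_config(cnf_text):
    """Return datadir, every [mysqld_safe] malloc_lib value, and whether one lies under datadir."""
    section = None
    datadir = None
    malloc_libs = []
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line or line.startswith("!"):     # skip !include / !includedir
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")  # MySQL treats '-' and '_' alike
        value = value.strip()
        if section == "mysqld" and key == "datadir":
            datadir = value
        elif section == "mysqld_safe" and key == "malloc_lib":
            malloc_libs.append(value)
    under_datadir = bool(datadir) and any(
        lib.startswith(datadir.rstrip("/") + "/") for lib in malloc_libs
    )
    return {
        "datadir": datadir,
        "malloc_lib": malloc_libs,
        "malloc_lib_under_datadir": under_datadir,  # heuristic: mysql OS user can write there
    }


if __name__ == "__main__":
    for acct, privs in risky_accounts(SAMPLE_GRANTS).items():
        print(f"review account {acct}: {', '.join(privs)}")
    print(audit_config(SAMPLE_MY_CNF))
```

On a live server the grant lines come from `SHOW GRANTS FOR` each row of `mysql.user`, and the config text from every file mysqld_safe reads (`my_print_defaults` shows the effective list). Any account that only needs to read and write tables should not hold FILE or SUPER, and no config file mysqld_safe reads should be writable by the mysql OS user.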
