lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CADSYzsujXxQ6dnEkRYYG7Z0B7-sBtNtFaHYnK00yjRSzrFLGnQ@mail.gmail.com>
Date: Tue, 1 Nov 2016 08:45:57 -0200
From: Dawid Golunski <dawid@...alhackers.com>
To: fulldisclosure@...lists.org
Subject: [FD] MySQL / MariaDB / PerconaDB - Privilege Escalation / Race
 Condition Exploit [CVE-2016-6663 / OCVE-2016-5616]

CVE-2016-6663 / OCVE-2016-5616
Vulnerability: MySQL / MariaDB / PerconaDB - Privilege Escalation /
Race Condition

Discovered by:
Dawid Golunski
@dawid_golunski

http://legalhackers.com


Affected versions:

MariaDB
< 5.5.52
< 10.1.18
< 10.0.28

MySQL
<= 5.5.51
<= 5.6.32
<= 5.7.14

Percona Server
< 5.5.51-38.2
< 5.6.32-78-1
< 5.7.14-8

Percona XtraDB Cluster
< 5.6.32-25.17
< 5.7.14-26.17
< 5.5.41-37.0


An independent research has revealed a race condition vulnerability which
affects MySQl, MariaDB and PerconaDB databases.
The vulnerability can allow a local system user with access to the affected
database in the context of a low-privileged account
(CREATE/INSERT/SELECT grants)
to escalate their privileges and execute arbitrary code as the database system
user (typically 'mysql').
Successful exploitation would allow an attacker to gain full read/write access
to all of the files (including configuration files) and databases belonging
to the affected database server.
The obtained level of access upon the exploitation, could be chained with
the other privilege escalation vulnerabilities discovered by the author of
this advisory (CVE-2016-6662 and CVE-2016-6664) to further escalate privileges
from mysql user to root user and thus allow attackers to fully compromise the
target server.


The full up-to-date advisory and a PoC exploit can be found at:

http://legalhackers.com/advisories/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-OCVE-2016-5616-Exploit.html


PoC Video:

http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html



-- 
Regards,
Dawid Golunski
http://legalhackers.com
https://twitter.com/dawid_golunski

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ