Full Disclosure mailing list archives
Re: CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day )
From: Mark Koek <mark.koek () qcsec com>
Date: Tue, 13 Sep 2016 12:27:29 +0200
Well, 'remote root'... The PoC asks for a working MySQL user name and password.
And I don't really get how that account can re-set the logfile location without SUPER privileges?
Am I wrong in thinking that this is really "just" a MySQL admin -> root privilege escalation? Don't get me wrong, still a very nice exploit, but...
Mark

On 11-09-16 08:47, Dawid Golunski wrote:
> Vulnerability: MySQL Remote Root Code Execution / Privilege Escalation 0day
> CVE: CVE-2016-6662
> Severity: Critical
> Affected MySQL versions (including the latest):
>   <= 5.7.15
>   <= 5.6.33
>   <= 5.5.52
> Discovered by: Dawid Golunski
> http://legalhackers.com
>
> Independent research has revealed multiple severe MySQL vulnerabilities. This advisory focuses on a critical vulnerability with a CVE ID of CVE-2016-6662. The vulnerability affects MySQL servers in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers. Both authenticated access to the MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors.
>
> Successful exploitation could allow attackers to execute arbitrary code with root privileges, which would then allow them to fully compromise the server on which an affected version of MySQL is running.
>
> This advisory provides a (limited) Proof-Of-Concept MySQL exploit which demonstrates how Remote Root Code Execution could be achieved by attackers. The full PoC will be provided later on to give users a chance to react to this exploit, as the issue has not been patched by all the affected vendors yet despite efforts.
>
> The exploitation is interesting in the way that it involves an old-school LD_PRELOAD environment variable and that it targets a service that doesn't serve requests as root but could still be tricked to get root RCE when restarted. Might give you strange feelings when restarting the mysql service the next time ;)
>
> The advisory is available at:
> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
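As an added example (not code from this thread or from the advisory), a small check a defender can run over a server's reported @@version string to see whether it falls inside the affected ranges the advisory lists (<= 5.7.15, <= 5.6.33, <= 5.5.52). The sample version strings are constructed; branches the advisory does not mention are reported as "not in listed range" rather than as safe.

```python
"""Added example: classify MySQL version strings against the affected
ranges stated in the CVE-2016-6662 advisory quoted above."""
import re

# Highest affected release per branch, exactly as listed in the advisory.
AFFECTED_MAX = {
    (5, 7): (5, 7, 15),
    (5, 6): (5, 6, 33),
    (5, 5): (5, 5, 52),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string):
    """Extract (major, minor, patch) from a MySQL @@version value.

    Distribution suffixes such as '5.6.33-0ubuntu0.14.04.1-log' are ignored.
    Raises ValueError when no leading version number can be found.
    """
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError("unrecognised MySQL version string: %r" % version_string)
    return tuple(int(x) for x in m.groups())


def is_affected(version_string):
    """Return True when the version is within a range the advisory lists.

    Branches not listed (e.g. 8.0) return False; the advisory makes no claim
    about them, so False means 'not in listed range', not 'known safe'.
    """
    major, minor, patch = parse_version(version_string)
    ceiling = AFFECTED_MAX.get((major, minor))
    if ceiling is None:
        return False
    return (major, minor, patch) <= ceiling


def audit(version_strings):
    """Map each version string to its affected / not-affected verdict."""
    return {v: is_affected(v) for v in version_strings}


if __name__ == "__main__":
    # Constructed sample @@version values, not taken from any real host.
    samples = ["5.7.15-log", "5.7.16", "5.6.33-0ubuntu0.14.04.1",
               "5.6.34", "5.5.52", "5.5.53", "8.0.0"]
    for v, hit in audit(samples).items():
        print("%-28s %s" % (v, "AFFECTED" if hit else "not in listed range"))
```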