oss-sec mailing list archives
Re: CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day )
From: Solar Designer <solar () openwall com>
Date: Mon, 12 Sep 2016 12:35:27 +0200
On Mon, Sep 12, 2016 at 06:09:10AM -0300, Dawid Golunski wrote:
Vulnerability: MySQL Remote Root Code Execution / Privilege Escalation 0day CVE: CVE-2016-6662 Severity: Critical Affected MySQL versions (including the latest): <= 5.7.15 <= 5.6.33 <= 5.5.52
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
Thank you for posting this. For archival, and to comply with oss-security content guidelines, I am attaching a text/plain version of the above advisory (which includes a lot of detail not in your posting). Also, to add detail on the disclosure timeline: Dawid brought this to the distros list yesterday (Sunday). As I had pointed out in a reply on distros, it is not entirely clear what exact issue the CVE-2016-6662 identifier is for. The advisory talks about multiple sysadmin practices, packaging issues, dangerous features of MySQL, and finally of safe_mysqld including the data directory in its search path for my.cnf. I guess it would be most reasonable to have the CVE ID refer only to the latter aspect, but confirmation/clarification is needed. As it is, it's unclear from the advisory what exact "vulnerabilities were patched by PerconaDB and MariaDB vendors" (the advisory says so), and it is unclear what Oracle and distros "fixing" CVE-2016-6662 would mean. Also, in this paragraph I guess the advisory wanted to refer to the upcoming CVE-2016-6663 (I have no idea what that issue is, beyond what the advisory says), like it does in a few other places: "It is worth to note that attackers could use one of the other vulnerabilities discovered by the author of this advisory which has been assigned a CVEID of CVE-2016-6662 and is pending disclosure. The undisclosed vulnerability makes it easy for certain attackers to create /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege requirement." Alexander
Attachment:
MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt
Description:
Current thread:
- CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day ) Dawid Golunski (Sep 12)
- Re: CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day ) Solar Designer (Sep 12)