Date: Mon, 12 Sep 2016 12:35:27 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day )

On Mon, Sep 12, 2016 at 06:09:10AM -0300, Dawid Golunski wrote:
> Vulnerability: MySQL Remote Root Code Execution / Privilege Escalation 0day
> CVE: CVE-2016-6662
> Severity: Critical
> Affected MySQL versions (including the latest):
> <= 5.7.15
> <= 5.6.33
> <= 5.5.52

> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

Thank you for posting this.  For archival, and to comply with
oss-security content guidelines, I am attaching a text/plain version of
the above advisory (which includes a lot of detail not in your posting).

Also, to add detail on the disclosure timeline: Dawid brought this to
the distros list yesterday (Sunday).

As I had pointed out in a reply on distros, it is not entirely clear
what exact issue the CVE-2016-6662 identifier is for.  The advisory
talks about multiple sysadmin practices, packaging issues, dangerous
features of MySQL, and finally of safe_mysqld including the data
directory in its search path for my.cnf.  I guess it would be most
reasonable to have the CVE ID refer only to the latter aspect, but
confirmation/clarification is needed.  As it is, it's unclear from the
advisory what exact "vulnerabilities were patched by PerconaDB and
MariaDB vendors" (the advisory says so), and it is unclear what Oracle
and distros "fixing" CVE-2016-6662 would mean.

Also, in this paragraph I guess the advisory wanted to refer to the
upcoming CVE-2016-6663 (I have no idea what that issue is, beyond what
the advisory says), like it does in a few other places:

"It is worth noting that attackers could use one of the other vulnerabilities discovered
by the author of this advisory which has been assigned a CVEID of CVE-2016-6662 and is
pending disclosure. The undisclosed vulnerability makes it easy for certain attackers to
create /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege
requirement."

Alexander

View attachment "MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt" of type "text/plain" (35918 bytes)
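The one concrete mechanism the message pins down is that the server start-up wrapper reads a my.cnf from the data directory, a location the mysql service account owns and can write to. The script below is an added example, not code from the advisory, from Oracle/MySQL, or from the oss-security thread: it audits the options-file locations on a host and flags any that the service account could already modify, or could create because the containing directory is writable by it. The non-datadir paths in `default_config_paths` (/etc/my.cnf, /etc/mysql/my.cnf) are assumed typical Linux defaults and may differ per build; the check looks only at classic owner/group/other mode bits (POSIX ACLs are ignored), and the `demo()` layout is constructed in a temporary directory with the current uid/gid standing in for the mysql account.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    exists: bool
    risk: str  # empty string when the location looks fine


def default_config_paths(datadir):
    """Options-file locations a MySQL server start-up reads on a typical
    Linux host. The data-directory entry is the one discussed in the thread;
    the /etc entries are assumed defaults and may differ per packaging."""
    return [
        "/etc/my.cnf",
        "/etc/mysql/my.cnf",
        os.path.join(datadir, "my.cnf"),
    ]


def _writable_by(st, uid, gid):
    """True if an account with this uid/gid could write the object described
    by `st`, judged from owner/group/other mode bits only (assumption: no
    ACLs). The audited account is the unprivileged service account, so no
    root shortcut is applied even when uid happens to be 0."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_config_paths(paths, mysql_uid, mysql_gid):
    """For each options-file location, report whether the mysql service
    account could modify it now, or could create it if it is absent."""
    findings = []
    for path in paths:
        if os.path.lexists(path):
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                risk = "is a symlink; whoever controls the link controls the config"
            elif _writable_by(st, mysql_uid, mysql_gid):
                risk = "writable by the mysql account"
            else:
                risk = ""
            findings.append(Finding(path, True, risk))
            continue
        # Absent file: the data-directory case. If the service account owns
        # the parent directory it can simply create my.cnf there.
        parent = os.path.dirname(path)
        if os.path.isdir(parent) and _writable_by(os.stat(parent), mysql_uid, mysql_gid):
            risk = "absent, but the mysql account can create it (parent directory writable)"
        else:
            risk = ""
        findings.append(Finding(path, False, risk))
    return findings


def risky(findings):
    """Paths that an attacker holding the mysql account could turn into config."""
    return [f.path for f in findings if f.risk]


def demo():
    """Constructed layout (example data, not a real host): a read-only
    etc/my.cnf and a data directory owned by the service account with no
    my.cnf in it yet. The current uid/gid plays the mysql account."""
    root = tempfile.mkdtemp(prefix="mycnf-audit-")
    etc = os.path.join(root, "etc")
    datadir = os.path.join(root, "var", "lib", "mysql")
    os.makedirs(etc)
    os.makedirs(datadir, mode=0o750)
    with open(os.path.join(etc, "my.cnf"), "w") as fh:
        fh.write("[mysqld]\ndatadir=%s\n" % datadir)
    os.chmod(os.path.join(etc, "my.cnf"), 0o444)
    os.chmod(etc, 0o555)
    paths = [os.path.join(etc, "my.cnf"), os.path.join(datadir, "my.cnf")]
    findings = audit_config_paths(paths, os.getuid(), os.getgid())
    os.chmod(etc, 0o755)  # allow later cleanup of the temp tree
    return findings


if __name__ == "__main__":
    import pwd
    pw = pwd.getpwnam("mysql")  # assumes the service account is named mysql
    for f in audit_config_paths(default_config_paths("/var/lib/mysql"), pw.pw_uid, pw.pw_gid):
        print("%-28s exists=%-5s %s" % (f.path, f.exists, f.risk or "ok"))
```

On a stock install the data-directory entry will be reported as creatable by the service account, which is the condition the thread is about; the remedy is on the packaging side (a config file in the data directory should not be honoured, or the data directory should not be on the search path), not something the audit can fix by itself.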
