Date: Wed, 19 Oct 2016 06:13:14 -0200 From: Dawid Golunski <dawid@...alhackers.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day ) Hi Gsunde, I'll be posting updates on these issues and some PoC shortly via: http://legalhackers.com/ or my twitter: https://twitter.com/dawid_golunski You may want to check back soon. Thanks for the heads up. -- Regards, Dawid Golunski http://legalhackers.com On Tue, Oct 18, 2016 at 6:56 PM, Gsunde Orangen <gsunde.orangen@...il.com> wrote: > Dawid meanwhile updated his post  to reflect that the fixes for > CVE-2016-6662 were added in 5.5.52/5.6.33/5.7.15. > ... But today Oracle states that those versions were still affected , > thus the fix releases are 5.5.53/5.6.34/5.7.16. > > So which one is correct? Based on the changelogs I assume . > > And btw, Dawid: what happened with CVE-2016-6663? Still not public yet? > > Gsunde > >  > http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html >  > http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL > > On 12.09.2016, 16:45 Fried Wil wrote: >> Hi Dawid, >> >> Affected MySQL versions (including the latest): >> <= 5.7.15 >> <= 5.6.33 >> <= 5.5.52 >> >> Is your issue related to MySQL bugids fixed in 5.5.52/5.6.33/5.7.15 ? >> >> https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html >> Changes in MySQL 5.5.52 (2016-09-06): >> - For mysqld_safe, the argument to --malloc-lib now must be one of the >> directories /usr/lib, /usr/lib64, /usr/lib/i386-linux-gnu, or >> /usr/lib/x86_64-linux-gnu. In addition, the --mysqld and >> --mysqld-version options can be used only on the command line and not >> in an option file. (Bug #24464380) >> - Privilege escalation was possible by exploiting the way REPAIR TABLE >> used temporary files. (Bug #24388746) >> - It was possible to write log files ending with .ini or .cnf that >> later could be parsed as option files. The general query log and slow >> query log can no longer be written to a file ending with .ini or .cnf. >> (Bug #24388753) >> >> Thanks >> >> >> On Mon, Sep 12, 2016 at 6:58 AM, Dawid Golunski <dawid@...alhackers.com> wrote: >>> Hi Alexander, >>> >>> I was just going to reply to your email you sent earlier. >>> Thanks for the feedback. I actually updated the introduction after your email. >>> The advisory focuses on CVE-2016-6662 vulnerability which lets users >>> to modify/create my.cnf files. A fix would prevent users from writing >>> to my.cnf config. >>> >>> And yes there's a typo in the last paragraph made after a few >>> sleepless nights ;) I've fixed it now. >>> >>> The CVE-2016-6663 is not public yet. I refer to it in the advisory to >>> give some heads up in case someone wanted to discard this issue based >>> on reasoning that FILE privs are not common and that they will never >>> be pwned etc. It'll soon be published then it'll be clear what this >>> CVEID is about ;) >>> >>> Cheers. >>> >>> >>> >>> On Mon, Sep 12, 2016 at 7:35 AM, Solar Designer <solar@...nwall.com> wrote: >>>> On Mon, Sep 12, 2016 at 06:09:10AM -0300, Dawid Golunski wrote: >>>>> Vulnerability: MySQL Remote Root Code Execution / Privilege Escalation 0day >>>>> CVE: CVE-2016-6662 >>>>> Severity: Critical >>>>> Affected MySQL versions (including the latest): >>>>> <= 5.7.15 >>>>> <= 5.6.33 >>>>> <= 5.5.52 >>>> >>>>> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html >>>> >>>> Thank you for posting this. For archival, and to comply with >>>> oss-security content guidelines, I am attaching a text/plain version of >>>> the above advisory (which includes a lot of detail not in your posting). >>>> >>>> Also, to add detail on the disclosure timeline: Dawid brought this to >>>> the distros list yesterday (Sunday). >>>> >>>> As I had pointed out in a reply on distros, it is not entirely clear >>>> what exact issue the CVE-2016-6662 identifier is for. The advisory >>>> talks about multiple sysadmin practices, packaging issues, dangerous >>>> features of MySQL, and finally of safe_mysqld including the data >>>> directory in its search path for my.cnf. I guess it would be most >>>> reasonable to have the CVE ID refer only to the latter aspect, but >>>> confirmation/clarification is needed. As it is, it's unclear from the >>>> advisory what exact "vulnerabilities were patched by PerconaDB and >>>> MariaDB vendors" (the advisory says so), and it is unclear what Oracle >>>> and distros "fixing" CVE-2016-6662 would mean. >>>> >>>> Also, in this paragraph I guess the advisory wanted to refer to the >>>> upcoming CVE-2016-6663 (I have no idea what that issue is, beyond what >>>> the advisory says), like it does in a few other places: >>>> >>>> "It is worth to note that attackers could use one of the other vulnerabilities discovered >>>> by the author of this advisory which has been assigned a CVEID of CVE-2016-6662 and is >>>> pending disclosure. The undisclosed vulnerability makes it easy for certain attackers to >>>> create /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege >>>> requirement." >>>> >>>> Alexander >>> >>> >>> >>> -- >>> Regards, >>> Dawid Golunski >>> http://legalhackers.com >> >> >> >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ