Date: Mon, 14 Nov 2016 14:27:36 -0200 From: Dawid Golunski <dawid@...alhackers.com> To: oss-security@...ts.openwall.com Subject: MySQL / MariaDB / Percona - Privilege Escalation / Race Condition Exploit [CVE-2016-6663 / CVE-2016-5616] Vulnerability: MySQL / MariaDB / Percona - Privilege Escalation / Race Condition CVE-2016-6663 / (Oracle) CVE-2016-5616 Discovered by: Dawid Golunski / https://legalhackers.com @dawid_golunski Affected versions: MariaDB < 5.5.52 < 10.1.18 < 10.0.28 MySQL <= 5.5.51 <= 5.6.32 <= 5.7.14 Percona Server < 5.5.51-38.2 < 5.6.32-78-1 < 5.7.14-8 Percona XtraDB Cluster < 5.6.32-25.17 < 5.7.14-26.17 < 5.5.41-37.0 An independent research has revealed a race condition vulnerability which affects MySQl, MariaDB and PerconaDB databases. The vulnerability can allow a local system user with access to the affected database in the context of a low-privileged account (CREATE/INSERT/SELECT grants) to escalate their privileges and execute arbitrary code as the database system user (typically 'mysql'). Successful exploitation would allow an attacker to gain full read/write access to all of the files (including configuration files) and databases belonging to the affected database server. The obtained level of access upon the exploitation, could be chained with the other privilege escalation vulnerabilities discovered by the author of this advisory (CVE-2016-6662 and CVE-2016-6664) to further escalate privileges from mysql user to root user and thus allow attackers to fully compromise the target server. For the latest / up-to-date advisory visit: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html A copy of the full advisory is also attached to this message as per the oss-sec guidelines (for those who still use dial-up I guess... :) PoC Video showing the exploitation of the race in a matter of seconds to get mysql shell and gaining a rootshell from there: http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html More updates on the feed: https://twitter.com/dawid_golunski -- Regards, Dawid Golunski https://legalhackers.com t: @dawid_golunski View attachment "MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.txt" of type "text/plain" (26525 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ