Date: Mon, 14 Nov 2016 14:36:16 -0200 From: Dawid Golunski <dawid@...alhackers.com> To: oss-security@...ts.openwall.com Subject: MySQL / MariaDB / Percona - Root Privilege Escalation Exploit [ CVE-2016-6664 / CVE-2016-5617 ] Vulnerability: MySQL / MariaDB / PerconaDB - Root Privilege Escalation CVE-2016-6664 / (Oracle)CVE-2016-5617 Discovered by: Dawid Golunski (@dawid_golunski) https://legalhackers.com MySQL-based databases including MySQL, MariaDB and PerconaDB are affected by a privilege escalation vulnerability which can let attackers who have gained access to mysql system user (for example through CVE-2016-6663) to further escalate their privileges to root user allowing them to fully compromise the system. The vulnerability stems from unsafe file handling of error logs and other files. Affected versions: MySQL <= 5.5.51 <= 5.6.32 <= 5.7.14 MariaDB All current Percona Server < 5.5.51-38.2 < 5.6.32-78-1 < 5.7.14-8 Percona XtraDB Cluster < 5.6.32-25.17 < 5.7.14-26.17 < 5.5.41-37.0 The latest / up-to-date advisory and a PoC exploit can be found at: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html A copy of the advisory/exploit is also attached to this message. PoC Video (showing the rootshell part towards the end) is at: http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html Attacker will need to obtain mysql account first which could be gained with the other exploit (CVE-2016-6663) I discovered: http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html More updates on the feed: https://twitter.com/dawid_golunski -- Regards, Dawid Golunski https://legalhackers.com t: @dawid_golunski View attachment "MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.txt" of type "text/plain" (17665 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ