Date: Fri, 17 Feb 2017 12:03:44 -0200 From: Dawid Golunski <dawid@...alhackers.com> To: Tomas Hoger <thoger@...hat.com> Cc: oss-security@...ts.openwall.com Subject: Re: MySQL / MariaDB / Percona - Root Privilege Escalation Exploit [ CVE-2016-6664 / CVE-2016-5617 ] Hi Tomas, Yes, I have reported the insufficient fixes to Oracle and related vendors. I wanted to allow some more time for patching before making these public. I will make my advisories and exploits public soon. Thanks. On Fri, Feb 17, 2017 at 10:52 AM, Tomas Hoger <thoger@...hat.com> wrote: > On Mon, 14 Nov 2016 14:36:16 -0200 Dawid Golunski wrote: > >> Vulnerability: MySQL / MariaDB / PerconaDB - Root Privilege Escalation >> CVE-2016-6664 / (Oracle)CVE-2016-5617 > > The original MySQL fix for this issue was quite incomplete and easy to > bypass. It had the following problems: > > - Symlink check was racy - it was easy to replace log file created by > touch by a symlink before chmod and chown was used. > > - You could avoid the symlink check completely by directly setting > log-error to the path name of the file you want to corrupt, such as: > > log-error = /etc/ld.so.preload > > - Symlink check did not cover hardlinks (this is a variant of the > previous, sort of). > > - Existing symlinks were used even if they were not chmoded / chowned > any more, so it was possible to corrupt files with myslqd_safe's log > messages. > > I reported these problems to Oracle, and they assigned CVE-2017-3312 > for the incomplete fix. They were addressed in the following commit: > > https://github.com/mysql/mysql-server/commit/1f93f4381b60e3a8012ba36a4dec920416073759 > > Note that the commit pre-dates Oct 2016 CPU, when Oracle first > mentioned CVE-2016-6664 / CVE-2016-5617 as fixed, but it was only > included in MySQL 5.5.54, 5.6.35, and 5.7.17 released mid-Dec 2016, and > hence listed in Jan 2017 CPU. The fix also pre-dates my report. > > Dawid, I assume you were aware of these problems and reported them > too. You're acknowledged as a reporter of (at least) one of the issues > in the Jan 2017 CPU: > > http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html > > and also in Percona Server release notes: > > https://www.percona.com/doc/percona-server/LATEST/release-notes/Percona-Server-5.7.17-11.html > > mysqld_safe now limits the use of rm and chown to avoid privilege > escalation. chown can now be used only for /var/log directory. Bug > fixed #1660265. Thanks to Dawid Golunski (https://legalhackers.com). > > Linked Percona bug is not public, but the above text matches MySQL > commit linked above. > > As Oracle is refusing to publicly share any information about their > CVEs, can you, Dawid, provide information on what CVE or CVEs were > given to you by Oracle in response to your reports, and for what > issues? If you've not received that information yet, would you mind > asking? I suspect you may have some info to share on CVE-2017-3317 and > CVE-2017-3318. > > > Besides the above, I also reported the following issues. CVEs below > were assigned by Oracle. > > > CVE-2017-3265 unsafe chmod/chown use in the init script > > https://github.com/mysql/mysql-server/blob/mysql-5.6.34/packaging/rpm-oel/mysql.init#L97 > https://github.com/mysql/mysql-server/blob/mysql-5.6.34/packaging/rpm-oel/mysql.init#L73 > > These may allow mysql -> root privilege escalation similar to > CVE-2016-6664. Fixed in: > > https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-5fccc3d0e109e8f9ad0653728bd1d975 > > > CVE-2017-3291 was assigned to two independent issues > > - unrestricted mysqld_safe's ledir > > By setting ledir to say /tmp in my.cnf, you could make mysqld_safe > execute mysqld from there rather than some expected location > under /usr. Besides mysql -> root escalation, this also could have > been used by non-mysql local users in combination with the > CVE-2016-6662 issue against MySQL versions that do not support > malloc-lib (e.g. MySQL 5.1). Fixed in: > > https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-144aa2f11374843c969d96b7b84247ea > > - insecure path use in mysqld_safe > > This code tries to find my_print_defaults command: > > https://github.com/mysql/mysql-server/blob/mysql-5.6.34/scripts/mysqld_safe.sh#L466 > > It first tries relative to $MY_BASEDIR_VERSION, which could have been > set to $PWD: > > https://github.com/mysql/mysql-server/blob/mysql-5.6.34/scripts/mysqld_safe.sh#L402 > > If root ran mysqld_safe while their $PWD was /tmp, arbitrary code > controlled by some unprivileged local (not necessarily mysql) user > could have been executed. This was fixed in: > > https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-144aa2f11374843c969d96b7b84247eaL397 > > > There are few more related problems fixed in Jan 2017 CPU, but as noted > above, Oracle refuses to acknowledge mapping to CVEs publicly. > > https://github.com/mysql/mysql-server/commit/76e9d7e5b30365e8b167e2070ee00f81cb115b8b > https://github.com/mysql/mysql-server/commit/7a5145e445ee802241957eb5290a3e65ea4da70c > > -- > Tomas Hoger / Red Hat Product Security -- Regards, Dawid Golunski https://legalhackers.com t: @dawid_golunski
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ