Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Feb 2017 12:03:44 -0200
From: Dawid Golunski <dawid@...alhackers.com>
To: Tomas Hoger <thoger@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: MySQL / MariaDB / Percona - Root Privilege
 Escalation Exploit [ CVE-2016-6664 / CVE-2016-5617 ]

Hi Tomas,

Yes, I have reported the insufficient fixes to Oracle and related vendors.

I wanted to allow some more time for patching before making these public.
I will make my advisories and exploits public soon.

Thanks.


On Fri, Feb 17, 2017 at 10:52 AM, Tomas Hoger <thoger@...hat.com> wrote:
> On Mon, 14 Nov 2016 14:36:16 -0200 Dawid Golunski wrote:
>
>> Vulnerability: MySQL / MariaDB / PerconaDB - Root Privilege Escalation
>> CVE-2016-6664 / (Oracle)CVE-2016-5617
>
> The original MySQL fix for this issue was quite incomplete and easy to
> bypass.  It had the following problems:
>
> - Symlink check was racy - it was easy to replace log file created by
>   touch by a symlink before chmod and chown was used.
>
> - You could avoid the symlink check completely by directly setting
>   log-error to the path name of the file you want to corrupt, such as:
>
>   log-error = /etc/ld.so.preload
>
> - Symlink check did not cover hardlinks (this is a variant of the
>   previous, sort of).
>
> - Existing symlinks were used even if they were not chmoded / chowned
>   any more, so it was possible to corrupt files with myslqd_safe's log
>   messages.
>
> I reported these problems to Oracle, and they assigned CVE-2017-3312
> for the incomplete fix.  They were addressed in the following commit:
>
> https://github.com/mysql/mysql-server/commit/1f93f4381b60e3a8012ba36a4dec920416073759
>
> Note that the commit pre-dates Oct 2016 CPU, when Oracle first
> mentioned CVE-2016-6664 / CVE-2016-5617 as fixed, but it was only
> included in MySQL 5.5.54, 5.6.35, and 5.7.17 released mid-Dec 2016, and
> hence listed in Jan 2017 CPU.  The fix also pre-dates my report.
>
> Dawid, I assume you were aware of these problems and reported them
> too.  You're acknowledged as a reporter of (at least) one of the issues
> in the Jan 2017 CPU:
>
> http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
>
> and also in Percona Server release notes:
>
> https://www.percona.com/doc/percona-server/LATEST/release-notes/Percona-Server-5.7.17-11.html
>
>   mysqld_safe now limits the use of rm and chown to avoid privilege
>   escalation. chown can now be used only for /var/log directory. Bug
>   fixed #1660265. Thanks to Dawid Golunski (https://legalhackers.com).
>
> Linked Percona bug is not public, but the above text matches MySQL
> commit linked above.
>
> As Oracle is refusing to publicly share any information about their
> CVEs, can you, Dawid, provide information on what CVE or CVEs were
> given to you by Oracle in response to your reports, and for what
> issues?  If you've not received that information yet, would you mind
> asking?  I suspect you may have some info to share on CVE-2017-3317 and
> CVE-2017-3318.
>
>
> Besides the above, I also reported the following issues.  CVEs below
> were assigned by Oracle.
>
>
> CVE-2017-3265 unsafe chmod/chown use in the init script
>
> https://github.com/mysql/mysql-server/blob/mysql-5.6.34/packaging/rpm-oel/mysql.init#L97
> https://github.com/mysql/mysql-server/blob/mysql-5.6.34/packaging/rpm-oel/mysql.init#L73
>
> These may allow mysql -> root privilege escalation similar to
> CVE-2016-6664.  Fixed in:
>
> https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-5fccc3d0e109e8f9ad0653728bd1d975
>
>
> CVE-2017-3291 was assigned to two independent issues
>
> - unrestricted mysqld_safe's ledir
>
> By setting ledir to say /tmp in my.cnf, you could make mysqld_safe
> execute mysqld from there rather than some expected location
> under /usr.  Besides mysql -> root escalation, this also could have
> been used by non-mysql local users in combination with the
> CVE-2016-6662 issue against MySQL versions that do not support
> malloc-lib (e.g. MySQL 5.1).  Fixed in:
>
> https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-144aa2f11374843c969d96b7b84247ea
>
> - insecure path use in mysqld_safe
>
> This code tries to find my_print_defaults command:
>
> https://github.com/mysql/mysql-server/blob/mysql-5.6.34/scripts/mysqld_safe.sh#L466
>
> It first tries relative to $MY_BASEDIR_VERSION, which could have been
> set to $PWD:
>
> https://github.com/mysql/mysql-server/blob/mysql-5.6.34/scripts/mysqld_safe.sh#L402
>
> If root ran mysqld_safe while their $PWD was /tmp, arbitrary code
> controlled by some unprivileged local (not necessarily mysql) user
> could have been executed.  This was fixed in:
>
> https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-144aa2f11374843c969d96b7b84247eaL397
>
>
> There are few more related problems fixed in Jan 2017 CPU, but as noted
> above, Oracle refuses to acknowledge mapping to CVEs publicly.
>
> https://github.com/mysql/mysql-server/commit/76e9d7e5b30365e8b167e2070ee00f81cb115b8b
> https://github.com/mysql/mysql-server/commit/7a5145e445ee802241957eb5290a3e65ea4da70c
>
> --
> Tomas Hoger / Red Hat Product Security



-- 
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ