Date: Fri, 17 Feb 2017 13:52:45 +0100 From: Tomas Hoger <thoger@...hat.com> To: Dawid Golunski <dawid@...alhackers.com> Cc: oss-security@...ts.openwall.com Subject: Re: MySQL / MariaDB / Percona - Root Privilege Escalation Exploit [ CVE-2016-6664 / CVE-2016-5617 ] On Mon, 14 Nov 2016 14:36:16 -0200 Dawid Golunski wrote: > Vulnerability: MySQL / MariaDB / PerconaDB - Root Privilege Escalation > CVE-2016-6664 / (Oracle)CVE-2016-5617 The original MySQL fix for this issue was quite incomplete and easy to bypass. It had the following problems: - Symlink check was racy - it was easy to replace log file created by touch by a symlink before chmod and chown was used. - You could avoid the symlink check completely by directly setting log-error to the path name of the file you want to corrupt, such as: log-error = /etc/ld.so.preload - Symlink check did not cover hardlinks (this is a variant of the previous, sort of). - Existing symlinks were used even if they were not chmoded / chowned any more, so it was possible to corrupt files with myslqd_safe's log messages. I reported these problems to Oracle, and they assigned CVE-2017-3312 for the incomplete fix. They were addressed in the following commit: https://github.com/mysql/mysql-server/commit/1f93f4381b60e3a8012ba36a4dec920416073759 Note that the commit pre-dates Oct 2016 CPU, when Oracle first mentioned CVE-2016-6664 / CVE-2016-5617 as fixed, but it was only included in MySQL 5.5.54, 5.6.35, and 5.7.17 released mid-Dec 2016, and hence listed in Jan 2017 CPU. The fix also pre-dates my report. Dawid, I assume you were aware of these problems and reported them too. You're acknowledged as a reporter of (at least) one of the issues in the Jan 2017 CPU: http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html and also in Percona Server release notes: https://www.percona.com/doc/percona-server/LATEST/release-notes/Percona-Server-5.7.17-11.html mysqld_safe now limits the use of rm and chown to avoid privilege escalation. chown can now be used only for /var/log directory. Bug fixed #1660265. Thanks to Dawid Golunski (https://legalhackers.com). Linked Percona bug is not public, but the above text matches MySQL commit linked above. As Oracle is refusing to publicly share any information about their CVEs, can you, Dawid, provide information on what CVE or CVEs were given to you by Oracle in response to your reports, and for what issues? If you've not received that information yet, would you mind asking? I suspect you may have some info to share on CVE-2017-3317 and CVE-2017-3318. Besides the above, I also reported the following issues. CVEs below were assigned by Oracle. CVE-2017-3265 unsafe chmod/chown use in the init script https://github.com/mysql/mysql-server/blob/mysql-5.6.34/packaging/rpm-oel/mysql.init#L97 https://github.com/mysql/mysql-server/blob/mysql-5.6.34/packaging/rpm-oel/mysql.init#L73 These may allow mysql -> root privilege escalation similar to CVE-2016-6664. Fixed in: https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-5fccc3d0e109e8f9ad0653728bd1d975 CVE-2017-3291 was assigned to two independent issues - unrestricted mysqld_safe's ledir By setting ledir to say /tmp in my.cnf, you could make mysqld_safe execute mysqld from there rather than some expected location under /usr. Besides mysql -> root escalation, this also could have been used by non-mysql local users in combination with the CVE-2016-6662 issue against MySQL versions that do not support malloc-lib (e.g. MySQL 5.1). Fixed in: https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-144aa2f11374843c969d96b7b84247ea - insecure path use in mysqld_safe This code tries to find my_print_defaults command: https://github.com/mysql/mysql-server/blob/mysql-5.6.34/scripts/mysqld_safe.sh#L466 It first tries relative to $MY_BASEDIR_VERSION, which could have been set to $PWD: https://github.com/mysql/mysql-server/blob/mysql-5.6.34/scripts/mysqld_safe.sh#L402 If root ran mysqld_safe while their $PWD was /tmp, arbitrary code controlled by some unprivileged local (not necessarily mysql) user could have been executed. This was fixed in: https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-144aa2f11374843c969d96b7b84247eaL397 There are few more related problems fixed in Jan 2017 CPU, but as noted above, Oracle refuses to acknowledge mapping to CVEs publicly. https://github.com/mysql/mysql-server/commit/76e9d7e5b30365e8b167e2070ee00f81cb115b8b https://github.com/mysql/mysql-server/commit/7a5145e445ee802241957eb5290a3e65ea4da70c -- Tomas Hoger / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.