Well, 'remote root'... The PoC asks for a working MySQL user name and password. And I don't really get how that account can re-set the logfile location without SUPER privileges? Am I wrong in thinking that this is really "just" a MySQL admin -> root privilege escalation? Don't get me wrong, still a very nice exploit, but... Mark On 11-09-16 08:47, Dawid Golunski wrote: > Vulnerability: MySQL Remote Root Code Execution / Privilege Escalation 0day > CVE: CVE-2016-6662 > Severity: Critical > Affected MySQL versions (including the latest): > <= 5.7.15 > <= 5.6.33 > <= 5.5.52 > > Discovered by: > Dawid Golunski > http://legalhackers.com > > An independent research has revealed multiple severe MySQL vulnerabilities. > This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662. > The vulnerability affects MySQL servers in all version branches > (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by > both local and remote attackers. > Both the authenticated access to MySQL database (via network > connection or web interfaces such as phpMyAdmin) and SQL Injection > could be used as exploitation vectors. > > Successful exploitation could allow attackers to execute arbitrary code with > root privileges which would then allow them to fully compromise the server on > which an affected version of MySQL is running. > > This advisory provides a (limited) Proof-Of-Concept MySQL exploit > which demonstrates how Remote Root Code Execution could be achieved by > attackers. Full PoC will be provided later on to give users a chance > to react to this exploit as the issue has not been patched by all the > affected vendors yet despite efforts. > > The exploitation is interesting in the way that it involves an > oldschool LD_PRELOAD environment variable and that it targets a > service that doesn't > serve requests as root but could still be tricked to get root RCE when > restarted. > Might give you strange feelings when restarting mysql service the next time ;) > > The advisory is available at: > > http://ift.tt/2c43oEh > >
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment