CVE-2016-6662: MySQL remote code execution / privilege escalation technical analysis (official version, 9/13 update) - bug warning - Black Bar Safety Net

ID MYHACK58:62201679125
Type myhack58
Reporter 苦逼司马
Modified 2016-09-13T00:00:00


I. VULNERABILITY

MySQL 5.6.33 and 5.5.52. MySQL clones are similarly affected, including MariaDB and PerconaDB.

II. INTRODUCTION

An independent research organization has disclosed a serious MySQL vulnerability, CVE-2016-6662, which allows an attacker to remotely inject malicious settings into the MySQL configuration file (my.cnf) of the attacked server, with severe consequences. The vulnerability affects all MySQL version branches in their default configuration (5.7, 5.6 and 5.5), including the latest releases, and can be exploited by a local or a remote attacker. The exploit can be delivered over a network connection, through a web management tool such as phpMyAdmin, or through an SQL injection vulnerability. SQL injection is one of the most common vulnerabilities in web applications; where one is present, an attacker can chain it with CVE-2016-6662 for a deeper intrusion. If the attacked server runs an affected MySQL version, an exploit for the vulnerability can execute arbitrary code with root privileges and thereby take complete control of the server. The vendor has not yet released a patch for the vulnerability, and a server with SELinux security mode enabled is affected by the exploit as well. The PoC presented later in this briefing demonstrates how an attacker could achieve remote code execution.

III. DESCRIPTION

The default MySQL installation package ships with the mysqld_safe script, which is used to start the MySQL server. This can be observed, for example, on a Debian system with MySQL fully updated:

root@debian:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 8.5 (jessie)
Release:        8.5
Codename:       jessie

root@debian:~# dpkg -l | grep -i mysql-server
ii  mysql-server            5.5.50-0+deb8u1
ii  mysql-server-5.5        5.5.50-0+deb8u1
ii  mysql-server-core-5.5   5.5.50-0+deb8u1

MySQL (installed from the package provided by the default Debian archive) is started by running the following command:

root@debian:~# service mysql start

or alternatively:

root@debian:~# /etc/init.d/mysql start

The MySQL service process tree then looks as follows:

root     14967  0.0  0.1   4340  1588 ?  S   06:41  0:00 /bin/sh /usr/bin/mysqld_safe
mysql    15314  1.2  4.7 558160 47736 ?  Sl  06:41  0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306

As can be seen, the mysqld_safe wrapper script is started as root, while the main mysqld process runs with the lower privileges of the mysql user. The mysqld_safe wrapper script has the following feature:

----[ /usr/bin/mysqld_safe ]----
[...]
# set_malloc_lib LIB
# - If LIB is empty, do nothing and return
# - If LIB is 'tcmalloc', look for tcmalloc shared library in /usr/lib
#   then pkglibdir.  tcmalloc is part of the Google perftools project.
# - If LIB is an absolute path, assume it is a malloc shared library
#
# Put LIB in mysqld_ld_preload, which will be added to LD_PRELOAD when
# running mysqld.  See ld.so for details.
set_malloc_lib() {
  malloc_lib="$1"

  if [ "$malloc_lib" = tcmalloc ]; then
    pkglibdir=`get_mysql_config --variable=pkglibdir`
    malloc_lib=""
    # This list is kept intentionally simple.  Simply set --malloc-lib
    # to a full path if another location is desired.
    for libdir in /usr/lib "$pkglibdir" "$pkglibdir/mysql"; do
      for flavor in _minimal '' _and_profiler _debug; do
        tmp="$libdir/libtcmalloc$flavor.so"
        #log_notice "DEBUG: Checking for malloc lib '$tmp'"
        [ -r "$tmp" ] || continue
        malloc_lib="$tmp"
        break 2
      done
    done
[...]
----------[ eof ]---------------

The script can be used to load a shared library before the service starts; the library file is set with the following parameter:

--malloc-lib=LIB

This parameter can also be specified in the mysqld configuration file (my.cnf), in the [mysqld] or [mysqld_safe] section. If an attacker can insert the path of a malicious library file into the configuration file, any library can be loaded, and arbitrary code is executed with root privileges the next time the MySQL service is restarted (manually, by a system update, a package update, a system reboot, etc.).

A vulnerability published in 2003 in MySQL versions before 3.23.55 allowed an attacker to create the MySQL configuration file with a simple statement:

SELECT * INTO OUTFILE '/var/lib/mysql/my.cnf'

That vulnerability was fixed: by default, a query using OUTFILE cannot overwrite an existing file, which protects the existing configuration file. Since the fix in MySQL 3.23.55, writing the configuration file has been considered impossible. However, the PoC proves that the MySQL logging feature (present in a default installation) can be used to bypass the current restrictions and achieve the following:

1. Inject malicious configuration into an existing MySQL configuration file, provided the file permissions are improperly configured, i.e. the configuration file is owned by the mysql user and the mysql user has write permission on it; and

2. Create a new configuration file in the MySQL data directory, which in a default installation is writable by the mysql user, so this does not depend on any improper permissions configuration.

3. In a default MySQL installation, an attacker with only SELECT/FILE privileges can access the logging function, which is normally available only to the MySQL administrative user; the attacker is therefore in a position to add to or modify the configuration file.
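The two conditions the description above turns on are a malloc-lib setting in an option group that mysqld_safe reads, and an option file the mysql user could have written to (owned by mysql, writable by others, or sitting in the data directory). The following audit script checks a host for both. It is an added example, not code from the article or from MySQL; it assumes the usual Unix option-file search paths, a service account named mysql, and the default data directory /var/lib/mysql shown in the process tree above. The option-file contents it parses in the self-check are constructed.

```python
"""Audit MySQL option files for the CVE-2016-6662 abuse pattern (added example)."""
import os
import pwd
import re
import stat
from typing import Dict, List, Tuple

# Option groups that mysqld_safe passes through my_print_defaults. The article names
# [mysqld] and [mysqld_safe]; [server] and [safe_mysqld] are their aliases in the script.
WATCHED_GROUPS = ("mysqld", "server", "mysqld_safe", "safe_mysqld")
# Assumption: default data directory, taken from the process tree in the article.
DEFAULT_DATADIR = "/var/lib/mysql"
# Assumption: the standard Unix option-file search path, plus the data-directory file
# the article describes an attacker creating.
DEFAULT_OPTION_FILES = ["/etc/my.cnf", "/etc/mysql/my.cnf", DEFAULT_DATADIR + "/my.cnf", "~/.my.cnf"]

_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_option_file(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for MySQL option-file syntax: [group] headers, 'key' or 'key=value'
    lines, '#'/';' comment lines, and !include/!includedir directives (collected under the
    pseudo-group '!include'). MySQL treats '-' and '_' in option names as interchangeable,
    so names are normalised to dashes."""
    groups: Dict[str, Dict[str, str]] = {"!include": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("!include"):
            directive, _, target = line.partition(" ")
            groups["!include"][target.strip()] = directive
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            groups.setdefault(current, {})
            continue
        if current is None:
            continue  # an option before any group header is ignored by mysqld
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("_", "-")
        groups[current][key] = value.strip().strip("'\"")
    return groups


def find_malloc_lib(groups: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (group, value) for every malloc-lib setting mysqld_safe would act on.
    Anything other than 'tcmalloc' is an absolute path that ends up in LD_PRELOAD."""
    return [(g, groups[g]["malloc-lib"]) for g in WATCHED_GROUPS if "malloc-lib" in groups.get(g, {})]


def classify_perms(path: str, st_uid: int, st_mode: int, mysql_uid: int,
                   datadir: str = DEFAULT_DATADIR) -> List[str]:
    """Explain why the mysql user could have written this option file. Pure function over
    stat fields so it can be exercised without root or a real mysql account."""
    reasons = []
    if st_uid == mysql_uid:
        reasons.append("owned by the mysql user")
    if st_mode & stat.S_IWGRP:
        reasons.append("group-writable (check whether mysql is in that group)")
    if st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    datadir = os.path.abspath(datadir)
    if os.path.commonpath([os.path.abspath(path), datadir]) == datadir:
        reasons.append("located inside the data directory %s" % datadir)
    return reasons


def audit_option_file(path: str, mysql_user: str = "mysql", datadir: str = DEFAULT_DATADIR) -> List[str]:
    """Stat and parse one real option file; returns human-readable findings."""
    try:
        mysql_uid = pwd.getpwnam(mysql_user).pw_uid
    except KeyError:
        mysql_uid = -1  # no such account on this host; the ownership test cannot match
    findings: List[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings  # absent file: nothing for mysqld_safe to read
    for reason in classify_perms(path, st.st_uid, st.st_mode, mysql_uid, datadir):
        findings.append("%s: %s" % (path, reason))
    with open(path, encoding="utf-8", errors="replace") as fh:
        groups = parse_option_file(fh.read())
    for group, value in find_malloc_lib(groups):
        findings.append("%s: [%s] malloc-lib=%s would be LD_PRELOADed into mysqld by mysqld_safe" % (path, group, value))
    for target, directive in groups["!include"].items():
        findings.append("%s: %s %s pulls in further option files; audit those too" % (path, directive, target))
    return findings


# Constructed samples (not from the article): a clean file and one with a planted library.
SAMPLE_CLEAN = "[client]\nsocket = /var/run/mysqld/mysqld.sock\n\n[mysqld]\nuser = mysql\ndatadir = /var/lib/mysql\nlog-error = /var/log/mysql/error.log\n"
SAMPLE_PLANTED = SAMPLE_CLEAN + "\n[mysqld_safe]\nmalloc_lib = /var/lib/mysql/EXAMPLE_planted.so\n"

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or [os.path.expanduser(f) for f in DEFAULT_OPTION_FILES]:
        for finding in audit_option_file(p):
            print(finding)
```

Run it as root (so that every option file is readable) with no arguments to walk the default search path, or pass explicit paths, including any !include targets it reports. An empty result is what a default Debian installation should produce; the findings that matter are a malloc-lib line in a watched group and any option file the mysql user owns or that lives under the data directory.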
