A new MySQL vulnerability is out. It allows remote code execution with root privileges. The exploitation is interesting in that it involves the old-school LD_PRELOAD environment variable and that it targets a service that doesn't serve requests as root but can still be tricked into root RCE when it is restarted.
It might give you strange feelings the next time you restart the MySQL service 😉
Q How critical is it?
It can allow an attacker to take full control over your database.
Q When was the vulnerability reported?
29th July 2016
Q Is there a CVE allotted?
CVE-2016-6662 & CVE-2016-6663. (But nothing can be found there yet.)
Q What are the affected versions?
All versions of MySQL, including the latest; MariaDB and PerconaDB are also affected.
Q Is there a patch for it?
MariaDB and PerconaDB have released their patches, but Oracle hasn't released any patch yet and may release one on 18th Oct 2016.
Q How is it exploited?
It can be exploited by injecting malicious settings into existing MySQL configuration files or by creating a new malicious MySQL configuration file.
The flaw can be exploited either via SQL injection or by attackers with authenticated access to the MySQL database (via a network connection or a web interface like phpMyAdmin).
Even having SELinux or AppArmor (the Linux kernel security modules) enabled with the default active policies for the MySQL service won't help.
Q So where is the loophole?
The security flaw is in the mysqld_safe script, which many default MySQL packages and installations use as a wrapper to start the MySQL service process.
The mysqld_safe wrapper script is executed as root; it is the primary mysqld process it launches that drops its privilege level to the mysql user.
Q Any solution or mitigation?
The person who found this vulnerability said:
As temporary mitigation, users should ensure that no MySQL config files are owned by the mysql user, and create root-owned dummy my.cnf files that are not in use.
An update by MySQL has been secretly published and went unnoticed. It can be found here: https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html
Below is the link to the original document by the researcher Dawid Golunski:
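A defender-side check for that mitigation, added here as an example (it is not from the original post, from MySQL or from the researcher): it walks the usual my.cnf locations and flags any file that is not root-owned or that group or others can write, and it reports absent paths where the advice suggests planting a root-owned dummy. The path list and the report format are assumptions.

```shell
#!/bin/sh
# Added audit script for the mysqld_safe config-injection issue described above
# (not from the original post, MySQL, or the researcher). mysqld_safe runs as
# root and reads my.cnf from several locations, so any such file the
# unprivileged "mysql" user can write is the escalation path. It only reports.

# Classic my.cnf search locations; an assumption for this example
# (`mysqld --help --verbose` shows the exact order your build uses).
MYSQL_CNF_PATHS="/etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf /var/lib/mysql/my.cnf"

# check_cnf PATH TRUSTED_OWNER
# Returns 0 if PATH is owned by TRUSTED_OWNER and writable only by its owner,
# 1 if anyone else could write it (wrong owner, or group/other write bit set),
# 2 if PATH is absent (the mitigation says to plant a root-owned dummy there).
check_cnf() {
    path=$1; trusted=$2
    if [ ! -e "$path" ]; then
        echo "ABSENT  $path (consider a root-owned dummy file)"; return 2
    fi
    # -L checks a symlink's target; -prune stops descent into a directory (conf.d)
    if [ -z "$(find -L "$path" -prune -user "$trusted" -print)" ]; then
        echo "UNSAFE  $path is not owned by $trusted"; return 1
    fi
    # octal masks: 020 = group write bit, 002 = other write bit
    if [ -n "$(find -L "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "UNSAFE  $path is group- or world-writable"; return 1
    fi
    echo "OK      $path"; return 0
}

# audit_cnf_paths TRUSTED_OWNER PATH...
# Checks every path; returns the number of unsafe files (0 means clean).
audit_cnf_paths() {
    trusted=$1; shift
    unsafe=0
    for p in "$@"; do
        check_cnf "$p" "$trusted"; rc=$?
        [ "$rc" -eq 1 ] && unsafe=$((unsafe + 1))
    done
    return "$unsafe"
}

# Stand-alone run: audit the default locations against root.
if audit_cnf_paths root $MYSQL_CNF_PATHS; then
    echo "no unsafe MySQL config files found"
else
    echo "unsafe MySQL config files: $?"
fi
```

Any !includedir directories named in your my.cnf should be appended to the path list, since mysqld_safe reads those too.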