In September, Polish security researcher Dawid Golunski disclosed two vulnerabilities in MySQL: a remote root code execution flaw (CVE-2016-6662) and a privilege escalation flaw. At the time, Golunski published a proof of concept only for the first and promised to release details of the second (CVE-2016-6663) later.
On Tuesday, Golunski published PoC exploits for two vulnerabilities: one for the previously announced high-severity privilege escalation (CVE-2016-6663), the other for a newly disclosed root privilege escalation (CVE-2016-6664). Chained together, they let an attacker with a single low-privileged database account take over every database on the server.
Vulnerability numbers
CVE-2016-6663
CVE-2016-6664
Affected software
MySQL (versions prior to the patched releases)
MySQL derivatives: Percona Server, MariaDB
Vulnerability details
Privilege escalation/race condition vulnerability (CVE-2016-6663)
The more serious of the two vulnerabilities released this week is the race condition, which allows a low-privileged database account (one holding only CREATE, INSERT and SELECT privileges) to escalate its privileges and execute arbitrary code as the mysql system user.
Once exploited, the attacker is no longer confined to their own database and can read every database on the server.
Root privilege escalation (CVE-2016-6664)
The second vulnerability is a root privilege escalation. It allows an attacker who already runs as the mysql system user to elevate to root and attack the entire host.
The root cause is insecure file handling in the mysqld_safe wrapper script, which runs as root: the error log file (and similar files) are created and have their ownership changed by path name, without guarding against symbolic links. A user with mysql privileges can therefore replace the error log with a symlink to an arbitrary system file and have that file's ownership or contents altered with root privileges.
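To make the file-handling flaw concrete, here is an added example (not Golunski's PoC and not MySQL's own code) that stages the symlink substitution in a temporary directory and contrasts the unsafe open-by-path pattern with a hardened version. The "system file", the log path and the attacker's symlink are all constructed inside the temp directory; it assumes a POSIX system where O_NOFOLLOW is available and open() reports ELOOP on a symlink.

```python
import errno
import os
import stat
import tempfile


def naive_log_write(log_path, line):
    """The unsafe pattern: open the log by path name and write to it.
    open() follows symbolic links, so if a less privileged user has replaced
    log_path with a symlink, the data lands in whatever the link points to."""
    with open(log_path, "a") as f:
        f.write(line)


def safe_log_write(log_path, line):
    """Hardened version.  O_NOFOLLOW makes open() fail with ELOOP when the
    final path component is a symlink, and fstat() on the descriptor (not
    stat() on the path, which could be raced) confirms we hold a regular
    file with a single hard link.  Returns True if written, False if refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    try:
        fd = os.open(log_path, flags, 0o640)
    except OSError as e:
        if e.errno == errno.ELOOP:
            return False  # refused: the log path is a symlink
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            return False  # refused: not a plain file, or hard-linked elsewhere
        # Any ownership change belongs here too, as os.fchown(fd, ...) on the
        # descriptor, never os.chown(path, ...) on the name.
        os.write(fd, line.encode())
    finally:
        os.close(fd)
    return True


def demo():
    """Stage the attack and return (target after naive write,
    safe_log_write result, target after safe write)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "system_file")  # stand-in for an arbitrary system file
        with open(target, "w") as f:
            f.write("original\n")
        log_path = os.path.join(d, "error.log")
        os.symlink(target, log_path)  # the "replace the error log with a symlink" step
        naive_log_write(log_path, "injected\n")
        with open(target) as f:
            after_naive = f.read()
        accepted = safe_log_write(log_path, "injected again\n")
        with open(target) as f:
            after_safe = f.read()
    return after_naive, accepted, after_safe


if __name__ == "__main__":
    after_naive, accepted, after_safe = demo()
    print("naive write landed in the target file:", "injected" in after_naive)
    print("safe write accepted:", accepted)
    print("target unchanged by safe write:", after_safe == after_naive)
```

The hard-link check matters because a symlink is not the only way to alias a path: where fs.protected_hardlinks is off, a hard link to a root-owned file in the log directory would pass an O_NOFOLLOW open but still fails the st_nlink test.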
This vulnerability is most effective in combination with the race condition described above: the attacker first uses CVE-2016-6663 to go from an ordinary database user to the mysql system user, then uses CVE-2016-6664 to go from the mysql user to root.
Both vulnerabilities are especially dangerous in shared hosting environments, where each customer is supposed to reach only their own database. With them, an attacker holding one such account can gain access to every database on the server, and with the second bug, to the host itself.
Vulnerability PoC
Golunski has released PoC exploit code for both vulnerabilities.
Oracle fixed both vulnerabilities in last month's quarterly Critical Patch Update.
Remediation
We strongly recommend that administrators install the patched packages as soon as possible. If the patch cannot be applied immediately, a temporary workaround is to disable symbolic link support in the server configuration by setting symbolic-links=0 in the [mysqld] section of my.cnf (equivalently, skip-symbolic-links) and restarting the server. Note that this is a mysqld option aimed at the race condition: it stops the server from using symlinked table files, but it does not change how the mysqld_safe wrapper script handles the error log, so treat it as a partial stopgap rather than a fix for CVE-2016-6664.
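Because the workaround only helps if it is actually in effect in the group mysqld reads, here is an added audit script (not part of the original article or of MySQL) that checks an option file for the setting. The parser is a simplified reimplementation of mysqld's option-file rules as I understand them (case-insensitive names, '-' and '_' interchangeable, bare name means ON, skip-/disable-/enable- and loose- prefixes, '#' comments anywhere on a line, last setting wins); the sample option files are constructed for the demonstration. It checks only the [mysqld] group by default; mysqld also reads [server] and version-specific groups, and !include directives are not followed, so pass those in as well when auditing a real server.

```python
import re

# Boolean spellings mysqld accepts for turning an option off.
_OFF = {"0", "off", "false", "no"}

# Constructed sample option files (not taken from any real server).
CNF_DEFAULT = """
[mysqld]
datadir=/var/lib/mysql
# symbolic links are on unless explicitly disabled
"""

CNF_FIXED = """
[mysqld]
datadir=/var/lib/mysql
symbolic-links=0
"""

CNF_SKIP_FORM = """
[mysqld]
skip-symbolic-links
"""

CNF_WRONG_GROUP = """
[client]
symbolic-links=0   # the mysql client ignores this, and so does mysqld
[mysqld]
datadir=/var/lib/mysql
"""

CNF_OVERRIDDEN = """
[mysqld]
symbolic-links=0
symbolic_links = ON   # a later line for the same option wins
"""


def parse_option_group(text, group):
    """Return [(name, value), ...] for the options in [group], in file order,
    with names normalised the way mysqld treats them.  !include lines are
    skipped; the included files must be audited separately."""
    options, in_group = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment anywhere on a line
        if not line or line.startswith(";") or line.startswith("!"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            in_group = m.group(1).strip().lower() == group.lower()
            continue
        if not in_group:
            continue
        name, sep, value = line.partition("=")
        name = name.strip().lower().replace("-", "_")
        value = value.strip().strip("'\"") if sep else "ON"   # bare name enables a boolean
        if name.startswith("loose_"):
            name = name[len("loose_"):]
        for prefix, forced in (("skip_", "OFF"), ("disable_", "OFF"), ("enable_", "ON")):
            if name.startswith(prefix):
                name, value = name[len(prefix):], forced
                break
        options.append((name, value))
    return options


def symlink_support_disabled(text, group="mysqld"):
    """True if the last symbolic_links setting in [group] turns the feature off.
    mysqld's default is ON, so an absent option means 'not mitigated', and an
    unrecognised value is also reported as not mitigated."""
    enabled = True
    for name, value in parse_option_group(text, group):
        if name == "symbolic_links":
            enabled = value.lower() not in _OFF
    return not enabled


def audit(text, label):
    verdict = "mitigated" if symlink_support_disabled(text) else "NOT mitigated"
    return f"{label}: symbolic links {verdict}"


if __name__ == "__main__":
    samples = [("default", CNF_DEFAULT), ("fixed", CNF_FIXED),
               ("skip form", CNF_SKIP_FORM), ("wrong group", CNF_WRONG_GROUP),
               ("overridden", CNF_OVERRIDDEN)]
    for label, cnf in samples:
        print(audit(cnf, label))
```

On a running server the same fact can be confirmed from SQL with SHOW VARIABLES LIKE 'have_symlink', which reports DISABLED when the option took effect; the file audit is for fleets where you cannot log in to every instance.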