By Suraj Sahu (Vulnerability Research Engineer) and Rahul Kumar (Vulnerability Research Engineer)
Earlier this week, an independent researcher publicly disclosed a severe vulnerability in MySQL. This is a very popular open-source DBMS which is used by many organizations to manage their backend databases and websites. Proof of concept code was provided as part of the disclosure.
This particular vulnerability was designated as CVE-2016-6662, one of two serious flaws that the researcher found. This vulnerability allows an attacker to create the MySQL configuration file without having the privileges to do so, effectively taking over the server. The other assigned as CVE-2016-6663 has not yet been disclosed.
How would an attacker exploit this flaw?
There are two remote vectors that can be used to carry out this attack.
- Via an existing SQL injection vulnerability. An attacker can use this to modify the msyqld configuration file or run arbitrary remote code on the database server.
- Using the credentials of an authorized user on the MySQL server. This vulnerability could be used to elevate the privileges of the said user.
What’s the vulnerability (CVE-2016-6662)?
There are multiple ways to start a MySQL server. mysqld is the most commonly used daemon, but there is another startup script: mysqld_safe, which is the recommended way to start MySQL server on non-Windows operating systems. As the name implies, mysqld_safe adds some safety features that includes restarting the server when an error occurs and logging runtime information to an error log. mysqld_saf.
This file takes many options similar to those accepted by mysqld. One option —malloc-lib=LIB—can be used to preload a shared library before starting the server. This parameter can be specified in the MySQL configuration file (my.cnf) in a “[mysqld]” or “[mysqld_safe]” section with the parameter name malloc_lib.
Figure 1. malloc-lib option
The problem lies with the privileges that the mysqld_safe script runs with: it executes as the root user. If an attacker can inject a path pointing to their malicious library in the configuration file, then this library will also be preloaded when MySQL starts—with root privileges.
Figure 2. Executing the library
The researcher demonstrated ways to achieve just this, defeating the restrictions imposed on a normal MySQL user.
An attacker with limited access (SELECT/FILE) permissions can create and define the TRIGGER for a database table. When the attacker accesses this table to run any DML (Data Manipulation Language) statement, TRIGGER’s code will be executed with root privileges. This allows a user with fewer privileges to modify the settings as needed.
Figure 3. Defining a TRIGGER
MySQL Versions 5.7.15 and below, 5.6.33, and 5.5.22 are reported affected. As of publishing, Oracle has not yet released any patch.
Trend Micro Solutions
Trend Micro Deep Security™ provides protection to users via the following rule which was released to users via update DSRU16-026 which was released on September 13, 2016:
- 1007950 – Oracle MySQL Remote Code Execution Vulnerability (CVE-2016-6662)
The generic rules against SQL injection protect against the primary attack vector:
- 1000608 – Generic SQL Injection Prevention
- 1005613 – Generic SQL Injection Prevention
TippingPoint customers are protected from attacks exploiting these vulnerabilities with the following MainlineDV filters:
- 42268: MySQL: Oracle MySQL Logging Code Injection Vulnerability
