CVE-2016-6662 Advisory: Recent MySQL Code Execution/Privilege Escalation Zero-Day Vulnerability

  • Posted on: September 14, 2016 at 2:15 pm
  • Posted in: Exploits, Vulnerabilities
  • Author: Trend Micro

By Suraj Sahu (Vulnerability Research Engineer) and Rahul Kumar (Vulnerability Research Engineer)

Earlier this week, an independent researcher publicly disclosed a severe vulnerability in MySQL, a very popular open-source DBMS used by many organizations to manage their backend databases and websites. Proof-of-concept code was provided as part of the disclosure.

This particular vulnerability was designated CVE-2016-6662, one of two serious flaws that the researcher found. It allows an attacker to create the MySQL configuration file without having the privileges to do so, effectively taking over the server. The other flaw, assigned CVE-2016-6663, has not yet been disclosed.

How would an attacker exploit this flaw?

There are two remote vectors that can be used to carry out this attack.

  1. Via an existing SQL injection vulnerability. An attacker can use this to modify the mysqld configuration file or run arbitrary remote code on the database server.
  2. Using the credentials of an authorized user on the MySQL server. This vulnerability could be used to elevate the privileges of the said user.

What’s the vulnerability (CVE-2016-6662)?

There are multiple ways to start a MySQL server. mysqld is the most commonly used daemon, but there is another startup script, mysqld_safe, which is the recommended way to start the MySQL server on non-Windows operating systems. As the name implies, mysqld_safe adds some safety features, which include restarting the server when an error occurs and logging runtime information to an error log.

This script takes many options similar to those accepted by mysqld. One option, --malloc-lib=LIB, can be used to preload a shared library before starting the server. This parameter can be specified in the MySQL configuration file (my.cnf) in a “[mysqld]” or “[mysqld_safe]” section with the parameter name malloc_lib.

Figure 1. malloc-lib option

The problem lies with the privileges that the mysqld_safe script runs with: it executes as the root user. If an attacker can inject a path pointing to their malicious library in the configuration file, then this library will also be preloaded when MySQL starts—with root privileges.

Figure 2. Executing the library
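As an added example (not part of the original post or of MySQL itself), the following Python script audits a my.cnf for the malloc_lib setting described above: it parses the option file, normalises the malloc-lib/malloc_lib spellings, and flags any value found in the [mysqld] or [mysqld_safe] sections that mysqld_safe would preload as root. The sample configuration, the "untrusted_example.so" path and the list of system library directories used to rate severity are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample my.cnf (not from the original post). MySQL accepts
# '-' and '_' interchangeably in option names, so both spellings appear.
SAMPLE_MY_CNF = """\
[client]
port = 3306

[mysqld]
datadir = /var/lib/mysql
malloc-lib = /var/lib/mysql/untrusted_example.so   # writable by the mysql user

[mysqld_safe]
log-error = /var/log/mysqld.log
malloc_lib=/usr/lib64/libjemalloc.so.1
"""

# Sections in which mysqld_safe honours the malloc_lib option (per the post).
WATCHED_SECTIONS = {"mysqld", "mysqld_safe"}

# Assumed set of directories where a legitimately preloaded allocator
# would normally live; anything outside them is rated "high".
SYSTEM_LIB_DIRS = ("/usr/lib", "/usr/lib64", "/lib", "/lib64")


def parse_option_file(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, option, value) triples from an option file.
    Comments and blank lines are skipped; option names are lower-cased
    and dashes are normalised to underscores."""
    section, entries = "", []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, _, value = line.partition("=")
        option = key.strip().lower().replace("-", "_")
        entries.append((section, option, value.strip().strip("'\"")))
    return entries


def find_malloc_lib(text: str) -> List[Dict[str, str]]:
    """Flag every malloc_lib value that mysqld_safe would preload as root."""
    findings = []
    for section, option, value in parse_option_file(text):
        if section in WATCHED_SECTIONS and option == "malloc_lib":
            outside = not value.startswith(SYSTEM_LIB_DIRS)
            findings.append({"section": section, "path": value,
                             "severity": "high" if outside else "review"})
    return findings
```

Any hit should be compared against the host's known allocator packages; the "review" rating only means the path is under a system library directory, not that the file is trusted.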

The researcher demonstrated ways to achieve just this, defeating the restrictions imposed on a normal MySQL user.

An attacker with limited access (SELECT/FILE permissions) can create and define a TRIGGER for a database table. When the attacker accesses this table to run any DML (Data Manipulation Language) statement, the TRIGGER’s code is executed with root privileges. This allows a user with fewer privileges to modify the settings as needed.

Figure 3. Defining a TRIGGER

MySQL Versions 5.7.15 and below, 5.6.33, and 5.5.22 are reported affected. As of publishing, Oracle has not yet released any patch.

Trend Micro Solutions

Trend Micro Deep Security™ protects users via the following rule, released in update DSRU16-026 on September 13, 2016:

  • 1007950 – Oracle MySQL Remote Code Execution Vulnerability (CVE-2016-6662)

The generic rules against SQL injection protect against the primary attack vector:

  • 1000608 – Generic SQL Injection Prevention
  • 1005613 – Generic SQL Injection Prevention

TippingPoint customers are protected from attacks exploiting these vulnerabilities with the following MainlineDV filters:

  • 42268: MySQL: Oracle MySQL Logging Code Injection Vulnerability
Tags: CVE-2016-6662, MySQL, vulnerability