CVE-2016-6663
Published: 2016-12-13
Priority: P3 · 41 · high · 7 (CVSS 3.0)
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 4.31% (89.9th percentile)
Race condition in Oracle MySQL before 5.5.52, 5.6.x before 5.6.33, 5.7.x before 5.7.15, and 8.x before 8.0.1; MariaDB before 5.5.52, 10.0.x before 10.0.28, and 10.1.x before 10.1.18; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17 allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mariadb | mariadb | >= 10.0.0 < 10.0.28 | 10.0.28 |
| mariadb | mariadb | >= 10.1.0 < 10.1.18 | 10.1.18 |
| mariadb | mariadb | >= 5.5.20 < 5.5.52 | 5.5.52 |
| oracle | mysql | — | — |
| oracle | mysql | 5.5.0 – 5.5.52 | — |
| oracle | mysql | 5.6.0 – 5.6.33 | — |
| oracle | mysql | 5.7.0 – 5.7.15 | — |
| percona | percona_server | >= 5.5 < 5.5.51-38.2 | 5.5.51-38.2 |
| percona | percona_server | >= 5.6 < 5.6.32-78.1 | 5.6.32-78.1 |
| percona | percona_server | >= 5.7 < 5.7.14-8 | 5.7.14-8 |
| percona | xtradb_cluster | >= 5.5 < 5.5.41-37.0 | 5.5.41-37.0 |
| percona | xtradb_cluster | >= 5.6 < 5.6.32-25.17 | 5.6.32-25.17 |
| percona | xtradb_cluster | >= 5.7 < 5.7.14-26.17 | 5.7.14-26.17 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.0 | HIGH | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 7.0 | HIGH | — |
| vendor_redhat | — | 7.0 | HIGH | — |
Red Hat
mysql: race condition while setting stats during MyISAM table repair (CPU Oct 2016)
vendor_redhat · 2016-09-12 · CVSS 7.0 · HIGH · CWE-362
A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary f
GHSA
GHSA-g76x-xjc6-4pgh: Race condition in Oracle MySQL before 5
ghsa_unreviewed · 2022-05-14 · HIGH · CWE-362
OSV
CVE-2016-6663: Race condition in Oracle MySQL before 5
osv · 2016-12-13 · CVSS 7.0 · HIGH
No detection rules found.
Exploit-DB
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' System User Privilege Escalation
exploitdb · 2016-11-01 · CVSS 9.8 · CVE-2016-6664 · CRITICAL
---
#!/bin/bash -p
#
# Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh
#
# MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit
# mysql-chowned.sh (ver. 1.0)
#
# CVE-2016-6664 / OCVE-2016-5617
#
# Discovered and coded by:
#
# Dawid Golunski
# dawid[at]legalhackers.com
#
# https://legalhackers.com
#
# Follow https://twitter.com/dawid_golunski for updates on this advisory.
#
# This PoC exploit allows attackers to (instantly) escalate their privileges
# from mysql system account to root through unsafe error log handling.
# The exploit requires that file-based loggi
Exploit-DB
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / Race Condition
exploitdb · 2016-11-01 · CVSS 7.0 · CVE-2016-6663 · HIGH
---
/*
Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
mysql-privesc-race.c (ver. 1.0)
CVE-2016-6663 / OCVE-2016-5616
Discovered/Coded by:
Dawid Golunski
dawid[at]legalhackers.com
https://legalhackers.com
Follow https://twitter.com/dawid_golunski for updates on this advisory.
Compile:
gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient
Note:
* On RedHat-based systems you might need to change /tmp to another public directory (e.g. /uploads)
*
Exploit-DB
MySQL / MariaDB / PerconaDB 5.5.51/5.6.32/5.7.14 - Code Execution / Privilege Escalation
exploitdb · 2016-09-12 · CVSS 9.8 · CVE-2016-6662 · CRITICAL
---
#!/usr/bin/python
#
# MySQL / MariaDB / Percona - Remote Root Code Execution / PrivEsc PoC Exploit
# (CVE-2016-6662)
# 0ldSQL_MySQL_RCE_exploit.py (ver. 1.0)
#
# For testing purposes only. Do no harm.
#
# Discovered/Coded by:
#
# Dawid Golunski
# http://legalhackers.com
#
#
# This is a limited version of the PoC exploit. It only allows appending to
# existing mysql config files with weak permissions. See V) 1) section of
# the advisory for details on this vector.
#
# Full PoC will be released at a later date, and will show how attackers could
# exploit the vulnerability on default installations of MySQL on systems with no
# writable my.cnf config files available.
#
# The upcoming advisory CVE-20
Bugzilla
mysql: unspecified vulnerability in subcomponent: Server: MyISAM (CPU October 2016)
bugzilla · 2016-10-19 · MEDIUM
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: MyISAM). Supported versions that are affected are 5.5.51 and earlier, 5.6.32 and earlier and 5.7.14 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.
External References:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881724.html#AppendixMSQL
Discussion:
Created mariadb tracking bugs for this issue:
Affects: fedora-all [bug 1386608]
---
Created community-mysql tracking bugs for this issue:
Affects: fedora
Bugzilla
CVE-2016-5617 mysql: insecure error log file handling in mysqld_safe (CPU Oct 2016)
bugzilla · 2016-10-19 · CVSS 7.0 · HIGH
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Error Handling). Supported versions that are affected are 5.5.51 and earlier, 5.6.32 and earlier and 5.7.14 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.
Reference:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881724.html#AppendixMSQL
Discussion:
Created mariadb tracking bugs for this issue:
Affects: fedora-all [bug 1386608]
---
Created community-mysql tracking bugs for this issue:
Affects: fedora-a
Bugzilla
CVE-2016-5616 CVE-2016-6663 mysql: race condition while setting stats during MyISAM table repair (CPU Oct 2016)
bugzilla · 2016-09-23 · CVSS 7.0 · HIGH
Dawid Golunski, reporter of CVE-2016-6662 (bug 1375198), mentioned existence of a privilege escalation vulnerability which should allow a non-privileged database user without FILE permissions to escalate their privileges to database or system administrator. Quoting from the advisory for CVE-2016-6662:
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt
It could also be combined with CVE-2016-6663 vulnerability which will be released
shortly and could allow certain attackers to escalate their privileges to root
even without FILE privilege.
No further details are available at the moment.
Discussion:
This issue is now listed as
Bugzilla
CVE-2016-6662 mysql: general_log can write to configuration files, leading to privilege escalation (CPU Oct 2016)
bugzilla · 2016-09-12 · CVSS 9.8 · CRITICAL
A vulnerability in MySQL was found that allows:
1. injecting malicious configuration into existing MySQL configuration files on systems with weak/improper permissions (configs owned by/writable by mysql user)
2. creating new configuration files within a MySQL data directory (writable by MySQL by default) on _default_ MySQL installs without the need to rely on improper config permissions.
3. gaining access to logging functions (normally only available to MySQL admin users) to attackers with only SELECT/FILE permissions on all of the _default_ MySQL installations and thus be in position to add/modify MySQL config files.
Public via:
http://seclists.org/oss-sec/2016/q3/481
Ext
arXiv
Extended Abstract: Mimicry Resilient Program Behavior Modeling with LSTM based Branch Models
arxiv_fulltext · 2018-03-24
Authors: Hayoon Yi (1)†, Gyuwan Kim (1,2)†, Jangho Lee (1), Sunwoo Ahn (1), Younghan Lee (1), Sungroh Yoon (1)‡, Yunheung Paek (1)‡
1: Dept. of Electrical and Computer Engineering, Seoul National University
2: Search Solutions, Inc
†: Equal Contribution
‡: Corresponding Author
Email: hyyi,kgwmath,ubuntu,swahn,yhlee,sryoon,[email protected]
## Abstract
In software design, protecting a computer system from a plethora of software attacks or malware in the wild has become increasingly important. As one branch of research to detect the existence of attacks or malware, there has been much work focused on modeling the runtime behavior of a program. Stemming from the seminal work of Forrest et al., one of the main tools to model program
References
http://rhn.redhat.com/errata/RHSA-2016-2130.html
http://rhn.redhat.com/errata/RHSA-2016-2131.html
http://rhn.redhat.com/errata/RHSA-2016-2595.html
http://rhn.redhat.com/errata/RHSA-2016-2749.html
http://rhn.redhat.com/errata/RHSA-2016-2927.html
http://rhn.redhat.com/errata/RHSA-2016-2928.html
http://rhn.redhat.com/errata/RHSA-2017-0184.html
http://seclists.org/fulldisclosure/2016/Nov/4
http://www.openwall.com/lists/oss-security/2016/10/25/4
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.securityfocus.com/bid/92911
http://www.securityfocus.com/bid/93614
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-1.html
https://github.com/MariaDB/server/commit/347eeefbfc658c8531878218487d729f4e020805
https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291
https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
https://mariadb.com/kb/en/mariadb/mariadb-10028-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10118-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-5552-release-notes/
https://www.exploit-db.com/exploits/40678/
https://www.percona.com/blog/2016/11/02/percona-responds-to-cve-2016-6663-and-cve-2016-6664/