CVE-2016-6664
published 2016-12-13


Priority: P3 · 41
CVSS 3.1: 7 (high), vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 3.08% (86.0th percentile)
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.

Affected

36 ranges · showing 25

Vendor    Product              Version range          Fixed in
mariadb   mariadb              >= 0 < 10.1.21-r0      10.1.21-r0
mariadb   mariadb              >= 10.0.0 < 10.0.29    10.0.29
mariadb   mariadb              >= 10.1.0 < 10.1.21    10.1.21
mariadb   mariadb              >= 5.5.0 < 5.5.54      5.5.54
msrc      cbl_mariner_1.0_arm  (range not shown)

Detection & IOCs (extracted from sources)

path:     /tmp/mysqlrootsh
path:     /tmp/privesclib.so
path:     /tmp/privesclib.c
path:     /etc/ld.so.preload
path:     /tmp/mysql_privesc_exploit
path:     /tmp/mysql_privesc_exploit/exploit_table.MYD
path:     /tmp/mysql_privesc_exploit/exploit_table.TMD
path:     /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD
filename: mysql-chowned.sh
filename: mysql-privesc-race.c
url:      https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
url:      http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh
command:  ln -s /etc/ld.so.preload $ERRORLOG
command:  gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl
command:  grep -r syslog /etc/mysql
  • Monitor for symlink creation from the MySQL error log path pointing to /etc/ld.so.preload; this is the key step in the CVE-2016-6664 privilege escalation chain.
  • Alert on unexpected writes to /etc/ld.so.preload by the mysql OS user; the file is used to inject a malicious shared library for privilege escalation.
  • Detect the creation of a SUID shell backdoor at /tmp/mysqlrootsh owned by root, which indicates successful exploitation.
  • Detect the presence of /tmp/privesclib.so or /tmp/privesclib.c on disk; both are artefacts of the exploit's shared library compilation step.
  • Detect the mysqld process being killed by the mysql user account (killall mysqld) immediately followed by creation of /etc/ld.so.preload, a sign of active exploitation.
  • Monitor for a MyISAM table (exploit_table) being created with an external DATA DIRECTORY pointing to /tmp/mysql_privesc_exploit, which is the race-condition setup step.
  • The CVE-2016-6664 fix was found to be incomplete; CVE-2017-3312 tracks the remaining flaw in mysqld_safe error log handling. Systems patched only for CVE-2016-6664 may still be vulnerable.
  • On RedHat-based systems the exploit may require a public directory other than /tmp (e.g. /uploads) as the exploit working directory.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.0    HIGH      CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     6.9    MEDIUM    AV:L/AC:M/Au:N/C:C/I:C/A:C
osv                     7.0    HIGH
vendor_msrc             7.0    HIGH
vendor_redhat           7.0    HIGH