CVE-2016-6664
Published: 2016-12-13
Priority: P3 · CVSS 3.1 base score 7 (high)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see the Exploit-DB entries below)
EPSS: 3.08% (86.0th percentile)
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.
Affected (36 ranges reported; duplicate rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mariadb | mariadb | >= 0 < 10.1.21-r0 | 10.1.21-r0 |
| mariadb | mariadb | >= 10.0.0 < 10.0.29 | 10.0.29 |
| mariadb | mariadb | >= 10.1.0 < 10.1.21 | 10.1.21 |
| mariadb | mariadb | >= 5.5.0 < 5.5.54 | 5.5.54 |
| msrc | cbl_mariner_1.0_arm | — | — |
Detection & IOCs (extracted from sources)
Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
- Monitor for symlink creation from the MySQL error log path pointing to /etc/ld.so.preload, a key step in the CVE-2016-6664 privilege escalation chain.
- Alert on unexpected writes to /etc/ld.so.preload by the mysql OS user, which is used to inject a malicious shared library for privilege escalation.
- Detect creation of a SUID shell backdoor at /tmp/mysqlrootsh owned by root; this indicates successful exploitation.
- Detect presence of /tmp/privesclib.so or /tmp/privesclib.c on disk, which are artefacts of the exploit's shared library compilation step.
- Detect the mysqld process being killed by the mysql user account (killall mysqld) immediately followed by /etc/ld.so.preload creation, a sign of active exploitation.
- Monitor for a MyISAM table (exploit_table) being created with an external DATA DIRECTORY pointing to /tmp/mysql_privesc_exploit, which is the race-condition setup step.
Notes:
- The CVE-2016-6664 fix was found to be incomplete; CVE-2017-3312 tracks the remaining flaw in mysqld_safe error log handling. Systems patched only for CVE-2016-6664 may still be vulnerable.
- On RedHat-based systems the exploit may require using a public directory other than /tmp (e.g. /uploads) for the exploit working directory.
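Added host-audit script for the three indicator classes listed above (a symlinked error log path, an /etc/ld.so.preload entry outside the system library directories, and the PoC's artefact file names); it is not the advisory's or any vendor's code and only reads the filesystem. All paths are parameters so it can be run against a fixture as well as a live host.

```shell
#!/bin/bash
# Added audit for the CVE-2016-6664 indicators above (not the advisory's or any
# vendor's code). Read-only; paths are parameters so it also runs on a fixture.
finding() { printf 'FINDING: %s\n' "$1" >&2; }   # findings go to stderr

# Unpatched mysqld_safe ran touch/chown/chmod on the configured log-error path,
# so a symlink there is the attack precondition.
check_error_log() {
  [ -L "$1" ] || return 0
  finding "error log $1 is a symlink to $(readlink "$1")"
  return 1
}

# The published chain ends with a library path written to /etc/ld.so.preload;
# flag any entry outside the system library directories.
check_preload() {
  hits=0
  [ -s "$1" ] || return 0
  while IFS= read -r lib; do
    case "$lib" in
      ''|'#'*|/lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) ;;
      *) finding "$1 loads $lib from outside system library dirs"
         hits=$((hits + 1)) ;;
    esac
  done < "$1"
  [ "$hits" -eq 0 ]
}

# File names used by the public PoC; a setuid mysqlrootsh means it completed.
check_artefacts() {
  hits=0
  for f in mysqlrootsh privesclib.so privesclib.c mysql_privesc_exploit; do
    [ -e "$1/$f" ] || continue
    suid=''; [ -u "$1/$f" ] && suid=' (setuid)'
    finding "exploit artefact present: $1/$f$suid"
    hits=$((hits + 1))
  done
  [ "$hits" -eq 0 ]
}

# audit_host LOGFILE PRELOAD TMPDIR: prints the number of failed checks (0-3).
audit_host() {
  failed=0
  check_error_log "$1" || failed=$((failed + 1))
  check_preload "$2"   || failed=$((failed + 1))
  check_artefacts "$3" || failed=$((failed + 1))
  echo "$failed"
}
```

On a live host pass the log-error path taken from my.cnf (for example /var/log/mysql/error.log on Debian-derived systems, an assumption), /etc/ld.so.preload and /tmp; a non-zero count means at least one check failed.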
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 7.0 | HIGH | — |
| vendor_msrc | — | 7.0 | HIGH | — |
| vendor_redhat | — | 7.0 | HIGH | — |
Red Hat
CVE-2017-3312 [HIGH] mysql: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 fix (CPU Jan 2017)
vendor_redhat · 2017-01-17 · CVSS 7.0
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS v3.0 Base Score 6.7 (Confidentiality, Integrity and Availability impacts).
Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The…
Microsoft
CVE-2016-6664 [HIGH] CWE-59
vendor_msrc · 2016-12-13 · CVSS 7.0
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries…
Red Hat
CVE-2016-6664 [HIGH] mysql: insecure error log file handling in mysqld_safe (CPU Oct 2016)
vendor_redhat · 2016-10-19 · CVSS 7.0
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.
A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root.
Package: mysql55-mysql (Red Hat Enterprise Linux 5) - Will not fix
Package: mysql (Red…
GHSA
CVE-2016-6664 [HIGH] CWE-59 GHSA-f9x4-3x96-w2vf
ghsa_unreviewed · 2022-05-13
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.
OSV
CVE-2016-6664 [HIGH]
osv · 2016-12-13 · CVSS 7.0
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.
No detection rules found.
Exploit-DB
CVE-2016-6664 [CRITICAL] MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' System User Privilege Escalation
exploitdb · 2016-11-01 · CVSS 9.8
---
```bash
#!/bin/bash -p
#
# Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh
#
# MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit
# mysql-chowned.sh (ver. 1.0)
#
# CVE-2016-6664 / OCVE-2016-5617
#
# Discovered and coded by:
#
# Dawid Golunski
# dawid[at]legalhackers.com
#
# https://legalhackers.com
#
# Follow https://twitter.com/dawid_golunski for updates on this advisory.
#
# This PoC exploit allows attackers to (instantly) escalate their privileges
# from mysql system account to root through unsafe error log handling.
# The exploit requires that file-based loggi
```
Exploit-DB
CVE-2016-6663 [HIGH] MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / Race Condition
exploitdb · 2016-11-01 · CVSS 7.0
---
```c
/*
Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
mysql-privesc-race.c (ver. 1.0)
CVE-2016-6663 / OCVE-2016-5616
Discovered/Coded by:
Dawid Golunski
dawid[at]legalhackers.com
https://legalhackers.com
Follow https://twitter.com/dawid_golunski for updates on this advisory.
Compile:
gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient
Note:
* On RedHat-based systems you might need to change /tmp to another public directory (e.g. /uploads)
*
```
arXiv
Extended Abstract: Mimicry Resilient Program Behavior Modeling with LSTM based Branch Models
arxiv_fulltext · 2018-03-24
Hayoon Yi (1, *), Gyuwan Kim (1, 2, *), Jangho Lee (1), Sunwoo Ahn (1), Younghan Lee (1), Sungroh Yoon (1, †), Yunheung Paek (1, †)
1: Dept. of Electrical and Computer Engineering, Seoul National University
2: Search Solutions, Inc
*: Equal contribution; †: Corresponding author
Email: hyyi,kgwmath,ubuntu,swahn,yhlee,sryoon,[email protected]
## Abstract
In software design, protecting a computer system from the plethora of software attacks and malware in the wild has become increasingly important. In one branch of research aimed at detecting the presence of attacks or malware, much work has focused on modeling the runtime behavior of a program. Stemming from the seminal work of Forrest et al., one of the main tools to model program…
Bugzilla
CVE-2017-3312 [HIGH] mysql: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 fix (CPU Jan 2017)
bugzilla · 2017-01-17 · CVSS 7.0
MySQL versions 5.5.52, 5.6.33, and 5.7.15 corrected a flaw in the way error log file was handled by mysqld_safe script. The issue allows mysql system user to escalate their privileges to root, and got two CVE ids assigned - CVE-2016-6664 and CVE-2016-5617 - see bug 1386564.
The original fix was applied as part of the patch for another issue - CVE-2016-6662:
https://github.com/mysql/mysql-server/commit/684a165f28b3718160a3e4c5ebd18a465d85e97c
The fix attempted to prevent script from using touch/chown/chmod on the configured log file if it was a symbolic link. This fix was found to be incomplete and having the following issues:
- Fix was racy, and the race was quite easy to…
Bugzilla
CVE-2016-5617 [HIGH] mysql: insecure error log file handling in mysqld_safe (CPU Oct 2016)
bugzilla · 2016-10-19 · CVSS 7.0
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Error Handling). Supported versions that are affected are 5.5.51 and earlier, 5.6.32 and earlier and 5.7.14 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.
Reference:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881724.html#AppendixMSQL
Discussion:
Created mariadb tracking bugs for this issue:
Affects: fedora-all [bug 1386608]
---
Created community-mysql tracking bugs for this issue:
Affects: fedora-a…
References:
- http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
- http://packetstormsecurity.com/files/139491/MySQL-MariaDB-PerconaDB-Root-Privilege-Escalation.html
- http://rhn.redhat.com/errata/RHSA-2016-2130.html
- http://rhn.redhat.com/errata/RHSA-2016-2749.html
- http://seclists.org/fulldisclosure/2016/Nov/4
- http://www.debian.org/security/2017/dsa-3770
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.securityfocus.com/archive/1/539695/100/0/threaded
- http://www.securityfocus.com/bid/93612
- https://access.redhat.com/errata/RHSA-2017:2192
- https://access.redhat.com/errata/RHSA-2018:0279
- https://access.redhat.com/errata/RHSA-2018:0574
- https://security.gentoo.org/glsa/201702-18
- https://www.exploit-db.com/exploits/40679/
- https://www.percona.com/blog/2016/11/02/percona-responds-to-cve-2016-6663-and-cve-2016-6664/