Critical vulnerabilities affecting MySQL, PerconaDB, and MariaDB, which can lead to a full server compromise, were discovered by security expert Dawid Golunski of Legal Hackers. The researcher says that attackers could use these flaws not only for server hacking but also for root privilege escalation and arbitrary code execution.
This week, Golunski revealed more details about the vulnerabilities as well as proof-of-concept exploits for two of the bugs. Both flaws affect MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier. MySQL forks, including MariaDB and Percona Server, are also affected.
The first vulnerability, tracked as CVE-2016-6663, is a privilege escalation/race condition flaw. A local attacker could exploit it to execute arbitrary code and escalate their privileges.
“The vulnerability can allow a local system user with access to the affected database in the context of a low-privileged account (CREATE/INSERT/SELECT grants) to escalate their privileges and execute arbitrary code as the database system user (typically ‘mysql’).” – states the security advisory published on legalhackers.com – “Successful exploitation would allow an attacker to gain access to all of the databases stored on the affected database server.”
Golunski also adds that the attacked server could be completely compromised if the attacker chains the bug with two other privilege escalation flaws, CVE-2016-6662 and CVE-2016-6664. Golunski discovered both in September this year.
The second vulnerability, tracked as CVE-2016-6664, is a root privilege escalation flaw that can be exploited in combination with the race condition flaw.
“MySQL-based databases including MySQL, MariaDB and PerconaDB are affected by a privilege escalation vulnerability which can let attackers who have gained access to MySQL system user to further escalate their privileges to root user allowing them to fully compromise the system. The vulnerability stems from unsafe file handling of error logs and other files.” – reads the security advisory.
The vulnerability resides in the way error logs and other files are managed. The server performs unsafe file operations on the error.log file, which an attacker can exploit to replace it with an arbitrary system file.
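As an added illustration (not Golunski's proof of concept and not MySQL's own code), the following Python contrasts a log open that silently follows a symlink planted under the log file's name with a hardened open that refuses symlinks and verifies the inode it actually opened. All paths are constructed in a temporary directory; the "system file" is a stand-in, not a real system path.

```python
import os
import stat
import tempfile


def unsafe_open_log(path):
    """Open the way a naive logger does: symlinks are followed, so if the
    log name has been swapped for a link, the write lands on the link target."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o640)


def safe_open_log(path, expected_uid):
    """Hardened variant: O_NOFOLLOW makes the kernel reject a symlink at
    `path` (ELOOP on Linux), and fstat checks the opened object itself."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o640)
    except OSError as exc:
        raise RuntimeError(f"refusing to open {path}: {exc.strerror}") from exc
    st = os.fstat(fd)  # inspect the inode we hold, not the path string
    if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
        os.close(fd)
        raise RuntimeError("log is not a regular file owned by the expected uid")
    return fd


def demo():
    """Returns (target_clobbered_by_unsafe_open, safe_open_refused)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for an arbitrary file the logger must never touch.
        target = os.path.join(d, "system_file")
        with open(target, "w") as f:
            f.write("original\n")
        # The expected error log name now points at that file via a symlink.
        log = os.path.join(d, "error.log")
        os.symlink(target, log)

        fd = unsafe_open_log(log)
        os.write(fd, b"written via error.log\n")
        os.close(fd)
        with open(target) as f:
            clobbered = "written via error.log" in f.read()

        try:
            os.close(safe_open_log(log, os.getuid()))
            refused = False
        except RuntimeError:
            refused = True
        return clobbered, refused
```

Running `demo()` on Linux yields `(True, True)`: the naive open overwrote the stand-in file through the link, while the hardened open rejected it.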