This is mainly about CVE-2016-6662. The site where it was first announced is:
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt
Simplified Chinese version:
http://bobao.360.cn/learning/detail/3027.html
Affected scope
MySQL <= 5.7.14 Remote Root Code Execution / Privilege Escalation (0day)
         5.6.32
         5.5.51
MySQL clones are also affected, including:
MariaDB
PerconaDB
But section III. INTRODUCTION further down says:
The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers. Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors.
So it looks like the whole series is affected, but testing the older RHEL 6 MySQL and RHEL 5 MySQL packages showed no mysqld_safe-related settings in my.cnf, so it only affects newer versions, including databases forked from the MySQL source code.
Basically the vulnerability is exploited in two ways:
1. With an account: use the vulnerability to modify my.cnf, i.e. gain control of my.cnf.
2. Without an account: use a trigger so that when mysql flushes, the trigger escalates the account's privileges, then take control of my.cnf.
Temporary fix
https://www.psce.com/blog/2016/09/12/how-to-quickly-patch-mysql-server-against-cve-2016-6662/
https://dev.mysql.com/doc/refman/5.5/en/mysqld-safe.html#option_mysqld_safe_malloc-lib
https://github.com/percona/percona-server/commit/c14be53e029442f576cced1fb8ff96b58e89f2e0#diff-144aa2f11374843c969d96b7b84247eaR261
The temporary workaround usable until MySQL releases an official update is the approach in the GitHub commit above: specify the directories from which libraries may be loaded, and refuse to load anything that is not under those directories.
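As an added audit helper (not code from the advisory or from the Percona patch), the check below reads a my.cnf-style file and flags any malloc-lib / malloc_lib value whose library path is outside an allowed directory list, which is the same idea the commit applies inside mysqld_safe. The directory list, the function names and the sample config are assumptions for this example.

```shell
# Added audit helper, not code from the advisory or the Percona patch: scans a
# my.cnf-style file for malloc-lib / malloc_lib lines and flags any library path
# outside ALLOWED_LIB_DIRS (an assumed list modelled on the commit's allow-list).
ALLOWED_LIB_DIRS="/usr/lib /usr/lib64 /usr/lib/i386-linux-gnu /usr/lib/x86_64-linux-gnu"
# path_allowed PATH -> 0 if PATH is absolute, has no '..' and sits under an allowed dir
path_allowed() {
    case "$1" in
        */../*|*/..) return 1 ;;   # '..' would escape the prefix check below
        /*) ;;                     # absolute path: go on to the prefix check
        *) return 1 ;;             # relative path or bare name: not accepted here
    esac
    for d in $ALLOWED_LIB_DIRS; do
        case "$1" in
            "$d"/*) return 0 ;;
        esac
    done
    return 1
}
# check_malloc_lib FILE -> 0 if every malloc-lib value in FILE is acceptable, else 1
check_malloc_lib() {
    rc=0
    # extract the value of each malloc-lib/malloc_lib line (values with spaces unsupported)
    for lib in $(grep '^[[:space:]]*malloc[-_]lib[[:space:]]*=' "$1" 2>/dev/null |
                 sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'); do
        case "$lib" in
            */*) if path_allowed "$lib"; then echo "ok:       $lib"
                 else echo "REJECTED: $lib (outside allowed library dirs)"; rc=1; fi ;;
            *)   echo "ok (bare name, left to mysqld_safe to resolve): $lib" ;;
        esac
    done
    return $rc
}
# write_sample_conf FILE: constructed my.cnf fragment for the demo, not from a real host
write_sample_conf() {
    cat > "$1" <<'EOF'
[mysqld]
malloc_lib=/var/lib/mysql/injected_example.so
[mysqld_safe]
malloc-lib = /usr/lib64/libjemalloc.so.1
EOF
}
# demo -> check_malloc_lib's status on the sample (1, because of the /var/lib/mysql entry)
demo() {
    f=$(mktemp) || return 2
    write_sample_conf "$f"
    if check_malloc_lib "$f"; then r=0; else r=1; fi
    rm -f "$f"
    return $r
}
```

Run `demo` to see the constructed sample rejected, or `check_malloc_lib /etc/my.cnf` (and every file pulled in by !include / !includedir) on a real host; a non-zero exit means a malloc-lib line points outside the allowed directories.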
http://bobao.360.cn/learning/detail/3026.html
http://www.ithome.com.tw/news/108454
http://avfisher.win/archives/tag/mysql
http://legalhackers.com/exploits/0ldSQL_MySQL_RCE_exploit.py