Welcome to WebmasterWorld Guest from 54.227.48.147

Forum Moderators: open

Message Too Old, No Replies

MySQL exploit gives root access to server

     
5:16 pm on Nov 3, 2016 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8562
votes: 245


Update your servers!

An attacker with a low-privileged account can also achieve root privilege by first exploiting the Privilege Escalation flaw (CVE-2016-6663) to become 'MySQL system user' and thus allow attackers to fully compromise the targeted server.
[thehackernews.com...]
7:46 pm on Nov 3, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1675
votes: 239


Thanks for the heads up. Went to update, but turns out I'm already running 5.5.53, which is apparently unaffected.
1:15 am on Nov 4, 2016 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8562
votes: 245


I was on 5.5.52 so I was okay too. I just updated to 5.5.53 as well.

Too late to edit my original post, but for the benefit of others...

Both the vulnerabilities affect MySQL version 5.5.51 and earlier, MySQL version 5.6.32 and earlier, and MySQL version 5.7.14 and earlier, as well as MySQL forks Percona Server and MariaDB.
7:20 am on Nov 5, 2016 (gmt 0)

Senior Member from KZ 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2938
votes: 24


Another security post here on WebmasterWorld where the title suggests much more than the real problem and the call to action "Update your servers!" is not applicable to the majority of the webmaster community.

First of all the attacker must be able to create tables on the MySQL server. Secondly the attacker must be able to change a file to a symbolic link to the root MySQL directory during the execution of a MySQL statement repair statement which needs accurate timing. In practice this will only be the case on machines with poorly setup shared hosting accounts where each of the users is not locked in their own directory tree. Those who are on shared hosting won't have the option to upgrade their MySQL implementation anyway.

Therefore the bug only applies to those businesses offering shared hosting on non-root-locked user accounts which are susceptible for many other attacks anyway and should be avoided by any decent webmaster.
12:38 pm on Nov 7, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1675
votes: 239


Sometimes it's easier to just patch the thing than to figure out whether or not you're actually at risk ;-)
6:12 pm on Nov 7, 2016 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2749
votes: 110


It looks like it affects MySQL forks (MariaDB and Percona) as well, so it must have been there a while. I hope they have been patched to.

Thanks, @lammert, you answered the questions I wanted to ask.
6:57 pm on Nov 7, 2016 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8562
votes: 245


Thanks lammert

I had not intended the title to be exaggerated, but the article on Hacker News said "An attacker with a low-privileged account can also achieve root privilege" so that sounded like a fire alarm. Which was probably their intent... click bait. My apologies for a mostly false alarm

I got hammered during Drupageddon. I should have updated immediately, but I decided to wait a bit. But then most drupal installs got hacked in the first day... and it was a burn down the server affair.