MySQL Hit By "Critical" Remote Code Execution 0-Day


  • MySQL Hit By "Critical" Remote Code Execution 0-Day

    Phoronix: MySQL Hit By "Critical" Remote Code Execution 0-Day

    The latest high-profile open-source software project having a bad security day is MySQL... MySQL 5.5/5.6/5.7 has a nasty zero-day vulnerability...

    http://www.phoronix.com/scan.php?pag...SQL-Crit-0-Day

  • #2

    "MySQL clones are also affected, including: MariaDB PerconaDB"
    Clones? Really? They are forks. Seriously. WTF are LegalHackers to use that crappy use of language?

    Comment


    • #3
      MySQL is crappy shit!

      Comment


      • #4
        In these days, having logical access to mysql is a security breach in itself. As mysql these days should be placed on an application dedicated virtual machine, surrounded by simple firewalls, the fact that a hacker already can reach it is bad. I would be a lot more worried if someone found yet another Proxy: bug, or an authentication/authorisation web hack. Of course privilege escalations should always be fixed.

        Comment


        • #5
          Originally posted by phoronix
          Phoronix: MySQL Hit By "Critical" Remote Code Execution 0-Day

          The latest high-profile open-source software project having a bad security day is MySQL... MySQL 5.5/5.6/5.7 has a nasty zero-day vulnerability...

          http://www.phoronix.com/scan.php?pag...SQL-Crit-0-Day
          Fortunately most distros have mysql configured out of the box to listen on localhost only, or via unix socket. Sorry, black hats, looks like the joke is on you...

          Comment


          • #6
            The article on legalhackers is very interesting. There are multiple bugs here, but the most critical one is privilege escalation to root, because the mysql_safe wrapper script does stupid things before dropping root privileges.

            Which once again proves why it is a bad idea to have an init system that relies on a bunch of fragile bash scripts. On systemd, the privilege escalation is defeated by these three lines in the mysql.service file:
            Code:
            [Service]
            User=mysql
            Group=mysql
            Now whatever other bugs are in mysql will surely allow anyone able to submit SQL queries (either by having authenticated access or via sql injection) to do bad things to my database, but thanks to a proper init system, they don't become root. Awesome!

            Comment
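The check described in post #6, as an added example that is not part of the thread or of any project's code: it works out which user a service unit would start as, applying the main unit text and then any drop-ins in order. The unit texts are constructed samples and the function names are hypothetical; line continuations and specifiers are not handled.

```python
# Constructed sample units; not copied from any distribution's package.
ROOT_UNIT = """\
[Service]
ExecStart=/usr/bin/mysqld_safe
"""
HARDENED_UNIT = """\
[Service]
User=mysql
Group=mysql
ExecStart=/usr/sbin/mysqld
"""
# A drop-in with an empty assignment resets User= to the default (root).
RESET_DROPIN = """\
[Service]
User=
"""


def effective_identity(*unit_texts):
    """Return (user, group) after applying the unit text and drop-ins in order."""
    ident = {"User": "", "Group": ""}
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue  # blank line or comment
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            if section != "Service" or "=" not in line:
                continue  # User=/Group= only count inside [Service]
            key, _, value = line.partition("=")
            key = key.strip()
            if key in ident:
                ident[key] = value.strip()  # the later assignment wins
    return ident["User"], ident["Group"]


def runs_as_root(*unit_texts):
    """True when the service manager would start the main process as root."""
    user, _ = effective_identity(*unit_texts)
    return user in ("", "root", "0")


if __name__ == "__main__":
    for name, texts in [("root unit", (ROOT_UNIT,)),
                        ("hardened unit", (HARDENED_UNIT,)),
                        ("hardened + reset drop-in", (HARDENED_UNIT, RESET_DROPIN))]:
        print(name, "->", "root" if runs_as_root(*texts) else effective_identity(*texts))
```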


            • #7
              This 0-day is open for both local and remote attackers and could come via authenticated access to a MySQL database (including web UI administration panels)
              Uh? Is it possible to use this exploit against phpmyadmin, even if mysql listens only to localhost?
              ## VGA ##
              AMD: X1950XTX, HD3870, HD5870
              Intel: GMA45, HD3000 (Core i5 2500K)

              Comment


              • #8
                Yes because this exploit is writing files with SQL statements creating a new config file on the server and a shared library that will be loaded as root when mysql starts. So it doesn't matter how you connect as long as you have SQL access to the database.

                Comment


                • #9
                  Originally posted by david_lynch

                  Fortunately most distros have mysql configured out of the box to listen on localhost only, or via unix socket. Sorry, black hats, looks like the joke is on you...
                  Well, unless you run some kind of internet application that downloads and executes scripts locally, like a browser for instance.

                  Comment


                  • #10
                    Originally posted by rohcQaH
                    On systemd, the privilege escalation is defeated by these three lines in the mysql.service file:
                    Code:
                    [Service]
                    User=mysql
                    Group=mysql
                    No! Don't break the phoronix anti-systemd clickbait circle***k! Too much cognitive dissonance!

                    Comment
