Announcement

**timofonic** · 12 September 2016, 04:44 PM

[quote]MySQL clones are also affected, including: MariaDB PerconaDB[/url] Clones? Really? They are forks. Seriously. WTF are LegalHackers to use that crappy use of language?

**chilek** · 12 September 2016, 04:48 PM

MySQL is crappy shit!

**Ardje** · 12 September 2016, 04:54 PM

In these days, having logical access to mysql is a security breach in itself. As mysql these days should be placed on an application dedicated virtual machine, surrounded by simpe firewalls, the fact that a hacker already can reach it is bad. I would be a lot more worried if someone found yet another Proxy: bug, or an authentication/authorisation web hack. Of course privilege escalations should always be fixed.

**david_lynch** · 12 September 2016, 04:57 PM

Originally posted by phoronix View Post

Phoronix: MySQL Hit By "Critical" Remote Code Execution 0-Day

The latest high-profile open-source software project having a bad security day is MySQL... MySQL 5.5/5.6/5.7 has a nasty zero-day vulnerability...

http://www.phoronix.com/scan.php?pag...SQL-Crit-0-Day

Fortunately most distros have mysql configured out of the box to listen on localhost only, or via unix socket. Sorry, black hats, looks like the joke is on you...

**rohcQaH** · 12 September 2016, 05:16 PM

The article on legalhackers is very interesting. There are multiple bugs here, but the most critical one is privilege escalation to root, because the mysql_safe wrapper script does stupid things before dropping root privileges.

Which once again proves why it is a bad idea to have an init system that relies on a bunch of fragile bash scripts. On systemd, the privilege escalation is defeated by these three lines in the mysql.service file:

Code:

[Service]
User=mysql
Group=mysql

Now whatever other bugs are in mysql will surely allow anyone able to submit SQL querys (either by having authenticated access or via sql injection) to do bad things to my database, but thanks to a proper init system, they don't become root. Awesome!

**darkbasic** · 12 September 2016, 05:35 PM

This 0-day is open for both local and remote attackers and could come via authenticated access to a MySQL database (including web UI administration panels)

Uh? Is it possible to use this exploit against phpmyadmin, even if mysql listens only to localhost?

**droste** · 12 September 2016, 06:18 PM

Yes because this exploit is writing files with SQL statements creating a new config file on the server and a shared library that will be loaded as root when mysql starts. So it doesn't matter how you connect as long as you have SQL access to the database.

**carewolf** · 12 September 2016, 06:58 PM

Originally posted by david_lynch View Post

Fortunately most distros have mysql configured out of the box to listen on localhost only, or via unix socket. Sorry, black hats, looks like the joke is on you...

Well, unless you run some kind of internet application that downloads and executes scripts locally, like a browser for instance.

**g1618058** · 12 September 2016, 07:14 PM

Originally posted by rohcQaH View Post

On systemd, the privilege escalation is defeated by these three lines in the mysql.service file:

Code:

[Service]
User=mysql
Group=mysql

No! Don't break the phoronix anti-systemd clickbait circle***k! Too much cognitive dissonance!

Announcement

MySQL Hit By "Critical" Remote Code Execution 0-Day

MySQL Hit By "Critical" Remote Code Execution 0-Day

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment