maria-discuss team mailing list archive

[Alex <imperialnetwork@xxxxxxxxx>]

Not sure , based from 
http://news.softpedia.com/news/mysql-zero-day-allows-database-takeover-508211.shtml 
, it says this:

"CVE-2016-6662 allows attackers to alter the my.conf file and load 
third-party code that will be executed with root privileges.
The second vulnerability Golunski discovered, which he didn't make 
public, is CVE-2016-6663. This is a variation of CVE-2016-6662, also 
leading to remote code execution under a root user"


On 9/12/2016 10:17 PM, Reindl Harald wrote:
> Am 12.09.2016 um 20:25 schrieb Sergei Golubchik:
> > Hi, Alex!
> >
> > On Sep 12, Alex wrote:
> > > Hello,
> > >
> > > In regards to this zero day remote exploit , it seems MariaDB is also
> > > affected. Percona seems to have released new versions out to fix this.
> > > Any news from MariaDB side ?
> > >
> > > http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html 
> >
> > Yes, it was https://jira.mariadb.org/browse/MDEV-10465,
> > fixed in 5.5.51, 10.0.27, 10.1.17, all released last month
>
> thanks
>
> but "MySQL-Exploit-Remote-Root-Code-Execution" is written by fools - 
> how would a mysqld running as restricted user get root-privileges 
> without any additional kernel-bug and who right in his mind is running 
> mysqld as root where with port 3306 it donÄt need that privileges even 
> for startup?
>
> [root@srv-rhsoft:~]$ cat /usr/lib/systemd/system/mysqld.service
> [Unit]
> Description=MariaDB Database
> Before=postfix.service dovecot.service dbmail-imapd.service 
> dbmail-lmtpd.service dbmail-pop3d.service dbmail-timsieved.service
>
> [Service]
> Type=simple
> User=mysql
> Group=mysql
> ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf 
> --pid-file=/dev/null
> ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID
> Environment="LANG=en_GB.UTF-8"
> Restart=always
> RestartSec=1
> TimeoutSec=300
> LimitNOFILE=infinity
> LimitMEMLOCK=infinity
> OOMScoreAdjust=-1000
> TasksMax=2048
>
> PrivateTmp=yes
> PrivateDevices=yes
> NoNewPrivileges=yes
> CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_WRITE 
> CAP_DAC_OVERRIDE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SETGID 
> CAP_SETUID CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE CAP_SYS_PTRACE
> SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime 
> delete_module fanotify_init finit_module get_mempolicy init_module 
> kcmp kexec_load keyctl lookup_dcookie mbind mount open_by_handle_at 
> perf_event_open pivot_root process_vm_readv process_vm_writev ptrace 
> request_key set_mempolicy swapoff swapon umount2 uselib vmsplice
> RestrictAddressFamilies=AF_UNIX AF_LOCAL AF_INET AF_INET6
> SystemCallArchitectures=x86-64
>
> ReadOnlyDirectories=/etc
> ReadOnlyDirectories=/usr
> ReadOnlyDirectories=/var/lib
> ReadWriteDirectories=/var/lib/mysql
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-discuss
> Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~maria-discuss
> More help   : https://help.launchpad.net/ListHelp