On 12.09.2016 at 21:40, Alex wrote:
Not sure, based on http://news.softpedia.com/news/mysql-zero-day-allows-database-takeover-50821..., it says this:
"CVE-2016-6662 allows attackers to alter the my.conf file
where does the mysql user have those permissions?
and load third-party code that will be executed with root privileges
how should that be possible from a daemon running with a restricted user?
The second vulnerability Golunski discovered, which he didn't make public, is CVE-2016-6663. This is a variation of CVE-2016-6662, also leading to remote code execution under a root user"
doesn't matter, see above
On 9/12/2016 10:17 PM, Reindl Harald wrote:
On 12.09.2016 at 20:25, Sergei Golubchik wrote:
Hi, Alex!
On Sep 12, Alex wrote:
Hello,
In regards to this zero-day remote exploit, it seems MariaDB is also affected. Percona seems to have released new versions to fix this. Any news from the MariaDB side?
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-...
Yes, it was https://jira.mariadb.org/browse/MDEV-10465, fixed in 5.5.51, 10.0.27, 10.1.17, all released last month
thanks
but "MySQL-Exploit-Remote-Root-Code-Execution" is written by fools - how would a mysqld running as a restricted user get root privileges without any additional kernel bug, and who in his right mind is running mysqld as root, where with port 3306 it doesn't need those privileges even for startup?
[root@srv-rhsoft:~]$ cat /usr/lib/systemd/system/mysqld.service
[Unit]
Description=MariaDB Database
Before=postfix.service dovecot.service dbmail-imapd.service dbmail-lmtpd.service dbmail-pop3d.service dbmail-timsieved.service

[Service]
Type=simple
User=mysql
Group=mysql
ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --pid-file=/dev/null
ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID
Environment="LANG=en_GB.UTF-8"
Restart=always
RestartSec=1
TimeoutSec=300
LimitNOFILE=infinity
LimitMEMLOCK=infinity
OOMScoreAdjust=-1000
TasksMax=2048

PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_WRITE CAP_DAC_OVERRIDE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE CAP_SYS_PTRACE
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module kcmp kexec_load keyctl lookup_dcookie mbind mount open_by_handle_at perf_event_open pivot_root process_vm_readv process_vm_writev ptrace request_key set_mempolicy swapoff swapon umount2 uselib vmsplice
RestrictAddressFamilies=AF_UNIX AF_LOCAL AF_INET AF_INET6
SystemCallArchitectures=x86-64

ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
ReadWriteDirectories=/var/lib/mysql
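The argument in the reply above (mysqld runs as an unprivileged user, /etc including my.cnf is read-only inside the service's mount namespace, NoNewPrivileges blocks setuid escalation, and the risky capabilities are dropped from the bounding set) can be checked mechanically against any unit file. The following is an added example written for this thread, not code from the mailing list, from MariaDB or from systemd. It parses a unit file (the sample embedded below is constructed from the one quoted above, trimmed) and reports which of those sandboxing properties are missing. Assumptions of the example, not facts from the thread: the set of capabilities it treats as dangerous, /etc/my.cnf as the fallback config path when ExecStart names none, and a longest-prefix-wins model for how ReadOnlyDirectories/ReadWriteDirectories (and their *Paths= spellings) overlap.

```python
"""Audit a systemd unit for the sandboxing directives discussed in the thread.

Added example, not code from the mailing-list thread. The checks below are
this example's own choices, not a MariaDB or systemd recommendation.
"""
import re
from collections import defaultdict

# Constructed sample: the [Service] section quoted in the thread, trimmed.
SAMPLE_UNIT = """\
[Unit]
Description=MariaDB Database

[Service]
Type=simple
User=mysql
Group=mysql
ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --pid-file=/dev/null
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=~CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_PTRACE
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
ReadWriteDirectories=/var/lib/mysql
"""

# Constructed counter-example: no User=, no sandboxing, config dir writable.
WEAK_UNIT = """\
[Service]
Type=simple
ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf
ReadWriteDirectories=/etc
"""

HARDENING_BOOLEANS = ("NoNewPrivileges", "PrivateTmp", "PrivateDevices")
# Assumption of this example: capabilities a database daemon should never keep.
DANGEROUS_CAPS = {"CAP_SETUID", "CAP_SETGID", "CAP_SYS_ADMIN", "CAP_DAC_OVERRIDE"}


def parse_unit(text):
    """Return {section: {key: [values...]}}; systemd allows repeated keys."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return sections


def _covered(path, entries):
    """Longest entry that is `path` itself or an ancestor of it, or None."""
    best = None
    for p in entries:
        p = p.rstrip("/") or "/"
        if p == "/" or path == p or path.startswith(p + "/"):
            if best is None or len(p) > len(best):
                best = p
    return best


def config_dir_writable(service):
    """True if the directory holding --defaults-file is writable in the sandbox.

    Models the read-only/read-write overlap as longest-prefix-wins (assumption).
    """
    cfg = "/etc/my.cnf"  # fallback when ExecStart names no file (assumption)
    for cmd in service.get("ExecStart", []):
        m = re.search(r"--defaults-file=(\S+)", cmd)
        if m:
            cfg = m.group(1)
    cfg_dir = cfg.rsplit("/", 1)[0] or "/"
    ro = _covered(cfg_dir, service.get("ReadOnlyDirectories", []) + service.get("ReadOnlyPaths", []))
    rw = _covered(cfg_dir, service.get("ReadWriteDirectories", []) + service.get("ReadWritePaths", []))
    if ro is None:
        return True  # nothing makes the config dir read-only
    return rw is not None and len(rw) > len(ro)


def audit_service(unit_text):
    """Return a list of human-readable findings; empty list means all checks pass."""
    service = parse_unit(unit_text).get("Service", {})
    findings = []
    if service.get("User", ["root"])[-1] == "root":
        findings.append("runs as root (no User= or User=root)")
    for key in HARDENING_BOOLEANS:
        if service.get(key, ["no"])[-1].lower() not in ("yes", "true", "1"):
            findings.append(f"{key} is not enabled")
    caps = service.get("CapabilityBoundingSet")
    if caps is None:
        findings.append("CapabilityBoundingSet not restricted")
    else:
        spec = caps[-1]  # last assignment wins in this simplified model
        listed = set(spec.lstrip("~").split())
        # A leading "~" means "drop these"; otherwise the list is what is kept.
        kept = DANGEROUS_CAPS - listed if spec.startswith("~") else DANGEROUS_CAPS & listed
        if kept:
            findings.append("dangerous capabilities still in bounding set: " + " ".join(sorted(kept)))
    if config_dir_writable(service):
        findings.append("directory of the --defaults-file is writable by the service")
    return findings


if __name__ == "__main__":
    for name, unit in (("hardened", SAMPLE_UNIT), ("weak", WEAK_UNIT)):
        print(name, audit_service(unit) or ["ok"])
```

To audit a live system, feed the script the output of `systemctl cat mysqld.service` instead of the embedded sample; the checks are deliberately conservative and only look at the [Service] section.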