Vigil@nce - MySQL: privilege escalation via my.cnf malloc_lib
November 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the logging feature to create a special
my.cnf file, to force MySQL to load a malicious library, in order
to escalate his privileges.
Impacted products: Debian, Fedora, MariaDB precise, MySQL
Community, MySQL Enterprise, openSUSE, openSUSE Leap, Percona
Server, XtraDB Cluster, RHEL, Slackware, SUSE Linux Enterprise
Desktop, SLES, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Creation date: 12/09/2016.
DESCRIPTION OF THE VULNERABILITY
The MySQL product allows users to specify a log file:
set global general_log_file = '/home/user/logfile';
Moreover, the /etc/my.cnf configuration file can contain a
"malloc_lib" directive to change allocation libraries.
However, an attacker can set general_log_file to /etc/my.cnf, and
generate an error containing the string
"malloc_lib=/tmp/malicious.so", which is then logged into the
configuration file.
A local attacker can therefore use the logging feature to create a
special my.cnf file, to force MySQL to load a malicious library,
in order to escalate his privileges.
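A defensive check for the condition described above, as an added example that is not part of the Vigil@nce bulletin: it scans the text of an option file for a malloc_lib directive and for lines that are not option-file syntax (a sign that log output was written into it), and flags a general_log_file value that points at a .cnf file. The function names and the sample file content are constructed for illustration.

```python
import re

# MySQL option files accept '-' and '_' interchangeably in option names.
MALLOC_RE = re.compile(r"^\s*malloc[-_]lib\s*=\s*(\S+)", re.IGNORECASE)
# Valid option-file lines: blank, comment, [group], !include/!includedir,
# or "key" / "key=value".
VALID_RE = re.compile(
    r"^\s*($|[#;]|\[[^\]]+\]\s*$|!include(dir)?\s+\S+"
    r"|[A-Za-z0-9_.-]+\s*(=.*)?$)"
)

def audit_option_file(text):
    """Return (line_no, kind, detail) findings for one option file's text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = MALLOC_RE.match(line)
        if m:
            # A malloc_lib entry can be legitimate; report it for review.
            findings.append((n, "malloc_lib", m.group(1)))
        elif not VALID_RE.match(line):
            # Log output appended to a config file does not parse as options.
            findings.append((n, "not_option_syntax", line.strip()))
    return findings

def log_target_is_config(general_log_file):
    """True if the configured general log path points at an option file."""
    path = general_log_file.strip().strip("'\"")
    return re.search(r"\.cnf$", path, re.IGNORECASE) is not None

# Constructed sample: an option file that has had log lines written into it.
SAMPLE = """\
[mysqld]
datadir=/var/lib/mysql
# constructed log debris follows
Time                 Id Command    Argument
160912 10:00:00     42 Query      select 1
malloc_lib=/tmp/malicious.so
"""

if __name__ == "__main__":
    for line_no, kind, detail in audit_option_file(SAMPLE):
        print(f"line {line_no}: {kind}: {detail}")
    print("log target is config:", log_target_is_config("/etc/my.cnf"))
```

Run it against the content of each option file the server reads, and against the value returned by `select @@global.general_log_file;`.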
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/MySQL-privilege-escalation-via-my-cnf-malloc-lib-20580