0x00 漏洞影响
mysql 5.5、5.6、5.7 在10月份更新前的所有版本,包括分支版本MariaDB和PerconaDB 。
0x01 利用途径
通过远程数据库连接,web接口如phpMyAdmin,以及sql注入都可以完成。
0x02 漏洞原理
一些默认的mysql安装方式并且mysqld_safe脚本作为包装器以root权限启动mysql服务进程,比如像:
service mysql start
/etc/init.d/mysql start
ps aux | grep mysql以后你会发现mysqld_safe是以root权限运行,而mysql的主进程被降为了mysql用户,其中mysqld_safe有如下代码:
----[ /usr/bin/mysqld_safe ]----
[...]
# set_malloc_lib LIB
# - If LIB is empty, do nothing and return
# - If LIB is 'tcmalloc', look for tcmalloc shared library in /usr/lib
# then pkglibdir. tcmalloc is part of the Google perftools project.
# - If LIB is an absolute path, assume it is a malloc shared library
#
# Put LIB in mysqld_ld_preload, which will be added to LD_PRELOAD when
# running mysqld. See ld.so for details.
set_malloc_lib() {
malloc_lib="$1"
if [ "$malloc_lib" = tcmalloc ]; then
pkglibdir=`get_mysql_config --variable=pkglibdir`
malloc_lib=
# This list is kept intentionally simple. Simply set --malloc-lib
# to a