CVE-2021-47761
📋 TL;DR
MilleGPG5 5.7.2 contains a local privilege escalation vulnerability where authenticated users can modify MariaDB service executable files. Attackers can replace mysqld.exe with malicious code that executes with SYSTEM privileges upon system restart. This affects systems running MilleGPG5 5.7.2 with MariaDB components.
💻 Affected Systems
- MilleGPG5
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with persistent SYSTEM-level backdoor installation, allowing complete control over the affected system and potential lateral movement.
Likely Case
Local authenticated attackers gain SYSTEM privileges, enabling installation of malware, data theft, or further network compromise.
If Mitigated
Limited to authenticated user compromise with proper file permissions preventing unauthorized file modifications.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (ID 50558). Requires authenticated user access and ability to modify files in MariaDB bin directory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.3 or later
Vendor Advisory: https://millegpg.it/
Restart Required: Yes
Instructions:
1. Download the latest version from the official MilleGPG5 website.
2. Uninstall the vulnerable version.
3. Install the updated version.
4. Restart the system to ensure a clean state.
🔧 Temporary Workarounds
Restrict MariaDB bin directory permissions
Platform: Windows
Set strict file permissions on the MariaDB bin directory so that only SYSTEM and Administrators can modify it. Note that the icacls right "C" is not valid (it is a cacls-era "Change" right); the write-only right is "W":
icacls "C:\Program Files\MariaDB\bin" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /deny "Users:(OI)(CI)W"
icacls "C:\Program Files\MariaDB\bin\mysqld.exe" /inheritance:r /grant:r "SYSTEM:F" "Administrators:F" /deny "Users:W"
Monitor file integrity of mysqld.exe
Platform: All
Implement file integrity monitoring to detect unauthorized changes to MariaDB executables.
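As an added example (not part of this advisory, MilleGPG5 or MariaDB), the following PowerShell script combines the two workarounds above: it audits the ACL of the MariaDB bin directory and mysqld.exe for write-capable Allow entries held by non-administrative principals, and compares mysqld.exe against a stored SHA256 baseline. The install path and baseline file location are assumptions; adjust them to the host.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell prompt.
# $BinDir and $BaselineFile are assumed paths for this illustration.
param(
    [string]$BinDir = 'C:\Program Files\MariaDB\bin',
    [string]$BaselineFile = 'C:\ProgramData\mysqld-baseline.sha256'
)

# Rights that allow a principal to alter or replace files in the directory.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
             $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::WriteAttributes -bor
             $fsr::WriteExtendedAttributes -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership

# Principals expected to hold write access. A dedicated MariaDB service account
# only needs Read/Execute, so it is deliberately not listed here.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$findings = @()
$exe = Join-Path $BinDir 'mysqld.exe'

foreach ($path in @($BinDir, $exe)) {
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        # -band on the enum yields the overlapping bits; non-zero means write capability.
        if ((([int]$ace.FileSystemRights) -band ([int]$writeMask)) -ne 0) {
            $findings += "$path : '$($ace.IdentityReference)' holds $($ace.FileSystemRights)"
        }
    }
}

# File integrity check: record a baseline on a known-good install, then compare.
$current = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
if (Test-Path $BaselineFile) {
    $expected = (Get-Content -Path $BaselineFile -Raw).Trim()
    if ($current -ne $expected) {
        $findings += "$exe : SHA256 $current does not match baseline $expected"
    }
} else {
    Set-Content -Path $BaselineFile -Value $current
    Write-Host "Recorded baseline SHA256 for $exe in $BaselineFile"
}

if ($findings.Count -eq 0) {
    Write-Host 'OK: no non-admin write access found and mysqld.exe matches its baseline'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Schedule the script (for example via a scheduled task running as SYSTEM) so that a replaced mysqld.exe or a loosened ACL is reported before the next service restart.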
🧯 If You Can't Patch
- Remove write permissions for non-administrative users from MariaDB bin directory
- Implement application whitelisting to prevent execution of unauthorized binaries from MariaDB directory
🔍 How to Verify
Check if Vulnerable:
Check the MilleGPG5 version: open the MilleGPG5 application and navigate to Help > About. If the version is 5.7.2, the system is vulnerable.
Check Version:
Not applicable - check via application GUI
Verify Fix Applied:
Verify that the version shown under Help > About is 5.7.3 or later, and check that the file permissions on the MariaDB bin directory show the proper restrictions.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing file modifications in MariaDB bin directory
- Unexpected process execution with SYSTEM privileges from MariaDB directory
Network Indicators:
- Unusual outbound connections from mysqld.exe process
- Network traffic patterns inconsistent with normal MariaDB operations
SIEM Query:
(EventID=4663 AND ObjectName LIKE '%MariaDB%bin%' AND Accesses LIKE '%WriteData%') OR (EventID=4688 AND NewProcessName LIKE '%MariaDB%bin%mysqld.exe%')