[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2011-09-19 Thread Ubuntu QA's Bug Bot
** Tags added: testcase

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-dfsg-5.1 in Ubuntu.
https://bugs.launchpad.net/bugs/578922

Title:
  mysql configuration should be adjusted to help prevent against chained
  attacks against LAMP stack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/578922/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-12-15 Thread Launchpad Bug Tracker
This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.1

---
apparmor (2.5.1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

  * Backport 2.5.1-0ubuntu0.10.10.1 from maverick for userspace tools to work
with newer kernels (LP: #660077)
NOTE: user-tmp now uses 'owner' match, so non-default profiles will have
to be adjusted when 2 separately confined applications that both use the
user-tmp abstraction depend on being able to cooperatively share files
with each other in /tmp or /var/tmp.
  * remove the following patches (features not appropriate for SRU):
- 0002-add-chromium-browser.patch
- 0003-local-includes.patch
- 0004-ubuntu-abstractions-updates.patch
  * debian/rules (this makes it the same as what was shipped in 10.04 LTS
release):
- don't ship aa-update-browser and its man page (requires
  0004-ubuntu-abstractions-updates.patch)
- don't ship apparmor.d/local/ (requires 0003-local-includes.patch)
- don't use dh_apparmor (not in Ubuntu 10.04 LTS)
- don't ship chromium profile
  * remove debian/profiles/chromium-browser
  * remove debian/aa-update-browser*
  * debian/apparmor-profiles.postinst: revert to that in lucid release
(requires dh_apparmor and 0002-add-chromium-browser.patch)
  * remove debian/apparmor-profiles.postrm: doesn't make sense without
0002-add-chromium-browser.patch
  * debian/control:
- revert Build-Depends on debhelper (>= 5)
- revert Standards-Version to 3.8.4
- revert Vcs-Bzr
- use Conflicts/Replaces version that was in Ubuntu 10.04 LTS
  * debian/patches/0011-lucid-compat-dbus.patch: move /var/lib/dbus/machine-id
back into dbus, since profiles on 10.04 LTS expect it there
  * debian/patches/0012-lucid-compat-kde.patch: add kde4-config to kde
abstraction, since the firefox profile on Ubuntu 10.04 LTS expects it to
be there

apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  * New upstream release (LP: #660077)
- The following patches were refreshed:
  + 0001-fix-release.patch
  + 0003-local-includes.patch
  + 0004-ubuntu-abstractions-updates.patch
  + 0008-lp648900.patch: renamed as 0005-lp648900.patch
- The following patches were dropped (included upstream):
  + 0005-lp601583.patch
  + 0006-network-interface-enumeration.patch
  + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/source_apparmor.py: apport hook should use
root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
so we can put apache2 profiles into the -profiles package without
aa-logprof bailing out. Patch by Marc Deslauriers.
(LP: #539441)
  * debian/patches/0009-sensible-browser-pix.patch: use Pix with
sensible-browser
  * debian/patches/0010-ubuntu-buildd.patch: skip parser caching test if
the AppArmor securityfs introspection directory is not mounted, as
is the case on Ubuntu buildds.

apparmor (2.5.1~rc1-0ubuntu2) maverick; urgency=low

  * abstractions/ubuntu-email: adjustment for ever-changing thunderbird path
(LP: #648900)

apparmor (2.5.1~rc1-0ubuntu1) maverick; urgency=low

  [ Jamie Strandboge ]
  * New upstream RC release (revision 1413). In addition to getting the tools
to work with the maverick kernel, this update fixes:
- LP: #619521
- LP: #633369
- LP: #626451
- LP: #581525
- LP: #623467 (link and unlink still need to be addressed)
  * Dropped the following patches, included upstream:
- 0002-lp615177.patch
- 0004-ubuntu-pux.patch
- 0006-kde4-config-pux.patch
- 0007-lp605835.patch
- 0012-lp625041.patch
- 0013-lp623586.patch
  * Update the following patches:
- rename 0010-fix-release.patch as 0001-fix-release.patch since this will
  likely always need to be here
- rename 0005-add-chromium-browser.patch as
  0002-add-chromium-browser.patch
- rename 0001-local-includes.patch as 0003-local-includes.patch and update
  to use r1493 (from trunk) of local/README file. This can be dropped in
  2.6.
- collect the ubuntu abstractions updates pulled from trunk into
  0004-ubuntu-abstractions-updates.patch. This can be dropped in 2.6.
- rename 0008-lp601583.patch as 0005-lp601583.patch. This can be dropped
  in 2.5.1 final.
  * fix up some lintian warnings:
- debian/cont

[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-12-14 Thread Martin Pitt
** Tags added: verification-donee
** Tags removed: verification-needed

** Tags added: verification-done
** Tags removed: verification-donee



[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-12-14 Thread Jamie Strandboge
Upgraded to 2.5.1-0ubuntu0.10.04.1 in lucid-proposed and this issue is
resolved.



[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-12-03 Thread Martin Pitt
Accepted apparmor into lucid-proposed, the package will build now and be
available in a few hours. Please test and give feedback here. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed. Thank you in advance!

** Changed in: apparmor (Ubuntu Lucid)
   Status: In Progress => Fix Committed

** Tags added: verification-needed



[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-11-03 Thread Jamie Strandboge
** Description changed:

+ SRU Justification (apparmor)
+ 
+ 1. impact of the bug is medium for stable releases. While no
+ applications shipped in Ubuntu are directly affected by this, it would
+ be good if our LTS release provided a more secure user-tmp abstraction
+ for people deploying new profiles on Ubuntu 10.04 LTS.
+ 
+ 2. This has been addressed during the maverick development cycle.
+ 
+ 3. Patch is small. It places 'owner' in front of /tmp/** and /var/tmp/**
+ as well as requiring 'owner' for @{HOME}/tmp/ and its files and
+ subdirectories.
+ 
+ 4. TEST CASE:
+ $ cp /usr/share/example-content/Kubuntu_leaflet.jpg /tmp
+ $ sudo chown root:root /tmp/Kubuntu_leaflet.jpg
+ $ sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
+ $ firefox /tmp/Kubuntu_leaflet.jpg
+ 
+ At this point, firefox will not display the image and something like the
+ following should be in dmesg:
+ [ 1298.220693] type=1503 audit(1288797298.697:138): operation="open" pid=2948 parent=2944 profile="/usr/lib/firefox-3.6.12/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/tmp/Kubuntu_leaflet.jpg"
+ 
+ 5. This will regress if a confined application tries to access files
+ owned by another user in /tmp (indeed, that is the protection we want ;)
+ and when someone confines two different applications that a) run under
+ differing user ids and b) interact with each other by one writing to
+ /tmp and the other reading that file from /tmp. I imagine that there are
+ very few users who would be affected by this. On the desktop, the evince
+ profile is affected at all by this change because it explicitly allows
+ read access to any files with an extension that it has support for.
+ Firefox's profile is disabled by default.
+ 
+ This is a change requiring the most testing and thought. I maintain it
+ is an important proactive fix for Lucid. It has been in maverick for
+ several months with no reported regressions once we decided on the right
+ approach. Once in -proposed, I plan to run the QRT tests on all AppArmor
+ confined applications in Lucid to verify no regressions.
+ 
+ 
  Binary package hint: apparmor
  
  I have reported this to the CERT/Bugtraq system so you may have been
  contacted by them.  It was a large bug report so something may have
  fallen through the cracks.
  
  The problem is AppArmor rule sets do not adequately protect a LAMP
  environment from attacks.  Exploit code has been written which bypasses
  AppArmor rule sets to obtain remote code execution.  The exploit can
  be obtained here (https://sitewat.ch/Exploits/nuke_exploit.txt).
  
  The attack scenario:
  Back before AppArmor it was common to see SQL injection attacks against
  PHP/MySQL like this:
  Vulnerable code:
  <?php
  mysql_query("select name from user where id=".$_GET[id]);
  ?>
  
  Exploit:
  http://localhost/sql_inj.php?id=0 union select "" into
  outfile "/var/www/backdoor.php"
  
  AppArmor stops this attack, which is impressive.  However, there is a
  flaw in this security system.  In my exploit I am dropping the file in
  "/tmp/theme.php" then I use a Local File Include vulnerability (LFI) to
  execute this PHP file.  The problem is that BOTH MySQL and Apache have
  access to /tmp/.  The line "#include " in the
  usr.sbin.mysqld is the source of the vulnerability.  The patch is very
  simple, mysql should have its own tmp folder that only the mysqld
  process has access to.
  
  This whole concept of process separation to prevent attacks is
  completely undermined by creating "unions" between processes in the
  form of these header files.  In fact every time you see an #include in an
  AppArmor rule set, it's a point of weakness.  I hope to give another
  killer blackhat/defcon talk, this time I am talking about my exploit and
  these abuses against apparmor.
  
  Thanks,
  Michael Brooks.



[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-11-03 Thread Jamie Strandboge
SRU Justification (apparmor)

1. impact of the bug is medium for stable releases. While no
applications shipped in Ubuntu are directly affected by this, it would
be good if our LTS release provided a more secure user-tmp abstraction
for people deploying new profiles on Ubuntu 10.04 LTS.

2. This has been addressed during the maverick development cycle.

3. Patch is small. It places 'owner' in front of /tmp/** and /var/tmp/**
as well as requiring 'owner' for @{HOME}/tmp/ and its files and
subdirectories.

4. TEST CASE:
$ cp /usr/share/example-content/Kubuntu_leaflet.jpg /tmp
$ sudo chown root:root /tmp/Kubuntu_leaflet.jpg
$ sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
$ firefox /tmp/Kubuntu_leaflet.jpg

At this point, firefox will not display the image and something like the
following should be in dmesg:
[ 1298.220693] type=1503 audit(1288797298.697:138): operation="open" pid=2948 parent=2944 profile="/usr/lib/firefox-3.6.12/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/tmp/Kubuntu_leaflet.jpg"

5. This will regress if a confined application tries to access files
owned by another user in /tmp (indeed, that is the protection we want ;)
and when someone confines two different applications that a) run under
differing user ids and b) interact with each other by one writing to
/tmp and the other reading that file from /tmp. I imagine that there are
very few users who would be affected by this. On the desktop, the evince
profile is affected at all by this change because it explicitly allows
read access to any files with an extension that it has support for.
Firefox's profile is disabled by default.

This is a change requiring the most testing and thought. I maintain it
is an important proactive fix for Lucid. It has been in maverick for
several months with no reported regressions once we decided on the right
approach. Once in -proposed, I plan to run the QRT tests on all AppArmor
confined applications in Lucid to verify no regressions.
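As an added illustration (not code from the bug report, from AppArmor or from Ubuntu), the following Python models what the `owner` qualifier from item 3 does to the global tmp rules, and runs a defender's check over dmesg lines of the form shown in item 4. The rule texts are constructed to mirror the described change, not copied from the shipped abstractions/user-tmp, and the uids 101 and 33 are made-up values for two separately confined services.

```python
import re
from dataclasses import dataclass

# Constructed rule sets mirroring the change item 3 describes: `owner` placed
# in front of /tmp/** and /var/tmp/**.  They are an illustration, not the text
# of the shipped abstractions/user-tmp, and omit the @{HOME}/tmp/ rules.
USER_TMP_OLD = """
  /tmp/ rw,
  /tmp/** rwl,
  /var/tmp/ rw,
  /var/tmp/** rwl,
"""
USER_TMP_NEW = """
  /tmp/ rw,
  owner /tmp/** rwl,
  /var/tmp/ rw,
  owner /var/tmp/** rwl,
"""

# The dmesg line from the test case in item 4, joined onto one line.
SAMPLE_DENIAL = (
    '[ 1298.220693] type=1503 audit(1288797298.697:138): operation="open" '
    'pid=2948 parent=2944 profile="/usr/lib/firefox-3.6.12/firefox-*bin" '
    'requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 '
    'name="/tmp/Kubuntu_leaflet.jpg"'
)

@dataclass(frozen=True)
class Rule:
    owner_only: bool      # rule carries the `owner` qualifier
    pattern: re.Pattern   # compiled from the AppArmor path glob
    perms: frozenset      # e.g. {'r', 'w', 'l'}

def glob_to_regex(glob):
    """AppArmor globbing: '**' may span '/', a single '*' may not."""
    regex = re.escape(glob).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + regex + "$")

def parse_rules(text):
    """Parse plain `[owner] <path> <perms>,` file rules (no deny/include)."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        owner_only = parts[0] == "owner"
        path, perms = parts[1:] if owner_only else parts
        rules.append(Rule(owner_only, glob_to_regex(path), frozenset(perms)))
    return rules

def is_allowed(rules, path, perms, fsuid, ouid):
    """Permissions accumulate over every matching rule; an `owner` rule only
    contributes when the process's fsuid equals the file owner's uid."""
    granted = set()
    for r in rules:
        if r.owner_only and fsuid != ouid:
            continue
        if r.pattern.match(path):
            granted |= r.perms
    return set(perms) <= granted

def shared_tmp_file(rules, writer_uid=101, reader_uid=33):
    """Two separately confined services running as different uids (the uids
    are constructed), one writing a file in /tmp and the other reading it.
    Returns (writer may create it, reader may open it)."""
    path = "/tmp/theme.php"
    can_write = is_allowed(rules, path, "w", fsuid=writer_uid, ouid=writer_uid)
    can_read = is_allowed(rules, path, "r", fsuid=reader_uid, ouid=writer_uid)
    return can_write, can_read

AUDIT_FIELD = re.compile(r'(\w+)="?([^"\s]*)"?')

def cross_owner_tmp_denials(lines):
    """Defender's check over audit/dmesg lines: files under /tmp or /var/tmp
    that a confined process was refused because it does not own them, i.e.
    the `owner` match firing (or, per item 5, a regression worth a look)."""
    hits = []
    for line in lines:
        if "denied_mask=" not in line:
            continue
        f = dict(AUDIT_FIELD.findall(line))
        name = f.get("name", "")
        if name.startswith(("/tmp/", "/var/tmp/")) and f.get("fsuid") != f.get("ouid"):
            hits.append(name)
    return hits

if __name__ == "__main__":
    print("old user-tmp (write, read):", shared_tmp_file(parse_rules(USER_TMP_OLD)))
    print("new user-tmp (write, read):", shared_tmp_file(parse_rules(USER_TMP_NEW)))
    print("cross-owner denials:", cross_owner_tmp_denials([SAMPLE_DENIAL]))
```

With the old rules the second service can read the first one's file; with `owner` in place it cannot, which is both the protection item 5 wants and the reason two cooperating profiles under different uids need adjusting.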



[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-11-02 Thread Jamie Strandboge
** Changed in: apparmor (Ubuntu Lucid)
   Importance: Undecided => Medium

** Changed in: apparmor (Ubuntu Lucid)
Milestone: None => lucid-updates



[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-11-02 Thread Jamie Strandboge
** Also affects: apparmor (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Also affects: mysql-dfsg-5.1 (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Changed in: mysql-dfsg-5.1 (Ubuntu Lucid)
   Status: New => Won't Fix

** Changed in: apparmor (Ubuntu Lucid)
   Status: New => In Progress

** Changed in: apparmor (Ubuntu Lucid)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)



Re: [Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-08-16 Thread Michael Brooks
I talked to 2 developers that are on the AppArmor team after my Defcon talk
and they have a fix in the Linux Mainline.  Changing MySQL's temp
directory is probably unnecessary due to AppArmor improvements, although I
haven't gotten around to testing it. I plan on doing an extensive test very
soon.  You should expect additions to this security related bug report.

On Mon, Aug 16, 2010 at 5:33 AM, Jamie Strandboge wrote:

> I talked to our server team about this, and they said that changing the
> temp directory for MySQL is actually bug #375371. I am going to mark the
> MySQL task as "Invalid" here (for lack of a better category) and
> encourage that discussion of moving the temporary directory be moved to
> bug #375371. If that bug becomes "Won't Fix" we should reopen the MySQL
> task in this one for setting the MySQL umask.
>
> ** Changed in: mysql-dfsg-5.1 (Ubuntu)
>   Status: Triaged => Won't Fix



[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-08-16 Thread Jamie Strandboge
I talked to our server team about this, and they said that changing the
temp directory for MySQL is actually bug #375371. I am going to mark the
MySQL task as "Invalid" here (for lack of a better category) and
encourage that discussion of moving the temporary directory be moved to
bug #375371. If that bug becomes "Won't Fix" we should reopen the MySQL
task in this one for setting the MySQL umask.

** Changed in: mysql-dfsg-5.1 (Ubuntu)
   Status: Triaged => Won't Fix



[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-08-05 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/apparmor



[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-08-05 Thread Launchpad Bug Tracker
This bug was fixed in the package apparmor - 2.5.1~pre1393-0ubuntu1

---
apparmor (2.5.1~pre1393-0ubuntu1) maverick; urgency=low

  * Update to upstream bzr revision 1393 from lp:apparmor/2.5.
* add dbus-session abstraction (LP: #566207)
* require owner in user-tmp abstraction (LP: #578922)
* don't use uninitialized $opt_s (LP: #582075)
* allow thunderbird 3 in abstractions/ubuntu-email (LP: #590462)
* allow gmplayer in abstractions/ubuntu-media-players (LP: #591421)
  * debian/control: updated branches.
  * debian/patches/0001-local-includes.patch: backported patch from trunk to
allow local administrators to customize their profiles without modifying
a shipped profile
  * debian/rules:
- don't pass RELEASE to libapparmor's 'make install' as it breaks the
build and isn't used by the Makefile anyway
- install apparmor.d/local/README in apparmor, not apparmor-profiles
- don't install apparmor.d/local/usr.sbin.ntpd
  * Drop the following patches already included upstream:
- 0001-lp538561.patch
- 0002-aalogprof-warnings.patch
- 0003-fix-memleaks.patch
- 0004-lp549557.patch
- 0005-lp538661.patch
- 0006-lp611248.patch
 -- Jamie Strandboge  Thu, 05 Aug 2010 16:10:46 -0500

** Changed in: apparmor (Ubuntu)
   Status: Fix Committed => Fix Released



Re: [Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-06-04 Thread Michael Brooks
Hey Mr Cook,

I am very interested in how this patch.  Before you roll it out I want to
make sure there isn't a trivial bypass.  Please keep me informed, I want
Ubuntu to be rock solid.

Thanks,
Michael Brooks

On Fri, Jun 4, 2010 at 5:12 PM, Kees Cook wrote:

> ** Changed in: apparmor (Ubuntu)
>   Importance: Undecided => Medium
>
> ** Changed in: mysql-dfsg-5.1 (Ubuntu)
>   Importance: Undecided => Medium
>
> ** Changed in: apparmor (Ubuntu)
> Assignee: (unassigned) => Jamie Strandboge (jdstrand)



[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-06-04 Thread Kees Cook
** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Medium

** Changed in: mysql-dfsg-5.1 (Ubuntu)
   Importance: Undecided => Medium

** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)



[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-05-12 Thread Michael Brooks
Hey Jamie,

For the most part I agree with your stance and I am happy to see the summary
update.  I also totally agree with this statement:
"Our stance is that if a security feature[SELinux] breaks default and common
configurations, users will turn off the feature."

PHP-Nuke will not run on a default Fedora system because of SELinux and
I think that the most common response is for people to disable it
altogether.  I agree that a security measure like this should be avoided
at all costs in Ubuntu.  I think that we can both agree that there is a
common ground in terms of security and usability.  I will keep an eye
on this problem and see that it matures properly.

You are correct, AppArmor doesn't have a feature to protect the context
in which data is accessed like SELinux, and it would be nice if it did.
My argument is that AppArmor with its current feature set can be
configured to break my exploit, but other proven security measures can
also be used to address this issue.  I would like to be involved with
Hardened Ubuntu to help find a good solution to these problems.

Thanks Again,
Michael



[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

2010-05-12 Thread Jamie Strandboge
** Summary changed:

- mysql configuration does not prevent against combined attacks against LAMP 
stack
+ mysql configuration should be adjusted to help prevent against chained 
attacks against LAMP stack
