I talked to 2 developers that are on the AppArmor team after my Defcon talk
and they have a fix in the Linux Mainline. Changing MySQL's temp
directory is probably unnecessary due to AppArmor improvements, although I
haven't gotten around to testing it. I plan on doing an extensive test very
soon. You should expect additions to this security-related bug report.

On Mon, Aug 16, 2010 at 5:33 AM, Jamie Strandboge <ja...@ubuntu.com>
wrote:

> I talked to our server team about this, and they said that changing the
> temp directory for MySQL is actually bug #375371. I am going to mark the
> MySQL task as "Invalid" here (for lack of a better category) and
> encourage discussion of moving the temporary directory to bug
> #375371. If that bug becomes "Won't Fix" we should reopen the MySQL task
> in this one for setting the MySQL umask.
>
> ** Changed in: mysql-dfsg-5.1 (Ubuntu)
>       Status: Triaged => Won't Fix
>
> --
> mysql configuration should be adjusted to help prevent against chained
> attacks against LAMP stack
> https://bugs.launchpad.net/bugs/578922
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in “apparmor” package in Ubuntu: Fix Released
> Status in “mysql-dfsg-5.1” package in Ubuntu: Won't Fix
>
> Bug description:
> Binary package hint: apparmor
>
> I have reported this to the CERT/Bugtraq system so you may have been
> contacted by them. It was a large bug report so something may have fallen
> through the cracks.
>
> The problem is AppArmor rule sets do not adequately protect a LAMP
> environment from attacks. Exploit code has been written which bypasses
> AppArmor rule sets to obtain remote code execution. The exploit can be
> obtained here (https://sitewat.ch/Exploits/nuke_exploit.txt).
>
> The attack scenario:
> Back before AppArmor it was common to see sql injection attacks against
> PHP/MySQL like this:
> Vulnerable code:
> <?php
> mysql_query("select name from user where id=".$_GET[id]);
> ?>
> Exploit:
> http://localhost/sql_inj.php?id=0 union select "<?php eval($_GET[e]);?>"
> into outfile "/var/www/backdoor.php"
>
> AppArmor stops this attack, which is impressive. However, there is a
> flaw in this security system. In my exploit I am dropping the file in
> "/tmp/theme.php", then I use a Local File Include vulnerability (LFI) to
> execute this php file. The problem is that BOTH MySQL and Apache have
> access to /tmp/. The line "#include <abstractions/user-tmp>" in the
> usr.sbin.mysqld is the source of the vulnerability. The patch is very
> simple: mysql should have its own tmp folder that only the mysqld process
> has access to.
>
> This whole concept of process separation to prevent attacks is completely
> undermined by creating "unions" between processes in the form of these
> header files. In fact, every time you see an #include in an AppArmor rule
> set, it's a point of weakness. I hope to give another killer
> blackhat/defcon talk; this time I am talking about my exploit and
> these abuses against apparmor.
>
> Thanks,
> Michael Brooks.
>

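The "union" the report describes (two confined processes both granted write access to /tmp via the same abstraction) can be checked mechanically by expanding each profile's includes and intersecting the writable paths. This is an added example, not code from the bug report, from Ubuntu or from AppArmor itself; it assumes a simplified rule syntax, constructed abstraction bodies, and an assumed private directory /var/lib/mysql-tmp for the hardened mysqld profile.

```python
import re

# Constructed, simplified abstraction bodies (not the real Ubuntu files).
# The real abstractions/user-tmp grants read/write under /tmp and /var/tmp.
ABSTRACTIONS = {
    "abstractions/user-tmp": ["/tmp/** rwkl,", "/var/tmp/** rwkl,"],
    "abstractions/base": ["/usr/lib/** r,"],
}

RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+),\s*$")
INCLUDE_RE = re.compile(r"^\s*#include\s+<([^>]+)>\s*$")


def writable_paths(profile_text, abstractions=ABSTRACTIONS):
    """Return the set of path globs a profile may write, following #includes
    recursively. A rule counts as writable if its permissions contain 'w'."""
    paths = set()
    for line in profile_text.splitlines():
        inc = INCLUDE_RE.match(line)
        if inc:
            body = "\n".join(abstractions.get(inc.group(1), []))
            paths |= writable_paths(body, abstractions)
            continue
        rule = RULE_RE.match(line)
        if rule and "w" in rule.group(2):
            paths.add(rule.group(1))
    return paths


def shared_writable(profiles):
    """Map each writable path glob to the profiles that share it; any entry
    with two or more names is a cross-process 'union' of the kind reported."""
    owners = {}
    for name, text in profiles.items():
        for path in writable_paths(text):
            owners.setdefault(path, set()).add(name)
    return {p: n for p, n in owners.items() if len(n) > 1}


# Constructed profiles modelled on the report: both include user-tmp.
APACHE = "#include <abstractions/base>\n#include <abstractions/user-tmp>\n/var/www/** r,\n"
MYSQLD_WEAK = "#include <abstractions/base>\n#include <abstractions/user-tmp>\n/var/lib/mysql/** rwk,\n"
# Hardened variant: a private tmp directory (assumed path) and no shared tmp abstraction.
MYSQLD_FIXED = "#include <abstractions/base>\n/var/lib/mysql/** rwk,\n/var/lib/mysql-tmp/** rwk,\n"

if __name__ == "__main__":
    print(shared_writable({"apache2": APACHE, "mysqld": MYSQLD_WEAK}))   # /tmp and /var/tmp shared
    print(shared_writable({"apache2": APACHE, "mysqld": MYSQLD_FIXED}))  # {}
```

Run the same check against the real profiles by replacing the constructed abstraction bodies with the contents of /etc/apparmor.d/abstractions/.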