Hey Mr Cook, I am very interested in this patch. Before you roll it out I want to make sure there isn't a trivial bypass. Please keep me informed; I want Ubuntu to be rock solid.
Thanks,
Michael Brooks

On Fri, Jun 4, 2010 at 5:12 PM, Kees Cook <k...@ubuntu.com> wrote:
> ** Changed in: apparmor (Ubuntu)
>        Importance: Undecided => Medium
>
> ** Changed in: mysql-dfsg-5.1 (Ubuntu)
>        Importance: Undecided => Medium
>
> ** Changed in: apparmor (Ubuntu)
>      Assignee: (unassigned) => Jamie Strandboge (jdstrand)
>
> --
> mysql configuration should be adjusted to help prevent against chained
> attacks against LAMP stack
> https://bugs.launchpad.net/bugs/578922
>
> Status in “apparmor” package in Ubuntu: Fix Committed
> Status in “mysql-dfsg-5.1” package in Ubuntu: Triaged
>
> Bug description:
> Binary package hint: apparmor
>
> I have reported this to the CERT/Bugtraq system so you may have been
> contacted by them. It was a large bug report so something may have fallen
> through the cracks.
>
> The problem is AppArmor rule sets do not adequately protect a LAMP
> environment from attacks. Exploit code has been written which bypasses
> AppArmor rule sets to obtain remote code execution. The exploit can be
> obtained here (https://sitewat.ch/Exploits/nuke_exploit.txt).
>
> The attack scenario:
> Back before AppArmor it was common to see SQL injection attacks against
> PHP/MySQL like this:
>
> Vulnerable code:
> <?php
> mysql_query("select name from user where id=".$_GET[id]);
> ?>
>
> Exploit:
> http://localhost/sql_inj.php?id=0 union select "<?php eval($_GET[e]);?>"
> into outfile "/var/www/backdoor.php"
>
> AppArmor stops this attack, which is impressive. However, there is a
> flaw in this security system. In my exploit I am dropping the file in
> "/tmp/theme.php", then I use a Local File Include vulnerability (LFI) to
> execute this PHP file. The problem is that BOTH MySQL and Apache have
> access to /tmp/. The line "#include <abstractions/user-tmp>" in
> usr.sbin.mysqld is the source of the vulnerability. The patch is very
> simple: mysql should have its own tmp folder that only the mysqld process
> has access to.
>
> This whole concept of process separation to prevent attacks is completely
> undermined by creating "unions" between processes in the form of these
> header files. In fact, every time you see an #include in an AppArmor rule
> set, it's a point of weakness. I hope to give another killer
> blackhat/defcon talk; this time I am talking about my exploit and
> these abuses against AppArmor.
>
> Thanks,
> Michael Brooks.
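The weakness the report describes is a directory that one confined process can write and another can read, created by both profiles pulling in the same abstraction. The script below is an added example, not code from this thread or from the Ubuntu packages: it parses constructed toy AppArmor profile fragments (modelled on the rules named above, not copies of the shipped usr.sbin.mysqld or apache2 profiles, with a cut-down stand-in for abstractions/user-tmp), inlines the #include lines, and lists every path the mysqld profile may write that the apache2 profile may read. The "after" profile drops user-tmp and grants a hypothetical private directory /var/lib/mysql-tmp instead, which is the change the report asks for; the directory name and the my.cnf tmpdir pairing are assumptions.

```python
"""Find paths one AppArmor profile can write and another can read.

Added example for the user-tmp overlap discussed in the bug report.
The profiles and the abstraction table are constructed stand-ins, not
the real files under /etc/apparmor.d/.
"""
import re

# Constructed stand-in for /etc/apparmor.d/abstractions/*; the real files
# are longer, only rules relevant to the /tmp overlap are modelled.
ABSTRACTIONS = {
    "user-tmp": [
        "owner /tmp/** rwkl,",
        "/tmp/ rw,",
        "owner /var/tmp/** rwkl,",
        "/var/tmp/ rw,",
    ],
    "base": [
        "/etc/ld.so.cache r,",
        "/lib/** mr,",
    ],
}

# Profile shape described in the report: mysqld includes user-tmp.
MYSQLD_BEFORE = """
/usr/sbin/mysqld {
  #include <abstractions/base>
  #include <abstractions/user-tmp>
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
}
"""

# Proposed shape: no shared tmp, a private directory instead (hypothetical
# path; it would be paired with tmpdir=/var/lib/mysql-tmp in my.cnf).
MYSQLD_AFTER = """
/usr/sbin/mysqld {
  #include <abstractions/base>
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  # hypothetical private tmpdir, only mysqld's profile names it
  /var/lib/mysql-tmp/ r,
  /var/lib/mysql-tmp/** rwk,
}
"""

APACHE2 = """
/usr/sbin/apache2 {
  #include <abstractions/base>
  #include <abstractions/user-tmp>
  /var/www/** r,
}
"""

RULE_RE = re.compile(r"^(?:owner\s+)?(\S+)\s+([a-zA-Z]+),$")
INCLUDE_RE = re.compile(r"^#include\s+<abstractions/([\w-]+)>$")


def expand_rules(profile_text, _seen=None):
    """Yield (path, perms) pairs with abstraction includes inlined."""
    seen = set() if _seen is None else _seen
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.endswith("{") or line == "}":
            continue  # blank line or profile braces
        m = INCLUDE_RE.match(line)
        if m:
            name = m.group(1)
            if name in seen:  # guard against include cycles
                continue
            seen.add(name)
            yield from expand_rules("\n".join(ABSTRACTIONS[name]), seen)
            continue
        if line.startswith("#"):
            continue  # plain comment
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        yield m.group(1), m.group(2)


def paths_with(profile_text, perm):
    """Set of rule paths whose permission string contains `perm`."""
    return {path for path, perms in expand_rules(profile_text) if perm in perms}


def cross_access(writer_profile, reader_profile):
    """Paths the writer may write and the reader may read: the 'union'
    between two confined processes that the report warns about."""
    return sorted(paths_with(writer_profile, "w") & paths_with(reader_profile, "r"))


if __name__ == "__main__":
    print("before fix:", cross_access(MYSQLD_BEFORE, APACHE2))
    print("after fix: ", cross_access(MYSQLD_AFTER, APACHE2))
```

The comparison is on literal rule patterns, so it only catches overlap where both profiles name the same path or glob; a real audit would need AppArmor's glob semantics to spot, for example, `/tmp/**` in one profile against `/tmp/*.php` in the other, and would read the profiles and abstractions from /etc/apparmor.d/ rather than from strings.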