Comment 8 for bug 578922

Todd Smith (td-smith) wrote : Re: [Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

I talked to 2 developers that are on the AppArmor team after my Defcon talk
and they have a fix in the Linux Mainline. Changing the MySQL's temp
directory is probably unnecessary due to AppArmor improvements, although I
haven't gotten around to testing it. I plan on doing an extensive test very
soon. You should expect additions to this security related bug report.

On Mon, Aug 16, 2010 at 5:33 AM, Jamie Strandboge <email address hidden> wrote:

> I talked to our server team about this, and they said that changing the
> temp directory for MySQL is actually bug #375371. I am going to mark the
> MySQL task as "Invalid" here (for lack of a better category) and
> encourage discussion of moving the temporary directory in bug
> #375371. If that bug becomes "Won't Fix" we should reopen the MySQL task
> in this one for setting the MySQL umask.
>
> ** Changed in: mysql-dfsg-5.1 (Ubuntu)
> Status: Triaged => Won't Fix
>
> --
> mysql configuration should be adjusted to help prevent against chained
> attacks against LAMP stack
> https://bugs.launchpad.net/bugs/578922
>
> Status in “apparmor” package in Ubuntu: Fix Released
> Status in “mysql-dfsg-5.1” package in Ubuntu: Won't Fix
>
> Bug description:
> Binary package hint: apparmor
>
> I have reported this to the CERT/Bugtraq system so you may have been
> contacted by them. It was a large bug report so something may have fallen
> through the cracks.
>
> The problem is AppArmor rule sets do not adequately protect a LAMP
> environment from attacks. Exploit code has been written which bypasses
> AppArmor rule sets to obtain remote code execution. The exploit can be
> obtained here (https://sitewat.ch/Exploits/nuke_exploit.txt).
>
> The attack scenario:
> Back before AppArmor it was common to see sql injection attacks against
> PHP/MySQL like this:
> Vulnerable code:
> <?php
> mysql_query("select name from user where id=".$_GET[id]);
> ?>
> Exploit:
> http://localhost/sql_inj.php?id=0 union select "<?php eval($_GET[e]);?>"
> into outfile "/var/www/backdoor.php"
>
> AppArmor stops this attack, which is impressive. However, there is a
> flaw in this security system. In my exploit I am dropping the file in
> "/tmp/theme.php" then I use a Local File Include vulnerability (LFI) to
> execute this php file. The problem is that BOTH MySQL and Apache have
> access to /tmp/. The line "#include <abstractions/user-tmp>" in the
> usr.sbin.mysqld is the source of the vulnerability. The patch is very
> simple, mysql should have its own tmp folder that only the mysqld process
> has access to.
>
> This whole concept of process separation to prevent attacks is completely
> undermined by creating "unions" between processes in the form of these
> header files. In fact every time you see an #include in an AppArmor rule
> set, it's a point of weakness. I hope to give another killer
> blackhat/defcon talk, this time I am talking about my exploit and
> these abuses against apparmor.
>
> Thanks,
> Michael Brooks.
>
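An added example, not code from the bug report, from Ubuntu, or from the AppArmor or MySQL projects: a small POSIX shell audit that checks the two conditions the report chains together (mysqld's tmpdir lying in a directory Apache can also use, and the mysqld AppArmor profile granting write access there, either through the user-tmp abstraction or an explicit rule). The my.cnf and profile text are constructed for the example; a weak pair (no tmpdir, so MySQL defaults to /tmp, plus `#include <abstractions/user-tmp>`) sits beside a hardened pair that moves tmpdir to a dedicated directory and replaces the abstraction with rules for that directory only. The hardened my.cnf also sets `secure_file_priv`, which is my addition rather than something the report proposes; it confines `SELECT ... INTO OUTFILE` to one directory and so blocks the backdoor write directly, independent of the profile. The directory names /var/lib/mysql-tmp and /var/lib/mysql-files are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or any Ubuntu package): audit a
# my.cnf plus a mysqld AppArmor profile for the shared-/tmp condition.
# All config and profile text below is constructed for this example.

# Weak pair: tmpdir unset (MySQL falls back to /tmp) and the profile pulls
# in abstractions/user-tmp, which grants mysqld access under /tmp.
WEAK_CNF='[mysqld]
user = mysql'
WEAK_PROFILE='/usr/sbin/mysqld {
  #include <abstractions/base>
  #include <abstractions/user-tmp>
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
}'

# Hardened pair (assumed directory names): a private tmpdir, INTO OUTFILE
# confined by secure_file_priv, and explicit rules instead of user-tmp.
# Create the directories with e.g.
#   install -d -o mysql -g mysql -m 0700 /var/lib/mysql-tmp
HARD_CNF='[mysqld]
user = mysql
tmpdir = /var/lib/mysql-tmp
secure_file_priv = /var/lib/mysql-files'
HARD_PROFILE='/usr/sbin/mysqld {
  #include <abstractions/base>
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/lib/mysql-tmp/ r,
  /var/lib/mysql-tmp/** rwk,
  /var/lib/mysql-files/ r,
  /var/lib/mysql-files/** rwk,
}'

# mysql_tmpdir: read my.cnf on stdin, print the [mysqld] tmpdir
# (first value only; MySQL's default when unset is /tmp).
mysql_tmpdir() {
    dir=$(awk '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*/, "", sec) }
        sec ~ /^\[mysqld\]/ && /^[ \t]*tmpdir[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            print v; exit
        }')
    printf '%s\n' "${dir:-/tmp}"
}

# profile_writes DIR: read an AppArmor profile on stdin; succeed if it lets
# the process write under DIR.  user-tmp is treated as write access to /tmp
# and /var/tmp; explicit rules match by path prefix when they contain "w".
profile_writes() {
    awk -v target="$1" '
        function starts(s, p) { return substr(s, 1, length(p)) == p }
        BEGIN { if (substr(target, length(target), 1) != "/") target = target "/" }
        /#include[ \t]*<abstractions\/user-tmp>/ {
            if (starts(target, "/tmp/") || starts(target, "/var/tmp/")) hit = 1
        }
        /^[ \t]*(owner[ \t]+)?\// {
            path = $0; sub(/^[ \t]*(owner[ \t]+)?/, "", path)
            perms = path; sub(/^[^ \t]+[ \t]+/, "", perms); sub(/,.*$/, "", perms)
            if (perms == path) perms = ""          # rule with no permission field
            sub(/[ \t].*$/, "", path)
            sub(/\*\*$/, "", path); sub(/\*$/, "", path)
            if (index(perms, "w") && starts(target, path)) hit = 1
        }
        END { exit hit ? 0 : 1 }'
}

# audit_mysql CNF_TEXT PROFILE_TEXT SHARED_DIR: print "shared" when mysqld
# scratch files land inside SHARED_DIR (the directory Apache can reach, /tmp
# in the report) and the profile allows mysqld to write there, else "separate".
audit_mysql() {
    tmp=$(printf '%s\n' "$1" | mysql_tmpdir)
    case "${tmp%/}/" in
        "${3%/}/"*)
            if printf '%s\n' "$2" | profile_writes "$tmp"; then
                echo shared
                return
            fi ;;
    esac
    echo separate
}

# Usage:
#   audit_mysql "$WEAK_CNF" "$WEAK_PROFILE" /tmp   -> shared
#   audit_mysql "$HARD_CNF" "$HARD_PROFILE" /tmp   -> separate
```

The check is deliberately conservative: it only understands the user-tmp abstraction and plain path rules, so a profile that reaches /tmp through some other abstraction would need that abstraction resolved the same way (`apparmor_parser -p` can print the fully expanded profile). The directory permission (0700, owned by mysql) matters as much as the profile rule, since the profile confines mysqld but it is the mode bits that keep an unconfined or differently confined Apache out.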