I talked to 2 developers that are on the AppArmor team after my Defcon talk
and they have a fix in the Linux Mainline.  Channing the MySQL's temp
directory is probably unnecessary due to AppArmor improvements, although   I
haven't gotten around to testing it. I plan on doing an extensive test very
soon.   You should expect additions to this security related bug report.

On Mon, Aug 16, 2010 at 5:33 AM, Jamie Strandboge <email address hidden> wrote:

> I talked to our server team about this, and they said that changing the
> temp directory for MySQL is actually bug #375371. I am going to mark the
> MySQL task as "Invalid" here (for lack of a better category) and
> encourage discussion of moving the temporary directory be moved to bug
> #375371. If that bug becomes "Won't Fix" we should reopen the MySQL task
> in this one for setting the MySQL umask.
>
> ** Changed in: mysql-dfsg-5.1 (Ubuntu)
>       Status: Triaged => Won't Fix
>
> --
> mysql configuration should be adjusted to help prevent against chained
> attacks against LAMP stack
> https://bugs.launchpad.net/bugs/578922
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in “apparmor” package in Ubuntu: Fix Released
> Status in “mysql-dfsg-5.1” package in Ubuntu: Won't Fix
>
> Bug description:
> Binary package hint: apparmor
>
> I have reported this to the CERT/Bugtraq system so you may have been
> contacted by them.  It was a large bug report so something may have fallen
> though the cracks.
>
> The problem is AppArmor rule sets do not adequately protect a LAMP
> environment  from attacks.  Exploit code has been written which bypasses
> AppAmoror rule sets to obtain remote code execution.   The exploit can be
> obtained here (https://sitewat.ch/Exploits/nuke_exploit.txt).
>
> The attack scenario:
> Back before AppArmor it was common to see sql injection attacks against
> PHP/MySQL like this:
> Vulnerable code:
> <?php
> mysql_query("select name from user where id=".$_GET[id]);
> ?>
> Exploit:
> http://localhost/sql_inj.php?id=0 union select "<?php eval($_GET[e]);?>"
> into outfile "/var/www/backdoor.php"
>
> AppArmor stops this attack,  which is impressive.  However,  there is a
> flaw in this security system.  In my exploit i am dropping the file in
> "/tmp/theme.php"  then i use a Local File Include vulnerability (LFI) to
> execute this php file.   The problem is that BOTH MySQL and Apache have
> access to /tmp/.  The line "#include <abstractions/user-tmp>" in the
> usr.sbin.mysqld  is the source of the vulnerability.  The patch is very
> simple,  mysql should have its own tmp folder that only the mysqld process
> has access to.
>
> This whole concept of process separation to prevent attacks is completely
> undermined by creating "unions"  between processes in the form of these
> header files. In fact every time you see an #include in an app armor rule
> set,  its a point of weakness.    I hope to give a another killer
> blackhat/defcon talk,  this time i am talking about about my exploit and
> these abuses against apparmor.
>
> Thanks,
> Michael Brooks.
>
>
>
> To unsubscribe from this bug, go to:
> https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/578922/+subscribe
>