[Bug 578922] Re: mysql configuration does not prevent against combined attacks against LAMP stack

Jamie Strandboge jamie at ubuntu.com
Wed May 12 10:32:02 BST 2010 

** Changed in: apparmor (Ubuntu)
       Status: Triaged => Fix Committed

** Description changed:

  Binary package hint: apparmor
  
  I have reported this to the CERT/Bugtraq system so you may have been
  contacted by them.  It was a large bug report so something may have
  fallen though the cracks.
  
- The problem is AppArmor rule sets do not antiquity protect a LAMP
+ The problem is AppArmor rule sets do not adequately protect a LAMP
  environment  from attacks.  Exploit code has been written which bypasses
  AppAmoror rule sets to obtain remote code execution.   The exploit can
  be obtained here (https://sitewat.ch/Exploits/nuke_exploit.txt).
  
  The attack scenario:
  Back before AppArmor it was common to see sql injection attacks against PHP/MySQL like this:
  Vulnerable code:
  <?php
  mysql_query("select name from user where id=".$_GET[id]);
  ?>
  Exploit:
  http://localhost/sql_inj.php?id=0 union select "<?php eval($_GET[e]);?>" into outfile "/var/www/backdoor.php"
  
  AppArmor stops this attack,  which is impressive.  However,  there is a
  flaw in this security system.  In my exploit i am dropping the file in
  "/tmp/theme.php"  then i use a Local File Include vulnerability (LFI) to
  execute this php file.   The problem is that BOTH MySQL and Apache have
  access to /tmp/.  The line "#include <abstractions/user-tmp>" in the
  usr.sbin.mysqld  is the source of the vulnerability.  The patch is very
  simple,  mysql should have its own tmp folder that only the mysqld
  process has access to.
  
  This whole concept of process separation to prevent attacks is
  completely undermined by creating "unions"  between processes in the
  form of these header files. In fact every time you see an #include in an
  app armor rule set,  its a point of weakness.    I hope to give a
  another killer blackhat/defcon talk,  this time i am talking about about
  my exploit and these abuses against apparmor.
  
  Thanks,
  Michael Brooks.

-- 
mysql configuration does not prevent against combined attacks against LAMP stack
https://bugs.launchpad.net/bugs/578922
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-dfsg-5.1 in ubuntu.

More information about the Ubuntu-server-bugs mailing list