Hey Mr Cook,
I am very interested in how this patch. Before you roll it out I want to
make sure there isn't a trivial bypass. Please keep me informed, I want
Ubuntu to be rock solid.
Thanks,
Michael Brooks
On Fri, Jun 4, 2010 at 5:12 PM, Kees Cook <email address hidden> wrote:
> ** Changed in: apparmor (Ubuntu)
> Importance: Undecided => Medium
>
> ** Changed in: mysql-dfsg-5.1 (Ubuntu)
> Importance: Undecided => Medium
>
> ** Changed in: apparmor (Ubuntu)
> Assignee: (unassigned) => Jamie Strandboge (jdstrand)
>
> --
> mysql configuration should be adjusted to help prevent against chained
> attacks against LAMP stack
> https://bugs.launchpad.net/bugs/578922
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in “apparmor” package in Ubuntu: Fix Committed
> Status in “mysql-dfsg-5.1” package in Ubuntu: Triaged
>
> Bug description:
> Binary package hint: apparmor
>
> I have reported this to the CERT/Bugtraq system so you may have been
> contacted by them. It was a large bug report so something may have fallen
> through the cracks.
>
> The problem is AppArmor rule sets do not adequately protect a LAMP
> environment from attacks. Exploit code has been written which bypasses
> AppArmor rule sets to obtain remote code execution. The exploit can be
> obtained here (https://sitewat.ch/Exploits/nuke_exploit.txt).
>
> The attack scenario:
> Back before AppArmor it was common to see SQL injection attacks against
> PHP/MySQL like this:
> Vulnerable code:
> <?php
> mysql_query("select name from user where id=".$_GET[id]);
> ?>
> Exploit:
> http://localhost/sql_inj.php?id=0 union select "<?php eval($_GET[e]);?>"
> into outfile "/var/www/backdoor.php"
>
> AppArmor stops this attack, which is impressive. However, there is a
> flaw in this security system. In my exploit I am dropping the file in
> "/tmp/theme.php" then I use a Local File Include vulnerability (LFI) to
> execute this php file. The problem is that BOTH MySQL and Apache have
> access to /tmp/. The line "#include <abstractions/user-tmp>" in the
> usr.sbin.mysqld is the source of the vulnerability. The patch is very
> simple, mysql should have its own tmp folder that only the mysqld process
> has access to.
>
> This whole concept of process separation to prevent attacks is completely
> undermined by creating "unions" between processes in the form of these
> header files. In fact every time you see an #include in an AppArmor rule
> set, it's a point of weakness. I hope to give another killer
> blackhat/defcon talk, this time I am talking about my exploit and
> these abuses against apparmor.
>
> Thanks,
> Michael Brooks.
>
>
>
> To unsubscribe from this bug, go to:
> https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/578922/+subscribe
>
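The fix the bug description asks for, as an added example that is not part of this thread or of the Ubuntu packages: a small POSIX shell audit that flags a mysqld AppArmor profile still pulling in the shared /tmp via abstractions/user-tmp (and any explicit /tmp write rules left behind), beside a hardened fragment that gives mysqld a private tmp directory. The profile contents are constructed samples, and the private directory /var/lib/mysql-tmp is a placeholder path, not the one Ubuntu chose.

```shell
#!/bin/sh
# Added example, not from the bug thread. Checks a mysqld AppArmor profile for
# the weakness described above: mysqld and apache2 both reaching /tmp because
# the profile includes abstractions/user-tmp. /var/lib/mysql-tmp is a placeholder.
set -eu

# Exit 0 if the profile includes the user-tmp abstraction (shared /tmp), else 1.
profile_shares_tmp() {
    grep -Eq '^[[:space:]]*#?include[[:space:]]+<abstractions/user-tmp>' "$1"
}

# Count explicit rules that still grant write access under /tmp/ or /var/tmp/;
# dropping the include is not enough if such rules remain.
tmp_write_rules() {
    grep -Ec '^[[:space:]]*(owner[[:space:]]+)?/(var/)?tmp/[^[:space:]]*[[:space:]]+[a-z]*w' "$1" || true
}

audit() {
    if profile_shares_tmp "$1"; then echo "shared-tmp"; else echo "private-tmp"; fi
}

VULN=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$VULN" "$HARD"' EXIT

# Constructed sample of the vulnerable fragment: /tmp is reachable by mysqld.
cat >"$VULN" <<'EOF'
/usr/sbin/mysqld {
  #include <abstractions/base>
  #include <abstractions/user-tmp>
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
}
EOF

# Hardened fragment: the include is gone and mysqld gets its own directory
# that the apache2 profile has no rule for. Pair it with
# "tmpdir = /var/lib/mysql-tmp" under [mysqld] in my.cnf and create the
# directory mode 0700, owned by the mysql user.
cat >"$HARD" <<'EOF'
/usr/sbin/mysqld {
  #include <abstractions/base>
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/lib/mysql-tmp/ r,
  /var/lib/mysql-tmp/** rwk,
}
EOF

echo "vulnerable: $(audit "$VULN") (tmp write rules: $(tmp_write_rules "$VULN"))"
echo "hardened:   $(audit "$HARD") (tmp write rules: $(tmp_write_rules "$HARD"))"
```

Run it against /etc/apparmor.d/usr.sbin.mysqld instead of the sample to check an installed profile; after changing the profile, reload it with apparmor_parser and restart mysqld so the new tmpdir takes effect.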