List: apache-httpd-dev
Subject: [Fwd: iDefense Final Notice [IDEF1445]]
From: "William A. Rowe, Jr." <wrowe () rowe-clan ! net>
Date: 2007-03-28 21:02:24
Message-ID: 460AD7E0.7010702 () rowe-clan ! net
Not acked.
["iDefense Final Notice [IDEF1445]" (message/rfc822)]
To whom it may concern,
The attached advisory and email was originally submitted on Feb 08, 2006, but a
response has not yet been received. In accordance with our vendor disclosure policy
(http://labs.idefense.com/legal.php#disclosure) we will proceed with public
disclosure of this issue if acknowledgment of receipt is not received within five
business days.
Regards,
Joshua J. Drake
iDefense Labs
["pub_Apache httpd suexec Multiple Vulnerabilities.txt" (application/octet-stream)]
Apache httpd suexec Multiple Vulnerabilities
iDefense Security Advisory XX.XX.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
MMM DD, 2005
I. BACKGROUND
The suexec binary is a helper application which is part of the Apache
HTTP server package, and is designed to allow a script to run with the
privileges of the owner of the script, instead of with the privileges of
the server. More information about the suexec utility can be found at
the following link:
http://httpd.apache.org/docs/2.0/suexec.html
II. DESCRIPTION
Scripts run by an HTTP server generally run with the same permissions as
the server. Exploitation of one virtual host on a server may lead to all
the hosts being compromised. In order to reduce the likelihood that a
bug or malicious code in one virtual host will be able to affect other
virtual hosts, the suexec utility allows scripts to run as the owner of
the script instead. The suexec binary can only be executed by the same
user the httpd runs as, typically 'httpd', 'apache' or 'nobody'.
This means that exploitation of the vulnerability has a prerequisite of
obtaining access to the affected system as this user. The binary also
limits the users it will execute code as to those which have user and
group IDs greater than or equal to AP_UID_MIN and AP_GID_MIN values
respectively. These values are compiled into the executable.
Multiple vulnerabilities exist in this application which, when combined,
can allow execution of code as an almost arbitrary user and group.
1) Path Checking Race Condition Vulnerability
Local exploitation of a race condition in path validation in multiple
versions of The Apache Foundation's suexec utility could allow an
attacker to execute arbitrary code as another user.
Race conditions occur between the getcwd(cwd) at line #477 and
chdir(cwd) (at lines #485 and #494) and between a chdir(cwd) at lines
#486 and #494 and a lstat(cwd) at line #508. The directory structure may
change between each of these operations, which can lead to the lstat()
being performed on an arbitrary directory chosen by an attacker. These
may be exploited by renaming a parent directory, or by using
symlinks.
A third race condition occurs between the lstat(cmd) at line #524 and
execv() at line #606. The directory structure may change between these
calls, rendering the lstat() ineffective.
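The check-then-exec window described above closes when the checks are made on an open descriptor rather than on a path. The following is an added example written for this page, not suexec's own code: open_checked_script() is a hypothetical hardened replacement for the lstat(cmd) check that opens the script with O_NOFOLLOW, verifies the open inode with fstat() and hands back the descriptor for a later fexecve(); the self-test builds a constructed fixture under /tmp to show which cases are refused.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened check (not suexec's own code): open the script
 * first, refusing symlinks, and inspect the open descriptor with fstat().
 * The inode that passes is the inode the caller would run with
 * fexecve(fd, ...), so a rename or symlink swap between the check and
 * the exec no longer changes what was inspected. */
int open_checked_script(const char *cmd, uid_t want_uid, gid_t want_gid)
{
    struct stat st;
    int fd = open(cmd, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;               /* missing, or a symlink (ELOOP) */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || st.st_uid != want_uid || st.st_gid != want_gid
        || (st.st_mode & (S_ISUID | S_ISGID | S_IWOTH))) {
        close(fd);                       /* not a plain file, wrong owner/group,
                                            setuid/setgid or world-writable */
        return -1;
    }
    return fd;
}

/* Self-check on a constructed fixture in a temporary directory: a regular
 * script, a symlink to it and the directory itself. Returns 0 when every
 * case is handled as intended; set bits mark the failing cases. */
int open_checked_script_selftest(void)
{
    char dir[] = "/tmp/suexec_demo_XXXXXX", path[80], link[80];
    int rc = 0, fd;
    if (!mkdtemp(dir)) return 1;
    snprintf(path, sizeof path, "%s/script.cgi", dir);
    snprintf(link, sizeof link, "%s/link.cgi", dir);
    fd = open(path, O_WRONLY | O_CREAT, 0755);   /* owned by us, not o+w */
    if (fd < 0) return 2;
    close(fd);
    if (symlink(path, link) != 0) return 4;
    if ((fd = open_checked_script(path, getuid(), getgid())) < 0) rc |= 8;
    else close(fd);                                        /* accepted */
    if (open_checked_script(link, getuid(), getgid()) >= 0) rc |= 16; /* symlink */
    if (open_checked_script(dir, getuid(), getgid()) >= 0) rc |= 32;  /* directory */
    if (open_checked_script(path, getuid() + 1, getgid()) >= 0) rc |= 64; /* owner */
    unlink(link); unlink(path); rmdir(dir);
    return rc;
}
```

The remaining path checks (document root, parent directory ownership) can be made on the same descriptor's directory with openat()/fstatat() in the same style.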
2) Path Checking Design Error Vulnerability
At line #500 of the suexec utility, a strncmp() is used to check whether
the current directory is a subdirectory of the document root directory.
This check will succeed in situations where there exists a directory
which begins with the same sequence, but contains extra content. For
example, if the document root is "/var/www/html", the test will also
succeed for "/var/www/html_backup" and "/var/www/htmleditor". A correct
test would also perform a check that the next character is a trailing
null-terminator or directory separator.
The check performed at line #524 does not verify whether the path to the
CGI script (cmd) refers to a regular file. If the path points at a
subdirectory owned by the appropriate user and group, inside a directory
owned by the appropriate user and group, it will be accepted as a valid
path to be executed (provided all other checks succeed).
3) Arbitrary GID Input Validation Vulnerability
Due to a design error, the suexec binary permits any combination of
user/group values taken from command line parameters even if the user is
not a member of the specified group. This may be exploited in
combination with other vulnerabilities if the /proc filesystem is
mounted. Each time suexec drops its privileges and changes its UID and
GID, all files and directories under /proc/{PID} change their owner to
the corresponding values. As the suexec process changes its UID and GID
unconditionally, creating arbitrary UID and GID owned files is trivial
(the only limitation is that these values must be greater or equal to
AP_UID_MIN and AP_GID_MIN).
III. ANALYSIS
Successful exploitation of these vulnerabilities would allow a local
attacker to execute arbitrary code as another user. In order to
exploit this vulnerability, the user must already have access to the
suexec binary, which is restricted to the user the httpd runs as, in
order to execute code. It may be possible to gain access to this user by
exploiting a CGI program, PHP script or other program on the server.
These factors, in combination with the restricted range of UIDs and GIDs
that can be requested, mitigate to some degree the severity of the
vulnerability.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in the suexec
binary distributed with the version 2.0.54 of the Apache httpd in Red
Hat Inc.'s Fedora Core 4. This distribution is not vulnerable in the
default configuration, as exploitation requires additional, but common,
configuration changes to be made to the system.
It is suspected that all previous versions of suexec are vulnerable,
including the 1.3.x versions.
V. WORKAROUND
If the suexec binary is not required for normal operation, remove the
setuid bit from the file.
Execute the following command as root:
# chmod -s /path/to/suexec
Replacing '/path/to/suexec' with the actual path to the suexec binary.
VI. VENDOR RESPONSE
[Quoted vendor response if available. Otherwise include vendor fix
details.]
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-XXXX to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
[OR]
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.
VIII. DISCLOSURE TIMELINE
XX/XX/2006 Initial vendor notification
XX/XX/2006 Initial vendor response
XX/XX/2006 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events
http://labs.idefense.com
X. LEGAL NOTICES
Copyright © 2006 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.