|
|
|
|
| |
Credit:
The information has been provided by iDefense.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511
|
| |
Vulnerable Systems:
* Apache httpd version 2.2.3 of the in Red Hat Inc.'s Fedora Core 4.
* (This distribution is not vulnerable in the default configuration, as exploitation requires additional, but common, configuration changes to be made to the system.)
* It is suspected that all previous versions of suexec are vulnerable, including the 1.3.x versions.
1) Path Checking Race Condition Vulnerabilities
One race condition occurs between the obtaining the current directory and changing to that directory. Another race condition occurs between changing to a directory and checking that the directory is not a link. The directory structure may change between each of these operations, which can lead to the lstat() being performed on an arbitrary directory chosen by an attacker. These may be exploited with by renaming a parent directory, or by using symbolic links.
A third race condition occurs between the final symbolic link check and executing the target binary. The directory structure may change between these calls, rendering the symbolic link check ineffective.
2) Path Checking Design Error Vulnerabilities
The suexec utility uses a strncmp() to check whether the current directory is a sub-directory of the document root directory. This check will succeed in situations where there exists a directory which begins with the same sequence, but contains extra content. For example, if the document root is "/var/www/html", the test will also succeed for "/var/www/html_backup" and "/var/www/htmleditor". A correct test would also perform a check that the next character is a trailing null-terminator or directory separator.
A check performed does not verify whether a path to the CGI script (cmd) is a regular file or not. If the path is pointing at a sub-directory owned by the appropriate user and group, and the parent directory is owned by the appropriate user and group, it will be accepted.
3) Arbitrary Group Id Input Validation Vulnerability
Due to a design error, the suexec binary permits any combination of user/group values taken from command line parameters even if the user is not a member of the specified group. This may be exploited in combination with other vulnerabilities if the /proc file system is mounted. Each time suexec drops its privileges and changes its UID and GID, all files and directories under /proc/{PID} change their owner to the corresponding values. As the suexec process changes its UID and GID unconditionally, creating arbitrary UID and GID owned files is trivial.
Exploitation of these vulnerabilities would allow a local attacker to execute arbitrary code with the privileges of another user.
In order to exploit this vulnerability, the user must already have access to execute the suexec binary. The suexec binary is only able to be executed by the same user as the web server, typically user 'httpd', 'apache' or 'nobody'. It may be possible to gain access to this user by exploiting a CGI program, PHP script or other program on the server.
The binary also limits the users it will execute code as to those which have user and group IDs greater than or equal to AP_UID_MIN and AP_GID_MIN values respectively. These values are compiled into the executable.
These factors somewhat mitigate the severity of the problem.
Workaround:
If the suexec binary is not required for normal operation, remove the set-uid bit from the file as shown below.
# chmod -s /path/to/suexec
Vendor Status:
The Apache Software Foundation HTTPD team declined to address the vulnerabilities and instead provided the following vendor statement.
"The attacks described rely on an insecure server configuration - that the unprivileged user the server runs as has write access to the document root. The suexec tool cannot detect all possible insecure configurations, nor can it protect against privilege "escalation" in all such cases.
It is important to note that to be able to invoke suexec, the attacker must also first gain the ability to execute arbitrary code as the unprivileged server user."
CVE Information:
CVE-2007-1741
Disclosure Timeline:
* 02/08/2006 - Initial vendor notification
* 10/06/2006 - Second vendor notification
* 03/28/2007 - Third vendor notification
* 03/28/2007 - Initial vendor response
* 04/11/2007 - Public disclosure
|
|
|
|
|
