Mod_dosevasive symlink and race vulnerability

[LSS Security <exposed () lss hr>]

                          LSS Security Advisory #LSS-2005-01-01

                               http://security.lss.hr


---

Title               : Mod_dosevasive symlink and race vulnerability
Advisory ID         : LSS-2005-01-4
Date                : January 1th, 2005
Advisory URL:       : http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-01
Impact              : Arbitrary file creation
Risk level          : Low
Vulnerability type  : Local
Vendors contacted   : December 16th, 2004.

---



==[ Overview

> From mod_dosevasive's web site (http://www.nuclearelephant.com/projects/dosevasive/):

Mod_dosevasive is an evasive maneuvers module for Apache to provide evasive
action in the event of an HTTP DoS or DDoS attack or brute force attack. 
It is also designed to be a detection and network management tool, and can
be easily configured to talk to ipchains, firewalls, routers etc.
Mod_dosevasive presently reports abuses via email and syslog facilities.



==[ Vulnerability

When a denial of service attack is detected, mod_dosevasive will, among 
other things, create a temporary file which it will use to trace actions
from the offensive IP address. This file is insecurely created in /tmp and
it's name is easily predictable.

The attacker knows exactly which name the file will have:

...
snprintf(filename, sizeof(filename), "/tmp/dos-%s",
r->connection->remote_ip);
...

So, if the attack is coming from 127.0.0.1, mod_dosevasive will create
/tmp/dos-127.0.0.1 file.

1) Symlink attack

It is then easy for an attacker to create arbitrary files in any directory
that the user under which apache runs has privileges to write.
For example:

[bojanz@test bojanz]$ ls -ld /var/www
drwxr-xr-x    6 root     root         4096 Nov  6 04:59 /var/www
[bojanz@good bojanz]$ cd /tmp
[bojanz@good tmp]$ ln -s /var/www/html/poc_file dos-127.0.0.1 
[bojanz@good tmp]$ ls -l /var/www/html/poc_file
ls: /var/www/html/poc_file: No such file or directory
[bojanz@good tmp]$ perl ./dos.pl        # this script performs a simple DoS attack
[bojanz@good tmp]$ ls -l /var/www/html/poc_file
-rw-r--r--    1 apache   apache          6 Dec 14 11:53 /var/www/html/poc_file

Mod_dosevasive will check if the target file exists and will not overwrite it,
so the vulnerability #1 just allows creation of arbitrary files in directories
that the user under which apache runs has privileges to write.
Files contain PID of the child process and the attacker can't modify them.

2) Race attack

However, once the target file is opened, there is a race attack (although
difficult to exploit) which can lead to mod_dosevasive overwriting any 
file that the user under which apache runs has privileges to write.

> From the source:

...
snprintf(filename, sizeof(filename), "/tmp/dos-%s",
r->connection->remote_ip);
/* Race vulnerability */
if (stat(filename, &s)) {
 file = fopen(filename, "w");
...



===[ Affected versions

All available versions of mod_security are affected, including the latest
CVS version (1.9).



===[ Fix

Real fix would be to rewrite the code which opens the file, however, in 
absence of that, easy and quick fix is to create a directory that only the
user under which apache runs has privileges to write and to use that 
directory to create mod_dosevasive temporary files in.
In order to use a different directory, only one line in the source code has
to be changed:

snprintf(filename, sizeof(filename), "/tmp/dos-%s",
r->connection->remote_ip);
                                      ^^^^^


===[ PoC Exploit

No PoC required.



===[ Credits

This vulnerability was found by LSS Security Team.



===[ LSS Security Contact

 LSS Security Team, <eXposed by LSS>

 WWW    : http://security.lss.hr
 E-mail : security () LSS hr
 Tel    : +385 1 6129 775