oss-sec mailing list archives

Re: Apache symlink issue: can documented behavior be a security problem and hence get a CVE?


From: Stefan Fritsch <sf () sfritsch de>
Date: Sat, 16 Jul 2011 21:35:20 +0200

On Saturday 16 July 2011, halfdog wrote:
> Understood. I've looked at the issue more closely and found a
> similar DoS-exploitable timerace and a buffer overwrite unrelated
> to this. Just for study, I'm currently trying to combine 3
> timeraces + buffer overwrite + ROP to get code execution. Since
> Apache will quite likely fix the other two issues, they have to
> touch the code anyway, so the symlink issue might be historic soon
> also.

I don't think the race conditions can be fixed without openat, which
is available in Linux since 2.6.16 and is not available in many other
flavours of UNIX. Currently, it is clear that your issue only concerns
an unsupported use case of Apache httpd. IMHO it would not be wise to
change httpd to support this use case on recent Linux but not on other
UNIXes.

And if you have a setup where the races are a problem, you can fix it
outside of httpd. E.g. configure your FTP server to deny creation of
symlinks, or configure SELinux/AppArmor/... accordingly.
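The openat()-based walk Stefan refers to, as an added example that is not part of this thread or of httpd's code: each path component is opened relative to the previous directory fd with O_NOFOLLOW, so the "is it a symlink?" check and the open are the same system call and there is no window between them. The function names, the demo tree created under /tmp and the checks in demo_checks() are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open relpath below rootdir one component at a time: each step is an
 * openat() with O_NOFOLLOW relative to the fd of the previous step, so a
 * symlink planted between two steps makes that step fail instead of being
 * followed, a guarantee an lstat()-then-open() check cannot give. */
int open_below_root(const char *rootdir, const char *relpath)
{
    if (relpath[0] == '/') { errno = EACCES; return -1; }
    char *copy = strdup(relpath), *save = NULL;
    if (!copy) return -1;
    int fd = open(rootdir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    for (char *c = strtok_r(copy, "/", &save); fd >= 0 && c; c = strtok_r(NULL, "/", &save)) {
        /* ".." could climb above rootdir; a non-directory in the middle just makes
         * the following openat() fail with ENOTDIR, so no lookahead is needed */
        int next = strcmp(c, "..") ? openat(fd, c, O_RDONLY | O_NOFOLLOW | O_CLOEXEC) : -1;
        close(fd);
        fd = next;
        if (fd < 0 && strcmp(c, "..") == 0) errno = EACCES;
    }
    int e = errno; free(copy); errno = e;
    return fd;
}

/* Constructed demo tree (not from the thread): docroot/real/index.html is a
 * regular file and docroot/link is a symlink pointing outside the docroot.
 * Returns 0 if every check holds, else the number of the failing check. */
int demo_checks(void)
{
    char base[] = "/tmp/nofollow-demo-XXXXXX";
    if (!mkdtemp(base) || chdir(base)) return 1;
    if (mkdir("docroot", 0700) || mkdir("docroot/real", 0700)) return 2;
    close(open("docroot/real/index.html", O_WRONLY | O_CREAT, 0600));
    if (symlink(base, "docroot/link")) return 3;
    int fd = open_below_root("docroot", "real/index.html");
    if (fd < 0) return 4;                          /* plain file below docroot opens */
    close(fd);
    /* would resolve to real/index.html if the symlink were followed: refused */
    if (open_below_root("docroot", "link/docroot/real/index.html") != -1) return 5;
    if (open_below_root("docroot", "../docroot/real/index.html") != -1) return 6;
    return 0;
}

int main(void) { return demo_checks(); }   /* exit status 0 means all checks passed */
```

Note that this only closes the symlink race; a directory renamed or bind-mounted underneath the walk is a different problem, which is where the SELinux/AppArmor suggestion above still applies.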

