Vulnerability Development mailing list archives

Re: Apache ap_getpass vulnerability


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Sun, 5 Nov 2000 12:51:24 +0100

$ kill -l
 1) SIGHUP       2) SIGINT       3) SIGQUIT      4) SIGILL
 5) SIGTRAP      6) SIGIOT       7) SIGBUS       8) SIGFPE
 9) SIGKILL     10) SIGUSR1     11) SIGSEGV     12) SIGUSR2
13) SIGPIPE     14) SIGALRM     15) SIGTERM     17) SIGCHLD
18) SIGCONT     19) SIGSTOP     20) SIGTSTP     21) SIGTTIN
22) SIGTTOU     23) SIGURG      24) SIGXCPU     25) SIGXFSZ
26) SIGVTALRM   27) SIGPROF     28) SIGWINCH    29) SIGIO
30) SIGPWR

Wouldn't an attacker simply be able to run kill -s SIGSEGV <pid>?
After all, all Apache children run with the same uid. Many different CGI
exploits could be modified to kill the preferred http process.

Unless this is done, somebody who gets access to the webserver machine,
and therefore can read the private-key file, can also crash the Apache in
such a way that he can read the password from memory. All he has to know
is where the static char* inside getpass is in memory.

| strings | less

Now, this is also a question of the importance of http passwords. Many
administrators don't consider them secure to begin with (40-bit DES hash,
and usually no encryption whatsoever). But yes, SSL has been mentioned.
With SSL encryption, perhaps administrators put more faith in these
passwords.

getpass is yet another stupidly hard-to-use function. It is impressive how
bad the interfaces people put up with are. getpass's designers have clearly
forgotten the first law of security programming: assume all functions will
be used by 'stupid' programmers ('stupid' as in human, not flawless).

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

             http://www.eff.org/cafe
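The point of the thread is that getpass() hands back a pointer to a static buffer, so the passphrase sits in the process image until something overwrites it, and a forced crash (or a core file) exposes it. The following is an added example, not code from the post or from Apache: a hypothetical getpass()-style function with a static buffer, a check for whether the secret is still resident, a caller pattern that scrubs the buffer as soon as the key is unlocked, and an rlimit call that stops a core image from being written at all.

```c
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Hypothetical stand-in for getpass(): returns a pointer to a static buffer
 * that keeps the secret until something overwrites it. Names are invented. */
#define PASSBUF_LEN 128
static char passbuf[PASSBUF_LEN];

const char *demo_getpass_static(const char *secret_source) {
    strncpy(passbuf, secret_source, PASSBUF_LEN - 1);
    passbuf[PASSBUF_LEN - 1] = '\0';
    return passbuf;
}

/* Overwrite through a volatile pointer so the compiler cannot discard the
 * stores as dead (the same idea as explicit_bzero() on BSD and newer glibc). */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* What a core dump piped through strings would still find: is the secret
 * still sitting in the static buffer? Returns 1 if so, 0 otherwise. */
int secret_still_in_memory(const char *secret) {
    return strncmp(passbuf, secret, PASSBUF_LEN) == 0;
}

/* Constructed stand-in for "unlock the private key with this passphrase";
 * here it only reports the passphrase length. */
int use_passphrase(const char *pw) {
    return (int)strlen(pw);
}

/* Caller pattern: copy the secret out, wipe the static buffer immediately,
 * use the copy, then wipe the copy as well. */
int unlock_key_then_wipe(const char *secret_source, int (*use)(const char *)) {
    char copy[PASSBUF_LEN];
    const char *p = demo_getpass_static(secret_source);
    strncpy(copy, p, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';
    secure_wipe(passbuf, sizeof passbuf);   /* static buffer no longer holds it */
    int rc = use(copy);
    secure_wipe(copy, sizeof copy);
    return rc;
}

/* Belt and braces for a long-running daemon: a SIGSEGV then produces no core
 * file. Returns 0 on success, as setrlimit() does. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}
```

The wipe only covers the buffers this code controls; a copy made elsewhere (for example by the TLS library after the key is unlocked) needs the same treatment.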

