The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Apache Local User to Root Escalation
------------------------------------------------------------------------
SUMMARY
A vulnerability in way debian's version of Apache handles cttys allows
local users to gain elevated privileges if the root has manually restarted
the Apache service.
DETAILS
Vulnerable Systems:
* Apache version 1.3.34-4 (Debian only)
Unlike every other daemon, apache does not abdicate its controlling tty on
startup, and allows it to be inherited by a cgi script (for example, a
local user's CGI executed using suexec). When apache is manually
restarted, the inherited ctty is the stdin of the (presumably root) shell
that invoked the new instance of apache. Any process is permitted to
invoke the TIOCSTI ioctl on the fd corresponding to its ctty, which allows
it to inject characters that appear to come from the terminal master.
Thus, a user created CGI script can inject and have executed any input
into the shell that spawned apache.
ADDITIONAL INFORMATION
The information has been provided by <mailto:ret28@cam.ac.uk> Richard
Thrippleton.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
