Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] Apache HTTPD suEXEC Multiple Vulnerabilities

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] Apache HTTPD suEXEC Multiple Vulnerabilities
Date: 17 Apr 2007 19:21:25 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Apache HTTPD suEXEC Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

The  <http://httpd.apache.org/docs/2.0/suexec.html > suexec binary is a 
helper application which is part of the Apache HTTP server package. It is 
designed to allow a script to run with the privileges of the owner of the 
script instead the privileges of the server.

Local exploitation of multiple vulnerabilities within Apache Software 
Foundation's suexec utility could allow an attacker to execute arbitrary 
code as another user.

DETAILS

Vulnerable Systems:
 * Apache httpd version 2.2.3 of the in Red Hat Inc.'s Fedora Core 4.
   * (This distribution is not vulnerable in the default configuration, as 
exploitation requires additional, but common, configuration changes to be 
made to the system.)
 * It is suspected that all previous versions of suexec are vulnerable, 
including the 1.3.x versions.

1) Path Checking Race Condition Vulnerabilities

One race condition occurs between the obtaining the current directory and 
changing to that directory. Another race condition occurs between changing 
to a directory and checking that the directory is not a link. The 
directory structure may change between each of these operations, which can 
lead to the lstat() being performed on an arbitrary directory chosen by an 
attacker. These may be exploited with by renaming a parent directory, or 
by using symbolic links.

A third race condition occurs between the final symbolic link check and 
executing the target binary. The directory structure may change between 
these calls, rendering the symbolic link check ineffective.

2) Path Checking Design Error Vulnerabilities

The suexec utility uses a strncmp() to check whether the current directory 
is a sub-directory of the document root directory. This check will succeed 
in situations where there exists a directory which begins with the same 
sequence, but contains extra content. For example, if the document root is 
"/var/www/html", the test will also succeed for "/var/www/html_backup" and 
"/var/www/htmleditor". A correct test would also perform a check that the 
next character is a trailing null-terminator or directory separator.

A check performed does not verify whether a path to the CGI script (cmd) 
is a regular file or not. If the path is pointing at a sub-directory owned 
by the appropriate user and group, and the parent directory is owned by 
the appropriate user and group, it will be accepted.

3) Arbitrary Group Id Input Validation Vulnerability

Due to a design error, the suexec binary permits any combination of 
user/group values taken from command line parameters even if the user is 
not a member of the specified group. This may be exploited in combination 
with other vulnerabilities if the /proc file system is mounted. Each time 
suexec drops its privileges and changes its UID and GID, all files and 
directories under /proc/{PID} change their owner to the corresponding 
values. As the suexec process changes its UID and GID unconditionally, 
creating arbitrary UID and GID owned files is trivial.

Exploitation of these vulnerabilities would allow a local attacker to 
execute arbitrary code with the privileges of another user.

In order to exploit this vulnerability, the user must already have access 
to execute the suexec binary. The suexec binary is only able to be 
executed by the same user as the web server, typically user 'httpd', 
'apache' or 'nobody'. It may be possible to gain access to this user by 
exploiting a CGI program, PHP script or other program on the server.

The binary also limits the users it will execute code as to those which 
have user and group IDs greater than or equal to AP_UID_MIN and AP_GID_MIN 
values respectively. These values are compiled into the executable.

These factors somewhat mitigate the severity of the problem.

Workaround:
If the suexec binary is not required for normal operation, remove the 
set-uid bit from the file as shown below.
  # chmod -s /path/to/suexec

Vendor Status:
The Apache Software Foundation HTTPD team declined to address the 
vulnerabilities and instead provided the following vendor statement.

"The attacks described rely on an insecure server configuration - that the 
unprivileged user the server runs as has write access to the document 
root. The suexec tool cannot detect all possible insecure configurations, 
nor can it protect against privilege "escalation" in all such cases.

It is important to note that to be able to invoke suexec, the attacker 
must also first gain the ability to execute arbitrary code as the 
unprivileged server user."

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1741> 
CVE-2007-1741

Disclosure Timeline:
 * 02/08/2006 - Initial vendor notification
 * 10/06/2006 - Second vendor notification
 * 03/28/2007 - Third vendor notification
 * 03/28/2007 - Initial vendor response
 * 04/11/2007 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:
 
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] Apache HTTPD suEXEC Multiple Vulnerabilities, SecuriTeam <=
Previous by Date:  [NT] CSRSS Remote Code Execution (MS07-021), SecuriTeam
Next by Date:  [NT] AOL AIM and ICQ File Transfer Path-Traversal, SecuriTeam
Previous by Thread:  [NT] CSRSS Remote Code Execution (MS07-021), SecuriTeam
Next by Thread:  [NT] AOL AIM and ICQ File Transfer Path-Traversal, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]