Date: Mon, 26 Feb 2007 21:15:48 +0200 (EET)
From: "Nikolay Kichukov" <hijacker@...um.net>
To: "Richard Thrippleton" <ret28@....ac.uk>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Local user to root escalation in apache 1.3.34 (Debian only)

Lool,
how long has this bug been around?

Sounds scary.

-nik

On Mon, February 26, 2007 8:11 pm, Richard Thrippleton wrote:
> Version 1.3.34-4 of Apache in the Debian Linux distribution contains a
> hole that allows a local user to access a root shell if the webserver has
> been restarted manually. This bug does not exist in the upstream apache
> distribution, and was patched in specifically by the Debian distribution.
> The bug report is located at
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357561 . At the time of
> writing (over a month since the root hole was clarified), there has been
> no official acknowledgement. It is believed that most of the developers
> are tied up in more urgent work, getting the TI-86 distribution of Debian
> building in time for release.
>
> Unlike every other daemon, apache does not abdicate its controlling tty
> on startup, and allows it to be inherited by a cgi script (for example, a
> local user's CGI executed using suexec). When apache is manually
> restarted, the inherited ctty is the stdin of the (presumably root) shell
> that invoked the new instance of apache. Any process is permitted to
> invoke the TIOCSTI ioctl on the fd corresponding to its ctty, which allows
> it to inject characters that appear to come from the terminal master.
> Thus, a user-created CGI script can inject and have executed any input
> into the shell that spawned apache.
>
> As a Debian user, this concerns me greatly, as any non-privileged user
> would be able to install non-free documentation (GFDL) on any system I
> run.
>
> Richard


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
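The mechanism Richard describes hinges on one thing: a daemon that keeps its controlling terminal hands it to every child, including CGI processes. The standard mitigation is for the daemon to call setsid() after forking, which puts it in a new session with no controlling tty, so nothing it spawns can reach the invoking shell's terminal. The C program below is an added example written for this archive page; it is not code from Apache, Debian, or either poster. It shows two defender-side checks: whether the current process has a ctty at all (open("/dev/tty") fails with ENXIO when there is none), and, for auditing an already running daemon on Linux, the tty_nr field of /proc/PID/stat (0 means no controlling terminal). It assumes a POSIX system with fork()/setsid(); the /proc parsing assumes the Linux stat layout.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the calling process has a controlling terminal, 0 if not.
 * /dev/tty is an alias for the caller's ctty; opening it fails (ENXIO)
 * when the process has none, which is the state a daemon should be in. */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Linux-only audit helper (assumption: /proc/<pid>/stat layout).
 * Returns the tty_nr field for pid: 0 = no controlling terminal,
 * >0 = device number of the ctty, -1 = could not read/parse. */
long tty_nr_from_procstat(pid_t pid)
{
    char path[64], buf[1024];
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    /* The comm field is in parentheses and may contain spaces, so parse
     * from the last ')' rather than the start of the line. */
    char *p = strrchr(buf, ')');
    if (!p)
        return -1;
    char state;
    int ppid, pgrp, session;
    long tty;
    if (sscanf(p + 1, " %c %d %d %d %ld", &state, &ppid, &pgrp, &session, &tty) != 5)
        return -1;
    return tty;
}

/* Fork a child that does what a correctly written daemon does on start-up:
 * setsid() to begin a new session with no controlling terminal. Returns the
 * child's has_controlling_tty() result (0 expected), 2 if setsid() failed,
 * or -1 on fork/wait failure. A CGI spawned by such a child would inherit
 * no tty fd, so there is nothing for TIOCSTI to target. */
int ctty_after_setsid(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* The child is not a process-group leader, so setsid() succeeds. */
        if (setsid() < 0)
            _exit(2);
        _exit(has_controlling_tty());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("this process has ctty (open /dev/tty): %d\n", has_controlling_tty());
    printf("this process tty_nr (/proc):          %ld\n", tty_nr_from_procstat(getpid()));
    printf("child after setsid() has ctty:        %d\n", ctty_after_setsid());
    return 0;
}
```

Run from an interactive shell, the first two lines report a ctty present (1 and a non-zero tty_nr) while the third reports 0, which is exactly the difference between a daemon restarted by hand from a root shell without detaching and one that called setsid(). To audit a live service, point tty_nr_from_procstat() at the daemon's pid (or read the same field with ps -o tty); any value other than 0 means its children can still reach the terminal it was started from.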
