lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050111114254.GA23077@cecilija.zesoi.fer.hr>
Date: Tue, 11 Jan 2005 12:42:54 +0100
From: LSS Security <exposed@....hr>
To: bugtraq@...urityfocus.com
Subject: Mod_dosevasive symlink and race vulnerability



                          LSS Security Advisory #LSS-2005-01-01

			       http://security.lss.hr


---

Title		    : Mod_dosevasive symlink and race vulnerability
Advisory ID	    : LSS-2005-01-4
Date		    : January 1th, 2005
Advisory URL:	    : http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-01
Impact		    : Arbitrary file creation
Risk level  	    : Low
Vulnerability type  : Local
Vendors contacted   : December 16th, 2004.

---



==[ Overview

>From mod_dosevasive's web site (http://www.nuclearelephant.com/projects/dosevasive/):

Mod_dosevasive is an evasive maneuvers module for Apache to provide evasive
action in the event of an HTTP DoS or DDoS attack or brute force attack. 
It is also designed to be a detection and network management tool, and can
be easily configured to talk to ipchains, firewalls, routers etc.
Mod_dosevasive presently reports abuses via email and syslog facilities.



==[ Vulnerability

When a denial of service attack is detected, mod_dosevasive will, among 
other things, create a temporary file which it will use to trace actions
from the offensive IP address. This file is insecurely created in /tmp and
it's name is easily predictable.

The attacker knows exactly which name the file will have:

...
snprintf(filename, sizeof(filename), "/tmp/dos-%s",
r->connection->remote_ip);
...

So, if the attack is coming from 127.0.0.1, mod_dosevasive will create
/tmp/dos-127.0.0.1 file.

1) Symlink attack

It is then easy for an attacker to create arbitrary files in any directory
that the user under which apache runs has privileges to write.
For example:

[bojanz@...t bojanz]$ ls -ld /var/www
drwxr-xr-x    6 root     root         4096 Nov  6 04:59 /var/www
[bojanz@...d bojanz]$ cd /tmp
[bojanz@...d tmp]$ ln -s /var/www/html/poc_file dos-127.0.0.1 
[bojanz@...d tmp]$ ls -l /var/www/html/poc_file
ls: /var/www/html/poc_file: No such file or directory
[bojanz@...d tmp]$ perl ./dos.pl        # this script performs a simple DoS attack
[bojanz@...d tmp]$ ls -l /var/www/html/poc_file
-rw-r--r--    1 apache   apache          6 Dec 14 11:53 /var/www/html/poc_file

Mod_dosevasive will check if the target file exists and will not overwrite it,
so the vulnerability #1 just allows creation of arbitrary files in directories
that the user under which apache runs has privileges to write.
Files contain PID of the child process and the attacker can't modify them.

2) Race attack

However, once the target file is opened, there is a race attack (although
difficult to exploit) which can lead to mod_dosevasive overwriting any 
file that the user under which apache runs has privileges to write.

>From the source:

...
snprintf(filename, sizeof(filename), "/tmp/dos-%s",
r->connection->remote_ip);
/* Race vulnerability */
if (stat(filename, &s)) {
 file = fopen(filename, "w");
...



===[ Affected versions

All available versions of mod_security are affected, including the latest
CVS version (1.9).



===[ Fix

Real fix would be to rewrite the code which opens the file, however, in 
absence of that, easy and quick fix is to create a directory that only the
user under which apache runs has privileges to write and to use that 
directory to create mod_dosevasive temporary files in.
In order to use a different directory, only one line in the source code has
to be changed:

snprintf(filename, sizeof(filename), "/tmp/dos-%s",
r->connection->remote_ip);
                                      ^^^^^


===[ PoC Exploit

No PoC required.



===[ Credits

This vulnerability was found by LSS Security Team.



===[ LSS Security Contact

 LSS Security Team, <eXposed by LSS>

 WWW    : http://security.lss.hr
 E-mail : security@....hr
 Tel	: +385 1 6129 775
 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ