lists.openwall.net - Open Source and information security mailing list archives
From: warchild at spoofed.org (Jon Hart)
Subject: Apache::Gallery local webserver compromise, privilege escalation

Greetings,

Apache::Gallery (http://apachegallery.dk) is a free and popular perl module
that, in combination with mod_perl and Apache, provides a powerful and
customizable web gallery of your photographs.

A::G unfortunately misuses Inline::C to create shared libraries.  From the
Inline::C documentation:

	"It is probably best to have a separate '.Inline/' directory for each
	project that you are working on. You may want to
	keep stable code in the <.Inline/> in your home directory. On
	multi-user systems, each user should have their own '.Inline/'
	directories. It could be a security risk to put the directory in a
	shared place like "/tmp/"."

At line 27 in Gallery.pm, we see the following:

	use Inline (C => Config =>
		LIBS => '-L/usr/X11R6/lib -lImlib2 -lm -ldl -lXext -lXext',
		INC => '-I/usr/X11R6/include',
		UNTAINT => 1,
		DIRECTORY => File::Spec->tmpdir()
		);

File::Spec->tmpdir() returns the first writable temporary directory.  On
most UNIX platforms, this will return /tmp or $ENV{TMPDIR}, which is almost
always world writable. 

Once this directory is found, a series of predictable filenames and
directories are created.  On my test systems, this was always:

	$  ls /tmp/lib/auto/Apache/Gallery_4033 
	Gallery_4033.bs  Gallery_4033.inl  Gallery_4033.so

Since /tmp is world writable, if we can inject the proper files into
/tmp/lib/auto/Apache/Gallery_4033 before the Apache process does, we can
get it to load our own malicious shared libraries.

The one thing that makes this attack difficult is that you'll likely need
to get /tmp/lib cleared first.  However, this directory will likely get
cleared on reboot, so a malicious local attacker need only wait until that
time.  What results is a privilege escalation attack to the uid of the user
running the webserver, which is typically apache/www/nobody or a normal
user if suEXEC or something like cgiwrap is in use. 
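As an added mitigation example (not Apache::Gallery's code, and not the project's actual fix, which removed Inline::C altogether), the Perl below verifies that an Inline build directory is private before handing it to Inline::C, and rejects a shared location such as /tmp. It assumes Inline::C is installed and uses a hypothetical admin-chosen path for the build directory.

```perl
#!/usr/bin/perl
# Added example, not Apache::Gallery code: refuse to let Inline::C build into
# a directory that anyone other than the webserver user could tamper with.
use strict;
use warnings;
use Fcntl ':mode';
use File::Spec;

# Hypothetical admin-chosen path, created at install time and owned by the
# uid the webserver runs as; never File::Spec->tmpdir().
use constant BUILD_DIR => '/var/cache/apache-gallery/inline';

# Returns an empty list when $dir is safe, otherwise a reason string.
sub check_inline_dir {
    my ($dir) = @_;
    my @parts = File::Spec->splitdir(File::Spec->rel2abs($dir));
    # Walk every component below /: a symlink or a group/world-writable
    # ancestor lets another local user swap the whole tree, so each step
    # must be a plain directory owned by root or by us.
    for my $i (1 .. $#parts) {
        my $path = File::Spec->catdir(@parts[0 .. $i]);
        return "$path is a symlink" if -l $path;
        my @st = lstat $path or return "$path: $!";
        my ($mode, $uid) = @st[2, 4];
        return "$path is not a directory" unless S_ISDIR($mode);
        # /tmp fails here: it is world writable (sticky bit or not).
        return "$path is group/world writable" if $mode & (S_IWGRP | S_IWOTH);
        return "$path is owned by uid $uid, not root or $>" if $uid != 0 && $uid != $>;
        # The leaf itself must belong to us, not merely to root.
        return "$path is owned by uid $uid, not $>" if $i == $#parts && $uid != $>;
    }
    return;
}

# Run the check at compile time, because `use Inline` runs at compile time too.
BEGIN {
    if (my $why = check_inline_dir(BUILD_DIR())) {
        die "refusing Inline build directory: $why\n";
    }
}

# Same shape as the Gallery.pm configuration, with DIRECTORY pointing at the
# verified private directory instead of the shared temporary directory.
use Inline (C => Config =>
    LIBS      => '-L/usr/X11R6/lib -lImlib2 -lm -ldl -lXext',
    INC       => '-I/usr/X11R6/include',
    DIRECTORY => BUILD_DIR(),
);
```

The check is a configuration-time guard against the misconfiguration described above; it does not make a build directory under /tmp safe, it refuses it.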

You can find a sample exploit at:

	http://spoofed.org/files/Gallery_4033.c

Thanks to Michael Legart, Andreas Plesner and the rest of the
Apache::Gallery team for a prompt response and fix.  You can get the latest
version of Apache::Gallery, which fixes this problem by removing Inline::C,
at:

	http://svn.apachegallery.dk/snapshots/

-jon

