[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20030910041946.GJ732@spoofed.org>
From: warchild at spoofed.org (Jon Hart)
Subject: Apache::Gallery local webserver compromise, privilege escalation
On Mon, Sep 08, 2003 at 08:21:13PM -0400, Jon Hart wrote:
> Thanks to Michael Legart, Andreas Plesner and the rest of the
> Apache::Gallery team for a prompt response and fix. You can get the latest
> version of Apache::Gallery which fixes this problem by removing Inline::C
> at:
>
> http://svn.apachegallery.dk/snapshots/
Just as a quick follow up,
A::G 0.7 has been released, which includes among other things the
removal of Inline::C.
If upgrading to 0.7 is not possible, simply change the call to Inline on
line 27 of Gallery.pm to something like:
use Inline (C => Config =>
LIBS => '-L/usr/X11R6/lib -lImlib2 -lm -ldl -lXext -lXext',
INC => '-I/usr/X11R6/include',
UNTAINT => 1,
DIRECTORY => "/some/path/"
);
Where /some/path is a "secure" path that only the user the gallery runs
as has access to, like $apacheroot/gallery/Inline. Of course this isn't
the most elegant fix, but it will save you if 0.7 isn't possible or
desirable.
Thanks to a tip from a colleague of mine, the following entry in crontab
will help you to beat the race condition of getting the files removed:
@reboot /path/to/exploit/exploit.sh
Where exploit.sh contains something like:
#!/bin/sh
mkdir -p /tmp/lib/auto/Apache/Gallery_4033
cp ~/exploits/Gallery* /tmp/lib/auto/Apache/Gallery_4033
The next time the machine is rebooted, as soon as cron is started, your
exploit script will be run. This should work on most Linux
distributions.
-jon
Powered by blists - more mailing lists