Open Source and information security mailing list archives
 
Message-ID: <20030910041946.GJ732@spoofed.org>
From: warchild at spoofed.org (Jon Hart)
Subject: Apache::Gallery local webserver compromise, privilege escalation

On Mon, Sep 08, 2003 at 08:21:13PM -0400, Jon Hart wrote:
> Thanks to Michael Legart, Andreas Plesner and the rest of the
> Apache::Gallery team for a prompt response and fix.  You can get the latest
> version of Apache::Gallery which fixes this problem by removing Inline::C
> at:
> 
> 	http://svn.apachegallery.dk/snapshots/

Just as a quick follow-up:

A::G 0.7 has been released, which includes among other things the
removal of Inline::C.

If upgrading to 0.7 is not possible, simply change the call to Inline on
line 27 of Gallery.pm to something like:

use Inline (C => Config => 
            LIBS => '-L/usr/X11R6/lib -lImlib2 -lm -ldl -lXext -lXext',
            INC => '-I/usr/X11R6/include',
            UNTAINT => 1,
            DIRECTORY => "/some/path/" 
          );

Where /some/path is a "secure" path that only the user the gallery runs
as has access to, like $apacheroot/gallery/Inline.  Of course this isn't
the most elegant fix, but it will save you if 0.7 isn't possible or
desirable.

Thanks to a tip from a colleague of mine, the following entry in crontab
will help you to beat the race condition of getting the files removed:

	@reboot	/path/to/exploit/exploit.sh

Where exploit.sh contains something like:

	#!/bin/sh
	# recreate the Inline build directory the gallery will use
	mkdir -p /tmp/lib/auto/Apache/Gallery_4033
	# seed it with the prepared Gallery objects before the webserver starts
	cp ~/exploits/Gallery* /tmp/lib/auto/Apache/Gallery_4033

The next time the machine is rebooted, as soon as cron is started, your
exploit script will be run.  This should work on most Linux
distributions.

-jon
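Anyone applying the Inline DIRECTORY workaround above will want to confirm that the chosen path really is only writable by the gallery's user, and to spot a /tmp/lib/auto/Apache/Gallery_* tree that a local user has pre-seeded in the way the @reboot cron entry does. The shell script below is an added example, not code from Jon Hart's post or from the Apache::Gallery project; the function names, the OWNER and TRUST_ROOT arguments, and the sample paths are assumptions. It goes slightly beyond the post by auditing any Inline build directory, not only the /tmp one: it walks every path component looking for a world-writable directory (which lets anyone create the tree first), then checks that nothing inside is world-writable or owned by a user other than the one the webserver runs as.

```shell
#!/bin/sh
# Added example, not code from Jon Hart's post or from Apache::Gallery.
# Audits the directory Inline::C loads compiled objects from, i.e. the
# DIRECTORY passed to "use Inline" in Gallery.pm, and flags the conditions
# that make /tmp/lib/auto/Apache/Gallery_* exploitable: a world-writable
# path component (anyone can pre-create /tmp/lib/...), or an entry in the
# directory that is world-writable or not owned by the webserver user.
# Function names, arguments and the sample paths are assumptions.

# inline_dir_create DIR
# Creates DIR (and any missing parents) with mode 0700, so only the
# invoking user, intended to be the one the gallery runs as, can write it.
inline_dir_create() {
    ( umask 077 && mkdir -p "$1" )
}

# inline_dir_audit DIR OWNER [TRUST_ROOT]
# Returns 0 if DIR is safe to hand to Inline as DIRECTORY, 1 otherwise.
# Ancestors are walked up to, but not including, TRUST_ROOT (default "/").
inline_dir_audit() {
    dir=$1
    owner=$2
    trust=${3:-/}

    [ -d "$dir" ] || { echo "audit: $dir is not a directory"; return 1; }

    # Any world-writable ancestor lets a local user plant the whole tree,
    # which is exactly what the @reboot cron trick relies on.
    p=$dir
    while [ -n "$p" ] && [ "$p" != "$trust" ]; do
        if [ -n "$(find "$p" -prune -perm -002 -print 2>/dev/null)" ]; then
            echo "audit: world-writable path component: $p"
            return 1
        fi
        parent=${p%/*}
        if [ "$parent" = "$p" ]; then break; fi   # relative path, no more parents
        p=$parent
    done

    # Nothing inside the build directory may be writable by others or owned
    # by anyone but the webserver user; otherwise a locally planted Gallery
    # object in it can be picked up instead of the one the gallery built.
    bad=$(find "$dir" \( -perm -002 -o ! -user "$owner" \) -print 2>/dev/null | head -n 1)
    if [ -n "$bad" ]; then
        echo "audit: unsafe entry (world-writable or not owned by $owner): $bad"
        return 1
    fi
    return 0
}

# Usage (paths and user are illustrative):
#   inline_audit.sh /var/www/gallery/Inline www-data
if [ $# -ge 2 ]; then
    inline_dir_audit "$@"
fi
```

Run it against the DIRECTORY you configured and the user Apache runs as; a non-zero exit with a "world-writable path component" line means the path is no safer than the /tmp default, and an "unsafe entry" line pointing at a Gallery object you did not build is the sign of a pre-seeded tree.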

