Message-ID: <1099.192.168.0.6.1172517348.squirrel@mail.oldum.net>
Date: Mon, 26 Feb 2007 21:15:48 +0200 (EET)
From: "Nikolay Kichukov" <hijacker@...um.net>
To: "Richard Thrippleton" <ret28@....ac.uk>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Local user to root escalation in apache 1.3.34 (Debian only)
Lool,
how long has this bug been around?
Sounds scary.
-nik
On Mon, February 26, 2007 8:11 pm, Richard Thrippleton wrote:
> Version 1.3.34-4 of Apache in the Debian Linux distribution contains a
> hole that allows a local user to access a root shell if the webserver has
> been restarted manually. This bug does not exist in the upstream apache
> distribution, and was patched in specifically by the Debian distribution.
> The bug report is located at
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357561 . At the time of
> writing (over a month since the root hole was clarified), there has been
> no official acknowledgement. It is believed that most of the developers
> are tied up in more urgent work, getting the TI-86 distribution of Debian
> building in time for release.
>
> Unlike every other daemon, apache does not abdicate its controlling tty
> on startup, and allows it to be inherited by a cgi script (for example, a
> local user's CGI executed using suexec). When apache is manually
> restarted, the inherited ctty is the stdin of the (presumably root) shell
> that invoked the new instance of apache. Any process is permitted to
> invoke the TIOCSTI ioctl on the fd corresponding to its ctty, which allows
> it to inject characters that appear to come from the terminal master.
> Thus, a user-created CGI script can inject and have executed any input into
> the shell that spawned apache.
>
> As a Debian user, this concerns me greatly, as any non-privileged user
> would be able to install non-free documentation (GFDL) on any system I
> run.
>
> Richard
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
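
The quoted advisory traces the hole to a daemon that keeps its controlling terminal and passes it on to CGI children. As an added example (not Apache or Debian code, and not written by either poster), this C program shows the daemon-side mitigation: start the child in a new session, point its standard descriptors at /dev/null, and verify that it has no controlling terminal left. All function names are hypothetical.

```c
/* Added example, not Apache or Debian code; function names are hypothetical. */
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if the caller has a controlling terminal: /dev/tty only opens then. */
static int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd >= 0)
        close(fd);
    return fd >= 0;
}

/* Point fds 0-2 at /dev/null so none still refers to the shell's tty. */
static int redirect_stdio_to_devnull(void)
{
    int fd = open("/dev/null", O_RDWR);
    if (fd < 0 || dup2(fd, 0) < 0 || dup2(fd, 1) < 0 || dup2(fd, 2) < 0)
        return -1;
    if (fd > 2)
        close(fd);
    return 0;
}

/* Fork a detached child and report what it sees: 0 = no ctty, 1 = still
 * has one, 2 = setup failed, -1 = fork/wait failed. A daemon would exec
 * its worker at the point where the child calls _exit(). */
int spawn_detached_and_check(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* setsid() starts a new session with no controlling terminal. */
        if (setsid() < 0 || redirect_stdio_to_devnull() < 0)
            _exit(2);
        _exit(has_controlling_tty() ? 1 : 0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    return spawn_detached_and_check();
}
```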