From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 17 Apr 2007 19:21:25 +0200
Subject: [UNIX] Apache HTTPD suEXEC Multiple Vulnerabilities
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070418045428.188605A4E@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Apache HTTPD suEXEC Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
The <http://httpd.apache.org/docs/2.0/suexec.html > suexec binary is a
helper application which is part of the Apache HTTP server package. It is
designed to allow a script to run with the privileges of the owner of the
script instead the privileges of the server.
Local exploitation of multiple vulnerabilities within Apache Software
Foundation's suexec utility could allow an attacker to execute arbitrary
code as another user.
DETAILS
Vulnerable Systems:
* Apache httpd version 2.2.3 of the in Red Hat Inc.'s Fedora Core 4.
* (This distribution is not vulnerable in the default configuration, as
exploitation requires additional, but common, configuration changes to be
made to the system.)
* It is suspected that all previous versions of suexec are vulnerable,
including the 1.3.x versions.
1) Path Checking Race Condition Vulnerabilities
One race condition occurs between the obtaining the current directory and
changing to that directory. Another race condition occurs between changing
to a directory and checking that the directory is not a link. The
directory structure may change between each of these operations, which can
lead to the lstat() being performed on an arbitrary directory chosen by an
attacker. These may be exploited with by renaming a parent directory, or
by using symbolic links.
A third race condition occurs between the final symbolic link check and
executing the target binary. The directory structure may change between
these calls, rendering the symbolic link check ineffective.
2) Path Checking Design Error Vulnerabilities
The suexec utility uses a strncmp() to check whether the current directory
is a sub-directory of the document root directory. This check will succeed
in situations where there exists a directory which begins with the same
sequence, but contains extra content. For example, if the document root is
"/var/www/html", the test will also succeed for "/var/www/html_backup" and
"/var/www/htmleditor". A correct test would also perform a check that the
next character is a trailing null-terminator or directory separator.
A check performed does not verify whether a path to the CGI script (cmd)
is a regular file or not. If the path is pointing at a sub-directory owned
by the appropriate user and group, and the parent directory is owned by
the appropriate user and group, it will be accepted.
3) Arbitrary Group Id Input Validation Vulnerability
Due to a design error, the suexec binary permits any combination of
user/group values taken from command line parameters even if the user is
not a member of the specified group. This may be exploited in combination
with other vulnerabilities if the /proc file system is mounted. Each time
suexec drops its privileges and changes its UID and GID, all files and
directories under /proc/{PID} change their owner to the corresponding
values. As the suexec process changes its UID and GID unconditionally,
creating arbitrary UID and GID owned files is trivial.
Exploitation of these vulnerabilities would allow a local attacker to
execute arbitrary code with the privileges of another user.
In order to exploit this vulnerability, the user must already have access
to execute the suexec binary. The suexec binary is only able to be
executed by the same user as the web server, typically user 'httpd',
'apache' or 'nobody'. It may be possible to gain access to this user by
exploiting a CGI program, PHP script or other program on the server.
The binary also limits the users it will execute code as to those which
have user and group IDs greater than or equal to AP_UID_MIN and AP_GID_MIN
values respectively. These values are compiled into the executable.
These factors somewhat mitigate the severity of the problem.
Workaround:
If the suexec binary is not required for normal operation, remove the
set-uid bit from the file as shown below.
# chmod -s /path/to/suexec
Vendor Status:
The Apache Software Foundation HTTPD team declined to address the
vulnerabilities and instead provided the following vendor statement.
"The attacks described rely on an insecure server configuration - that the
unprivileged user the server runs as has write access to the document
root. The suexec tool cannot detect all possible insecure configurations,
nor can it protect against privilege "escalation" in all such cases.
It is important to note that to be able to invoke suexec, the attacker
must also first gain the ability to execute arbitrary code as the
unprivileged server user."
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1741>;
CVE-2007-1741
Disclosure Timeline:
* 02/08/2006 - Initial vendor notification
* 10/06/2006 - Second vendor notification
* 03/28/2007 - Third vendor notification
* 03/28/2007 - Initial vendor response
* 04/11/2007 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511>;
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
