Apache mod_php File Descriptor Leak May Let Local Users Hijack the https Service

Category: Vulnerability | Posted: 2003-12-29 by ReCall | Views: 447
Description: A vulnerability was reported in Apache mod_php. A local user may be able to hijack the https service on the target system.
Steve Grubb reported that mod_php, when running with Apache 2.0.x, may leak a critical file descriptor in a manner that may allow a local user to take control of the Apache https service.
According to the report, mod_php leaks a number of file descriptors to the PHP script process. If a script calls an external application via the passthru(), exec(), or system() calls, the descriptors are reportedly leaked to the called program.
It is reported that the https listening descriptor is one descriptor that is leaked to PHP scripts. Because this descriptor is used by all web sites on a particular host system, a remote user with executable file upload privileges and PHP access (or a local user with PHP access) may be able to hijack the https service for all web sites operating on the target host.
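Added example (not part of the advisory, nor of Apache or mod_php): a small C check for the class of bug described above. It creates a constructed stand-in for the https listening socket, spawns /bin/sh the way system() does and asks the child whether it can still reach the descriptor, then applies the standard fix for inherited descriptors, FD_CLOEXEC, and repeats the check. It assumes a POSIX system with /bin/sh and /dev/null.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>

/* Constructed stand-in for the https listener: TCP socket on an ephemeral port. */
int make_listener(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The fix: mark the descriptor close-on-exec so passthru()/exec()/system() children never inherit it. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Spawn /bin/sh (as system() does) and have it dup the descriptor onto fd 9; the shell
 * exits 0 only if it could reach it, i.e. it leaked. Returns 1 leaked, 0 not, -1 error. */
int fd_leaks_across_exec(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null 9<&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                /* reached only if exec itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0;
}

/* Runs the check before and after the fix; returns before*10 + after, so 10 means
 * "leaked until FD_CLOEXEC was set, sealed afterwards". */
int run_demo(void) {
    int fd = make_listener();
    if (fd < 0) return -1;
    int before = fd_leaks_across_exec(fd);
    set_cloexec(fd);
    int after = fd_leaks_across_exec(fd);
    close(fd);
    return before * 10 + after;
}
```

The same check, pointed at a descriptor inherited from a real server process, is a quick way to confirm whether a fix for this kind of leak actually took effect.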
A demonstration exploit script:
The technique is simple.
1) Fork and daemonize yourself.
2) Select on the leaked descriptor and start serving pages.
At the end of this advisory is a proof-of-concept program that you can run under mod_php. It is assumed that paying customers can ftp anything they want into their website and mod_php scripting is enabled.
To see the problem first hand, compile the C code:

```sh
gcc -o leak-sploit leak-sploit.c -lssl
cp leak-sploit /var/www/html
cp install.php /var/www/html
cp foo-cert.pem /var/www/html
lynx http://localhost/install.php
```

Now, `ps -ef` to see how things are going:

```text
root     18176     1  6 15:58 ?        00:00:01 /usr/sbin/httpd
apache   18180 18176  0 15:58 ?        00:00:00 /usr/sbin/httpd
apache   18181 18176  0 15:58 ?        00:00:00 /usr/sbin/httpd
apache   18182 18176  0 15:58 ?        00:00:00 /usr/sbin/httpd
apache   18183 18176  0 15:58 ?        00:00:00 /usr/sbin/httpd
apache   18184 18176  0 15:58 ?        00:00:00 /usr/sbin/httpd
apache   18191     1  0 15:58 ?        00:00:00 /var/www/html/leak-sploit
```

So far, so good...

```sh
lynx https://localhost
```

And you should see the "You're owned" message.
This was tested on a fully up2date Red Hat 8.0 & 9 system.
The vendor has reportedly been notified.
Impact: A local user may be able to hijack the https service. In certain cases, a remote user with executable file upload privileges and PHP access may also be able to hijack the service.
Solution: No solution was available at the time of this entry.