Apache mod_perl File Descriptor Leak May Let Local Users Hijack the http and https Services
Category: Vulnerability Posted: 2004-01-26 by ReCall Views: 368

Details
Description: A vulnerability was reported in mod_perl for the Apache web server. A local user can hijack the Apache http and https services.
Steve Grubb reported that mod_perl running on Apache 2.0.x leaks critical file descriptors into the Perl scripts it executes. A local user who can place a Perl script where mod_perl will run it inherits the leaked descriptor, and by serving requests on it can take control of the affected service.
A demonstration exploit:
The technique is simple.
1) Fork and daemonize yourself.
2) Do something evil to apache.
3) Select on the leaked descriptor and start serving pages.
At the end of this advisory is a proof-of-concept program that you can run under mod_perl. It is assumed that paying customers can ftp anything they want into their website and mod_perl scripting is enabled.
cp mod_perl-sploit.pl /var/www/perl
lynx http://localhost/perl/mod_perl-sploit.pl
Now, ps -ef to see how things are going:
apache 3107 2652 0 17:00 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2
apache 3108 2640 0 17:00 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2
So far, so good...
lynx http://localhost
And you should see the "You're owned" message. The really sneaky part is that 'ps -ef' gives only a minor hint that apache has been replaced. The only way to tell something is abnormal is that there's only 2 apache instances when a normal Mandrake server in its default configuration shows 5 instances. But, forking off a few decoy children should be easy enough to do.
This was tested on a fully updated Mandrake 9.2 system.
One other side note, env_audit only showed the normal 3 open descriptors when run on a Red Hat 9 machine. This would indicate a difference in the implementation of mod_perl between the 2 distributions.
Because env_audit is run as an exec'd program, it may not be able to "see" all the descriptors that are available to native mod_perl programs.
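The side note above is the check a practitioner wants to make on their own server: which descriptors does a script actually inherit when it runs inside the httpd worker, and which of them is a listening socket. The script below is an added illustration written for this entry; it is neither the env_audit tool nor the proof-of-concept the advisory refers to. It runs in the worker itself (as a CGI or under a mod_perl registry handler), so unlike an exec'd program it also sees descriptors marked close-on-exec, which is the reason an exec'd env_audit can under-report. It assumes a Linux /proc filesystem (the fdinfo "flags" field only reports close-on-exec on kernels 3.1 and later) and the hypothetical file name fd_audit.pl.

```perl
#!/usr/bin/perl
# fd_audit.pl: list every descriptor the current process holds, mark the
# sockets, and flag any that is a LISTENing TCP socket, i.e. an Apache
# listener the handler should never have been handed.
# Added illustration for this advisory; not Steve Grubb's env_audit and not
# his proof-of-concept. Assumes Linux with /proc (fdinfo flags: kernel >= 3.1).
use strict;
use warnings;

# Map socket inode -> "STATE local_ip:port" from /proc/net/tcp and tcp6.
sub tcp_sockets_by_inode {
    my %by_inode;
    for my $table (qw(/proc/net/tcp /proc/net/tcp6)) {
        open(my $fh, '<', $table) or next;
        my $header = <$fh>;                       # skip column header
        while (my $line = <$fh>) {
            my @f = split ' ', $line;
            next unless @f >= 10;
            my ($local, $state, $inode) = @f[1, 3, 9];
            my ($hexip, $hexport) = split /:/, $local;
            my $port = hex $hexport;
            # IPv4 is printed as a little-endian 32-bit hex word on x86;
            # IPv6 addresses are left in the kernel's hex form.
            my $ip = length($hexip) == 8
                   ? join('.', reverse unpack('C4', pack('H8', $hexip)))
                   : $hexip;
            my $st = $state eq '0A' ? 'LISTEN' : "state=0x$state";
            $by_inode{$inode} = "$st $ip:$port";
        }
        close $fh;
    }
    return \%by_inode;
}

# Audit the calling process's descriptors. Under mod_perl /proc/self is the
# httpd worker, which is exactly the process whose descriptors leak.
sub audit_fds {
    my $tcp = tcp_sockets_by_inode();
    opendir(my $dh, '/proc/self/fd') or die "opendir /proc/self/fd: $!";
    my @fds = sort { $a <=> $b } grep { /^\d+$/ } readdir $dh;
    closedir $dh;   # our own readdir handle was in @fds; it is gone now

    my @out;
    for my $fd (@fds) {
        my $link = readlink("/proc/self/fd/$fd");
        next unless defined $link;   # closed between readdir and now
        my %e = (fd => $fd, target => $link, cloexec => '?', listen => 0);

        # fdinfo "flags:" is octal; 02000000 is O_CLOEXEC on Linux.
        # A descriptor with cloexec=1 is invisible to an exec'd auditor
        # but fully usable by Perl code running inside the worker.
        if (open(my $fi, '<', "/proc/self/fdinfo/$fd")) {
            while (my $l = <$fi>) {
                $e{cloexec} = (oct($1) & 02000000) ? 1 : 0
                    if $l =~ /^flags:\s*(\d+)/;
            }
            close $fi;
        }
        if ($link =~ /^socket:\[(\d+)\]$/) {
            my $d = $tcp->{$1};
            if ($d) {
                $e{tcp}    = $d;
                $e{listen} = 1 if $d =~ /^LISTEN/;
            }
        }
        push @out, \%e;
    }
    return @out;
}

# Plain-text report; works as a CGI or under ModPerl::Registry with
# PerlOptions +ParseHeaders.
print "Content-Type: text/plain\r\n\r\n";
my $listeners = 0;
for my $e (audit_fds()) {
    $listeners++ if $e->{listen};
    printf "fd %-3d cloexec=%s %s%s%s\n",
        $e->{fd}, $e->{cloexec}, $e->{target},
        $e->{tcp}    ? " [$e->{tcp}]"               : '',
        $e->{listen} ? "  <-- inherited listener" : '';
}
print "\n$listeners listening socket(s) inherited by this handler\n";
```

A clean deployment prints only the usual stdin/stdout/stderr, the log files and at most the connection socket for the current request; any line marked as an inherited listener is the descriptor the advisory describes, and a "cloexec=1" listener is the case an exec'd auditor would miss.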
Impact: A local user with CGI script permissions can take control of the running Apache http or https daemon.
Solution: No solution was available at the time of this entry.