Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] Fwd: [Full-disclosure] Local user to root escalation in apache 1.3.34 (Debian only)




--This is a forwarded message
From: Richard Thrippleton <ret28@xxxxxxxxx>
To: full-disclosure@xxxxxxxxxxxxxxxxx <full-disclosure@xxxxxxxxxxxxxxxxx>
Date: Monday, February 26, 2007, 9:11:23 PM
Subject: [Full-disclosure] Local user to root escalation in apache 1.3.34 (Debian only)

===8<==============Original message text===============
Version 1.3.34-4 of Apache in the Debian Linux distribution contains a hole
that allows a local user to access a root shell if the webserver has been
restarted manually. This bug does not exist in the upstream apache
distribution, and was patched in specifically by the Debian distribution. The
bug report is located at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357561 . At the time of
writing (over a month since the root hole was clarified), there has been no
official acknowledgement. It is believed that most of the developers are tied
up in more urgent work, getting the TI-86 distribution of Debian building in
time for release.

Unlike every other daemon, apache does not abdicate its controlling tty on
startup, and allows it to be inherited by a cgi script (for example, a local
user's CGI executed using suexec). When apache is manually restarted, the
inherited ctty is the stdin of the (presumably root) shell that invoked the new
instance of apache. Any process is permitted to invoke the TIOCSTI ioctl on the
fd corresponding to its ctty, which allows it to inject characters that appear
to come from the terminal master. Thus, a user-created CGI script can inject
and have executed any input into the shell that spawned apache.

As a Debian user, this concerns me greatly, as any non-privileged user would be
able to install non-free documentation (GFDL) on any system I run.

Richard

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

===8<===========End of original message text===========


-- 
~/ZARAZA
Smack the ENIACs in the face! (Lem)
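The forwarded post explains the mechanism: Apache kept its controlling terminal, a CGI process inherited it, and the TIOCSTI ioctl therefore had a target. As an added example (this is not code from the post, from Apache or from Debian), the following C program shows the defensive side: how a daemon gives up its controlling terminal before it spawns anything, and a check a CGI program can run to see whether a terminal was leaked to it. The helper names has_controlling_tty, count_inherited_ttys, detach_from_controlling_tty and redirect_stdio_to_devnull are assumptions of this example. The kernel behaviour it relies on is that open("/dev/tty") fails with ENXIO when the caller has no controlling terminal, and that TIOCSTI is refused (without CAP_SYS_ADMIN) on a terminal that is not the caller's ctty, so an inherited descriptor to the old terminal is no longer an injection target once the session has been detached.

```c
/* Added example, not part of the original post: detaching a daemon from its
 * controlling terminal and checking for a leaked tty.  Helper names are
 * hypothetical.  Linux/POSIX only. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Returns 1 if the calling process currently has a controlling terminal,
 * 0 otherwise.  /dev/tty always names the caller's ctty; the kernel refuses
 * the open (ENXIO) when there is none. */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Counts inherited descriptors 0..max_fd that refer to a terminal.  A CGI
 * program can call this at startup to detect a parent that leaked its tty. */
int count_inherited_ttys(int max_fd)
{
    int n = 0;
    for (int fd = 0; fd <= max_fd; fd++)
        if (isatty(fd))
            n++;
    return n;
}

/* Detaches the caller from its controlling terminal.  Returns 0 when the
 * process has no ctty afterwards, -1 on an unexpected failure.
 *
 * setsid() starts a new session, which by definition has no ctty.  It is
 * refused with EPERM when the caller already leads a process group (the
 * normal case for a job started by an interactive shell), so fall back to
 * TIOCNOTTY, which detaches just this process when it is not the session
 * leader.  Production daemons avoid the EPERM case by forking first, as
 * daemon(3) does. */
int detach_from_controlling_tty(void)
{
    if (setsid() == (pid_t)-1 && errno != EPERM)
        return -1;

    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;               /* no ctty left to give up */
    int rc = ioctl(fd, TIOCNOTTY);
    close(fd);
    return rc == 0 ? 0 : -1;
}

/* Points stdin/stdout/stderr at /dev/null so that children cannot reach the
 * old terminal through inherited descriptors at all.  Returns 0 on success. */
int redirect_stdio_to_devnull(void)
{
    int nul = open("/dev/null", O_RDWR);
    if (nul < 0)
        return -1;
    int rc = 0;
    for (int fd = 0; fd <= 2; fd++)
        if (dup2(nul, fd) < 0)
            rc = -1;
    if (nul > 2)
        close(nul);
    return rc;
}

int main(void)
{
    printf("before: ctty=%d inherited ttys=%d\n",
           has_controlling_tty(), count_inherited_ttys(255));
    if (detach_from_controlling_tty() != 0) {
        perror("detach_from_controlling_tty");
        return 1;
    }
    printf("after detach: ctty=%d inherited ttys=%d\n",
           has_controlling_tty(), count_inherited_ttys(255));
    if (redirect_stdio_to_devnull() != 0)
        return 1;
    /* From here on a child such as a CGI process sees no terminal at all. */
    return count_inherited_ttys(255) == 0 ? 0 : 1;
}
```

Run it from an interactive shell to see ctty go from 1 to 0; the leftover "inherited ttys" after the detach step are the shell's stdio descriptors, which is why the redirect to /dev/null is the second half of the fix and not an optional extra.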

Copyright © Lexa Software, 1996-2009.