10657416 2003-09-07 19:46 -0400 /65 lines/ Jon Hart <warchild@spoofed.org>
Imported: 2003-09-08 20:12 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28861>
Subject: Apache::Gallery local webserver compromise, privilege escalation
------------------------------------------------------------
From: Jon Hart <warchild@spoofed.org>
To: bugtraq@securityfocus.com
Message-ID: <20030907234633.GD4575@spoofed.org>

Greetings,

Apache::Gallery (http://apachegallery.dk) is a free and popular perl
module that, in combination with mod_perl and Apache, provides a
powerful and customizable web gallery of your photographs.

A::G unfortunately misuses Inline::C to create shared libraries.  From the
Inline::C documentation:

	"It is probably best to have a separate '.Inline/' directory
	for each project that you are working on. You may want to
	keep stable code in the <.Inline/> in your home directory. On
	multi-user systems, each user should have their own
	'.Inline/' directories. It could be a security risk to put
	the directory in a shared place like "/tmp/"."

At line 27 in Gallery.pm, we see the following:

	use Inline (C => Config =>
	            LIBS => '-L/usr/X11R6/lib -lImlib2 -lm -ldl -lXext -lXext',
	            INC => '-I/usr/X11R6/include',
	            UNTAINT => 1,
	            DIRECTORY => File::Spec->tmpdir()
	            );

File::Spec->tmpdir() returns the first writable temporary directory.
On most UNIX platforms, this will return /tmp or $ENV{TMPDIR}, which
is almost always world writable.

Once this directory is found, a series of predictable filenames and
directories are created.  On my test systems, this was always:

	$ ls /tmp/lib/auto/Apache/Gallery_4033
	Gallery_4033.bs  Gallery_4033.inl  Gallery_4033.so

Since /tmp is world writable, if we can inject the proper files into
/tmp/lib/auto/Apache/Gallery_4033 before the Apache process does, we
can get it to load our own malicious shared libraries.

The one thing that makes this attack difficult is that you'll likely
need to get /tmp/lib cleared first.  However, this directory will
likely get cleared on reboot, so a malicious local attacker need only
wait until that time.  What results is a privilege escalation attack
to the uid of the user running the webserver, which is typically
apache/www/nobody or a normal user if suEXEC or something like
cgiwrap is in use.
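A defensive check for the root cause described above, added here as an example that is not part of the advisory or of Apache::Gallery: it is written in Python rather than the module's Perl, and `unsafe_components`, `demo` and the `trusted_root` parameter are names chosen for this example. It applies the ownership and sticky-bit policy to an Inline-style cache directory and every ancestor, which is exactly what taking File::Spec->tmpdir() at face value skips.

```python
import os
import stat
import tempfile
from pathlib import Path

def unsafe_components(directory, trusted_root="/"):
    """Reasons `directory` is unsafe as a cache for code a privileged process
    will later load (e.g. Inline's DIRECTORY); an empty list means it passed.
    Every component below `trusted_root` must be a real directory (no symlink)
    owned by root or the current euid. The cache dir itself must not be
    group/world writable; an ancestor may be only if sticky (as /tmp is)."""
    path = Path(os.path.abspath(directory))
    trusted = Path(os.path.abspath(trusted_root))
    reasons = []
    for p in [path, *path.parents]:
        if p == trusted:
            break
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            reasons.append(f"{p}: does not exist")
            continue
        if stat.S_ISLNK(st.st_mode):
            reasons.append(f"{p}: is a symlink")
            continue
        if st.st_uid not in (0, os.geteuid()):
            reasons.append(f"{p}: owned by uid {st.st_uid}, not root or the current euid")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            if p == path:
                reasons.append(f"{p}: cache directory is group/world writable")
            elif not st.st_mode & stat.S_ISVTX:
                reasons.append(f"{p}: group/world writable without sticky bit")
    return reasons

def demo():
    """Constructed check: a private 0700 cache dir passes; a world-writable
    one, like a shared /tmp/lib created by someone else, is reported."""
    base = tempfile.mkdtemp(prefix="inline_dir_check_")  # mkdtemp uses mode 0700
    private, shared = (os.path.join(base, n) for n in ("private", "shared"))
    os.mkdir(private, 0o700)
    os.mkdir(shared)
    os.chmod(shared, 0o777)  # explicit chmod, since umask would strip the bits
    result = {
        "private_reasons": unsafe_components(private, trusted_root=base),
        "shared_reasons": unsafe_components(shared, trusted_root=base),
    }
    for d in (private, shared, base):
        os.rmdir(d)
    return result
```

Run it against the value Inline would receive (here File::Spec->tmpdir(), typically /tmp): a /tmp/lib owned by another local user, or left writable by others, is reported before anything is compiled into or loaded from it.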

You can find a sample exploit at:

	http://spoofed.org/files/Gallery_4033.c

Thanks to Michael Legart, Andreas Plesner and the rest of the
Apache::Gallery team for a prompt response and fix.  You can get the
latest version of Apache::Gallery which fixes this problem by
removing Inline::C at:

	http://svn.apachegallery.dk/snapshots/

-jon
(10657416) /Jon Hart <warchild@spoofed.org>/(Reflowed)