Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apache :: bt1017.txt

Apache::Gallery local webserver compromise, privilege escalation





Greetings,

Apache::Gallery (http://apachegallery.dk) is a free and popular perl module
that, in combination with mod_perl and Apache, provides a powerful and
customizable web gallery of your photographs.

A::G unfortunately misuse Inline::C to created shared libraries.  From the
Inline::C documentation:

	"It is probably best to have a separate '.Inline/' directory for each
	project that you are working on. You may want to
	keep stable code in the <.Inline/> in your home directory. On
	multi-user systems, each user should have their own '.Inline/'
	directories. It could be a security risk to put the directory in a
	shared place like "/tmp/"."

At line 27 in Gallery.pm, we see the following:

	use Inline (C => Config =>
            LIBS => '-L/usr/X11R6/lib -lImlib2 -lm -ldl -lXext -lXext',
				INC => '-I/usr/X11R6/include',
				UNTAINT => 1,
				DIRECTORY =>
				File::Spec->tmpdir()
				);

File::Spec->tmpdir() returns the first writable temporary directory.  On
most UNIX platforms, this will return /tmp or $ENV{TMPDIR}, which is almost
always world writable. 

Once this directory is found, a series of predictable filenames and
directories are created.  On my test systems, this was always:

	$  ls /tmp/lib/auto/Apache/Gallery_4033 
	Gallery_4033.bs  Gallery_4033.inl  Gallery_4033.so

Since /tmp is world writable, if we can inject the proper files into
/tmp/lib/auto/Apache/Gallery_4033 before the Apache process does, we can
get it to load our own malicious shared libraries.

The one thing that makes this attack difficult is that you'll likely need
to get /tmp/lib cleared first.  However, this directory will likely get
cleared on reboot, so a malicious local attacker need only wait until that
time.  What results is a privilege escalation attack to the uid of the user
running the webserver, which is typically apache/www/nobody or a normal
user if suEXEC or something like cgiwrap is in use. 

You can find a sample exploit at:

	http://spoofed.org/files/Gallery_4033.c

Thanks to Michael Legart, Andreas Plesner and the rest of the
Apache::Gallery team for a prompt response and fix.  You can get the latest
version of Apache::Gallery which fixes this problem by removing Inline::C
at:

	http://svn.apachegallery.dk/snapshots/

-jon


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH