Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apache :: web5733.htm

Apache permits process shutdown with scripting via shared memory scoreboard



4th Oct 2002 [SBWID-5733]
COMMAND

	Apache  permits  process  shutdown  with  scripting  via  shared  memory
	scoreboard

SYSTEMS AFFECTED

	Apache 1.3.x

PROBLEM

	Thanks to zen-parse [zen-parse@gmx.net]  who  disclosed  this  issue  to
	iDEFENSE, David Endler [dendler@idefense.com]  [http://www.idefense.com]
	posted :
	

	Apache HTTP  Server  contains  a  vulnerability  in  its  shared  memory
	scoreboard. Attackers who can execute commands under the Apache UID  can
	either send a (SIGUSR1) signal to any process as  root,  in  most  cases
	killing the process, or launch a local denial of service (DoS) attack.
	

	Exploitation requires execute permission under the Apache UID. This  can
	be obtained by  any  local  user  with  a  legitimate  Apache  scripting
	resource (ie:  PHP,  Perl),  exploiting  a  vulnerability  in  web-based
	applications written in the above example languages, or through the  use
	of some other local/remote Apache exploit.
	

	Once such a status is attained, the attacker  can  then  attach  to  the
	httpd daemon's 'scoreboard', which is stored in a shared memory  segment
	owned by Apache. The attacker can then cause  a  DoS  condition  on  the
	system by continuously filling the table with null  values  and  causing
	the server to spawn new children.
	

	The attacker also has the ability to send any process a  SIGUSR1  signal
	as  root.  This  is  accomplished  by   continuously   overwriting   the
	parent[].pid and parent[].last_rtime segments within the  scoreboard  to
	the pid of the target process and a time in the past.  When  the  target
	pid receives the signal SIGUSR1, it will react according to  how  it  is
	designed to manage  the  signal.  According  to  the  man  page  (man  7
	signal), if the signal is un-handled  then  the  default  action  is  to
	terminate:
	

	     ...

	     SIGUSR1 30,10,16 A User-defined signal 1

	     ...

	     The letters in the "Action" column have the following meanings:

	

	     A Default action is to terminate the process.

	     ...

	

	iDEFENSE successfully terminated arbitrary  processes,  including  those
	that "kicked" people off the system.

SOLUTION

	Apache HTTP Server 1.3.27 fixes this problem. It should be available  on
	October 3 at :
	

	 http://www.apache.org/dist/httpd/

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH