Re: [Full-disclosure] Apache 2.0.63 - 2.2.19 Remote Exploit Fake or not?



On 06/17/2011 11:56 AM, Kai wrote:
>> Claiming to gain root through a service that most people do not run as
>> root already makes me think that this is fake.
>
> do not forget about mpm-itk, mpm-peruser and analogs, when we have to
> run apache as root.

True, and I cannot really say how many people use these
modules/functions. But nevertheless I assume it's not the majority. So I
assume claiming to have an exploit that gains root on any Apache without
making further restrictions to when it can be applied seems fake. In the
case of mpm-itk for example I think the impact of exploiting the forked
instance you talk to would be no more than gaining access at the level
of the user that owns the vhost, as the forked child will drop root
immediately and run under user's uid/gid. Of course it's still possible
to find a root hole somewhere in there, but then again I guess it would
be itk specific.


Best,

Chris

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
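
The point discussed in this thread, which uid the Apache processes actually run under, can be checked on a host. The following is an added example, not part of the original messages: it classifies Apache processes from `ps` output, and the sample listing and the binary names `apache2`/`httpd` are constructed assumptions.

```python
import subprocess
import sys

# Constructed sample of `ps -eo pid,ppid,euser,comm` output (not from the thread).
SAMPLE_PS = """\
  PID  PPID EUSER    COMMAND
 1201     1 root     apache2
 1210  1201 www-data apache2
 1211  1201 www-data apache2
 1305  1201 root     apache2
 1400     1 root     sshd
"""

APACHE_NAMES = {"apache2", "httpd"}  # assumed binary names; adjust per distro


def parse_ps(text):
    """Turn ps output into dicts, skipping the header and malformed lines."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit() and parts[1].isdigit():
            rows.append({"pid": int(parts[0]), "ppid": int(parts[1]),
                         "user": parts[2], "comm": parts[3].strip()})
    return rows


def audit(rows):
    """Return (pid, user, role, verdict) for every Apache process."""
    apache = {r["pid"]: r for r in rows if r["comm"] in APACHE_NAMES}
    report = []
    for pid in sorted(apache):
        r = apache[pid]
        is_root = r["user"] == "root"
        if r["ppid"] in apache:
            # A worker still running as root means a worker compromise is a root compromise.
            report.append((pid, r["user"], "worker", "review" if is_root else "ok"))
        else:
            # The master usually stays root to bind ports 80/443 and fork workers.
            report.append((pid, r["user"], "master", "expected" if is_root else "unprivileged"))
    return report


def root_workers(rows):
    """PIDs of Apache workers that have not dropped root."""
    return [pid for pid, _, role, verdict in audit(rows) if role == "worker" and verdict == "review"]


if __name__ == "__main__":
    live = "--live" in sys.argv  # --live reads the real process table (Linux procps)
    text = subprocess.run(["ps", "-eo", "pid,ppid,euser,comm"], capture_output=True,
                          text=True).stdout if live else SAMPLE_PS
    for entry in audit(parse_ps(text)):
        print(entry)
```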
