[UNIX] Apache Local User to Root Escalation
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 26 Mar 2007 22:18:21 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Apache Local User to Root Escalation
------------------------------------------------------------------------
SUMMARY
A vulnerability in way debian's version of Apache handles cttys allows
local users to gain elevated privileges if the root has manually restarted
the Apache service.
DETAILS
Vulnerable Systems:
* Apache version 1.3.34-4 (Debian only)
Unlike every other daemon, apache does not abdicate its controlling tty on
startup, and allows it to be inherited by a cgi script (for example, a
local user's CGI executed using suexec). When apache is manually
restarted, the inherited ctty is the stdin of the (presumably root) shell
that invoked the new instance of apache. Any process is permitted to
invoke the TIOCSTI ioctl on the fd corresponding to its ctty, which allows
it to inject characters that appear to come from the terminal master.
Thus, a user created CGI script can inject and have executed any input
into the shell that spawned apache.
ADDITIONAL INFORMATION
The information has been provided by <mailto:ret28@xxxxxxxxx> Richard
Thrippleton.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NEWS] hpaftpd Multiple Buffer Overflows
- Previous by thread: [NEWS] hpaftpd Multiple Buffer Overflows
- Index(es):
Relevant Pages
- [EXPL] Apache mod_rewrite Off-By-One (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... found in mod_rewrite apache
module to the bugtraq mailing list. ... raised when mod_rewrite is dealing with an LDAP
URL, ... # Vulnerability discovered by Mark Dowd. ... (Securiteam) - [NEWS] Apache Multiple Injection Vulnerabilities
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Apache Multiple Injection Vulnerabilities
... Apache is the most widely deployed web server in the Internet. ... (Securiteam) - [UNIX] Apache HTTPd Arbitrary Long HTTP Headers DoS
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The <http://httpd.apache.org/>
Apache Software Foundation's HTTP Server ... * Apache web server version 2.0.49, ...
It is possible to consume arbitrary amount of memory using a specially ... (Securiteam) - [NEWS] Apache "mod_rewrite" LDAP URI Handling Remote Off-By-One Buffer Overflow
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A vulnerability has been identified
in Apache, ... which could be exploited by remote attackers to execute arbitrary
... Off-by-one error in the the LDAP scheme handling in the Rewrite module ... (Securiteam)
