Apache 2.x leaked descriptors

From: Steve Grubb (linux_4ever@yahoo.com)
Date: 02/21/03

    Date: 21 Feb 2003 17:20:48 -0000
    From: Steve Grubb <linux_4ever@yahoo.com>
    To: vuln-dev@securityfocus.com

    Hello,

    I noticed a problem with apache 2.x back in October and contacted the
    apache security team with the problem. They've had about 4 months to do
    something with the problem but haven't seen fit to fix it yet. The last
    time I tried to status their progress no one replied to my query.

    I was playing around with env_audit studying various properties of
    environments created for child processes. (Study is here -
    http://www.web-insights.net/env_audit/environments.pdf ) Out of this, I
    noticed that apache 2.x leaks 2 open descriptors for each website on a
    machine and the main access & error log for the daemon. These open
    descriptors go to the access and error log of each website.

    It appears that every cgi environment has this problem. For example put
    this in a .shtml file:

    <!--#exec cmd="ls -l /proc/$$/fd" -->

    and open the page with your browser. (I know you can do much worse with
    #exec commands, but this illustrates these descriptors are *open* for
    business in a very common module.) If anyone has the ability to use a
    language on the server that can issue commands to an open descriptor,
    there are many things that could happen.

    Sandboxes & Jails might not help unless they stat every descriptor between
    3 & OPENMAX-1 and close it. These descriptors are inherited open.

    It is normal practice for webhosting companies to put multiple clients on
    the same machine. What kind of scripting capabilities they give you, if
    any, varies. If they give you *any* scripting capabilities and the machine
    runs apache 2.x, then cgi-bin programs can possibly: poison the logs of
    other sites on the same machine, place malicious content for log analysis
    programs, delete access log via ftruncate, see what pages or cgi-bins are
    being accessed on neighboring sites, or read anything dumped into error
    logs of neighboring websites.

    This could be a real problem when you consider the weblog analyzers that
    read the access files. In the past, there have been vulnerable versions of
    these programs. It would appear that it's possible to put bad entries in
    the logs that would affect the vulnerable log analyzers.

    I also looked at PHP, <http://bugs.php.net/bug.php?id=20302>, and found
    that it also leaks an open descriptor to the script being executed. This
    presents the opportunity to overwrite/modify a script being executed or
    even deleting the script.

    There are so many apache modules that I'm sure there are more problems
    than what I listed in my report. Apache 1.3.27 is fine. The problems are
    only in 2.x which is what ships on Red Hat 8.0. Red Hat 8.0 does not ship
    an older version of apache. The env_audit program has been around for a
    couple of years, so I assume anyone with some curiosity & motivation
    already knows everything in the report or what I just mentioned.

    So, are there any possibilities with this problem?

    -Steve Grubb
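The post notes that a sandbox or jail only helps if it walks every descriptor from 3 up to OPENMAX-1 and closes it before the child runs. The following is an added example, not code from the post or from Apache, showing that mitigation as a small C helper a CGI wrapper could call right before exec(); the function names are my own, and the descriptor ceiling comes from sysconf(_SC_OPEN_MAX) with an assumed fallback of 1024.

```c
/* Added example: audit and close descriptors inherited across fork/exec.
 * Mirrors the mitigation described in the post: walk every descriptor from
 * lowfd up to OPEN_MAX-1, test whether it is open, and close it before
 * running untrusted code. Not Apache's code; the names here are assumptions. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Highest descriptor number to consider, from sysconf() with a fallback. */
static int max_fd(void)
{
    long n = sysconf(_SC_OPEN_MAX);
    return (n > 0 && n < 65536) ? (int)n : 1024;
}

/* Count descriptors in [lowfd, max_fd()) that are currently open.
 * fcntl(F_GETFD) fails with EBADF on a closed slot and touches nothing else;
 * any other failure is treated conservatively as "open". */
int count_open_fds(int lowfd)
{
    int count = 0;
    for (int fd = lowfd; fd < max_fd(); fd++)
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            count++;
    return count;
}

/* Close every open descriptor in [lowfd, max_fd()). Returns how many were
 * closed. A sandbox or CGI wrapper would call this with lowfd = 3 just
 * before exec() so the child cannot reach the parent's log files. */
int close_fds_from(int lowfd)
{
    int closed = 0;
    for (int fd = lowfd; fd < max_fd(); fd++)
        if (close(fd) == 0)
            closed++;
    return closed;
}

int main(void)
{
    /* Stand-alone demo: report what this process inherited, then clean up.
     * On Linux, `ls -l /proc/self/fd` run beforehand shows where each
     * descriptor points, which is how the post spotted the log files. */
    printf("open descriptors >= 3 before cleanup: %d\n", count_open_fds(3));
    printf("closed %d descriptor(s)\n", close_fds_from(3));
    printf("open descriptors >= 3 after cleanup: %d\n", count_open_fds(3));
    return 0;
}
```

Run it under the CGI module in question (or from any wrapper that execs untrusted scripts) to confirm that nothing above stderr survives into the child.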


