Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2007.0240 -- [Win][UNIX/Linux] Apache HTTPD suEXEC Multiple Vulnerabilities 12 April 2007 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: suEXEC Publisher: iDEFENSE Operating System: UNIX variants (UNIX, Linux, OSX) Impact: Execute Arbitrary Code/Commands Access: Existing Account CVE Names: CVE-2007-1741 Original Bulletin: http://labs.idefense.com/intelligence/vulnerabilities/ - --------------------------BEGIN INCLUDED TEXT-------------------- Apache HTTPD suEXEC Multiple Vulnerabilities iDefense Security Advisory 04.11.07 http://labs.idefense.com/intelligence/vulnerabilities/ Apr 11, 2007 I. BACKGROUND The suexec binary is a helper application which is part of the Apache HTTP server package. It is designed to allow a script to run with the privileges of the owner of the script instead the privileges of the server. More information about the suexec utility can be found at the following URL. http://httpd.apache.org/docs/2.0/suexec.html II. DESCRIPTION Local exploitation of multiple vulnerabilities within Apache Software Foundation's suexec utility could allow an attacker to execute arbitrary code as another user. 1) Path Checking Race Condition Vulnerabilities One race condition occurs between the obtaining the current directory and changing to that directory. Another race condition occurs between changing to a directory and checking that the directory is not a link. The directory structure may change between each of these operations, which can lead to the lstat() being performed on an arbitrary directory chosen by an attacker. These may be exploited with by renaming a parent directory, or by using symbolic links. A third race condition occurs between the final symbolic link check and executing the target binary. The directory structure may change between these calls, rendering the symbolic link check ineffective. 2) Path Checking Design Error Vulnerabilities The suexec utility uses a strncmp() to check whether the current directory is a sub-directory of the document root directory. This check will succeed in situations where there exists a directory which begins with the same sequence, but contains extra content. For example, if the document root is "/var/www/html", the test will also succeed for "/var/www/html_backup" and "/var/www/htmleditor". A correct test would also perform a check that the next character is a trailing null-terminator or directory separator. A check performed does not verify whether a path to the CGI script (cmd) is a regular file or not. If the path is pointing at a sub-directory owned by the appropriate user and group, and the parent directory is owned by the appropriate user and group, it will be accepted. 3) Arbitrary Group Id Input Validation Vulnerability Due to a design error, the suexec binary permits any combination of user/group values taken from command line parameters even if the user is not a member of the specified group. This may be exploited in combination with other vulnerabilities if the /proc file system is mounted. Each time suexec drops its privileges and changes its UID and GID, all files and directories under /proc/{PID} change their owner to the corresponding values. As the suexec process changes its UID and GID unconditionally, creating arbitrary UID and GID owned files is trivial. III. ANALYSIS Exploitation of these vulnerabilities would allow a local attacker to execute arbitrary code with the privileges of another user. In order to exploit this vulnerability, the user must already have access to execute the suexec binary. The suexec binary is only able to be executed by the same user as the web server, typically user 'httpd', 'apache' or 'nobody'. It may be possible to gain access to this user by exploiting a CGI program, PHP script or other program on the server. The binary also limits the users it will execute code as to those which have user and group IDs greater than or equal to AP_UID_MIN and AP_GID_MIN values respectively. These values are compiled into the executable. These factors somewhat mitigate the severity of the problem. IV. DETECTION iDefense has confirmed the existence of these vulnerabilities in the suexec binary distributed with the version 2.2.3 of the Apache httpd in Red Hat Inc.'s Fedora Core 4. This distribution is not vulnerable in the default configuration, as exploitation requires additional, but common, configuration changes to be made to the system. It is suspected that all previous versions of suexec are vulnerable, including the 1.3.x versions. V. WORKAROUND If the suexec binary is not required for normal operation, remove the set-uid bit from the file as shown below. # chmod -s /path/to/suexec VI. VENDOR RESPONSE The Apache Software Foundation HTTPD team declined to address the vulnerabilities and instead provided the following vendor statement. "The attacks described rely on an insecure server configuration - that the unprivileged user the server runs as has write access to the document root. The suexec tool cannot detect all possible insecure configurations, nor can it protect against privilege "escalation" in all such cases. It is important to note that to be able to invoke suexec, the attacker must also first gain the ability to execute arbitrary code as the unprivileged server user." VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-1741 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 02/08/2006 Initial vendor notification 10/06/2006 Second vendor notification 03/28/2007 Third vendor notification 03/28/2007 Initial vendor response 04/11/2007 Public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2007 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRh28Tih9+71yA2DNAQJcVwP/Ung4x5taxxJxqDzJChq4uI1aShNuadEy BnuKr4fffvEbAAe0t+7XJr2S52uHJ5VqnXP/VmxDEqiMTqX8uUB0CKEO5ztYZk1Q z54j/iStE/pOV10PJxSw2FQ2dMNxm8Labv8pt1Rdrr6j4N2y7aPAqndBQ4HI1yU1 MELLzWojtGY= =5Fbg -----END PGP SIGNATURE-----