[Bug 811428] [NEW] Apache does not honor -FollowSymlinks due to TOCTOU, which allows access to /proc/<pid>/ files
halfdog
me at halfdog.net
Sat Jul 16 08:55:17 UTC 2011
Public bug reported:
Apache 2.2.19 worker contains a TOCTOU problem when -FollowSymlinks is
configured, causing it to follow the link to any location. This only
occurs when a user other than www-data is allowed to modify parts of
the filesystem data currently served by Apache, e.g. the user's personal
web-space. Use the POC from
http://www.halfdog.net/Security/2011/ApacheNoFollowSymlinkTimerace/ to
dump /proc/<pid>/maps. Direct read from /proc/<pid>/mem using range
headers did not succeed on a Linux 3.0 kernel due to permission settings
in proc, but might be useful to get Apache memory, e.g. SSL keys, on
other architectures.
Ubuntu security was informed 20110625, reply:
========
httpd has never claimed (or attempted) to implement any security
restriction on following symlinks. This is mentioned in the current docs
for Options:
http://httpd.apache.org/docs/2.2/mod/core.html#options
"symlink testing is subject to race conditions that make it
circumventable"
You have some discussion in your document of the perspective. httpd's
support for running children as a less-privileged non-root user allows
admins to restrict the capabilities of those children. It is a
misconfiguration if the less-privileged user is allowed access to
privileged files; there is little httpd itself can do to prevent (or
detect) that situation.
Similarly, it is the admin's responsibility to consider what escalation
of privileges is possible by allowing less-trusted users to author
content.
=========
Still, it can be used to read the /proc/<pid>/maps memory layout remotely, which might be handy, e.g. when exploiting the Apache buffer overflow from https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811422
Not flagged as a security issue, due to the response from apache.org.
Public disclosure: http://seclists.org/fulldisclosure/2011/Jun/488
Discussion of the vulnerability on oss-security: http://seclists.org/oss-sec/2011/q3/68
# lsb_release -rd
Description: Ubuntu oneiric (development branch)
Release: 11.10
# apt-cache policy apache2-mpm-worker
apache2-mpm-worker:
Installed: 2.2.19-1ubuntu1
Candidate: 2.2.19-1ubuntu1
Version table:
*** 2.2.19-1ubuntu1 0
500 http://archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
100 /var/lib/dpkg/status
** Affects: apache2 (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/811428