[Bug 811428] [NEW] Apache does not honor -FollowSymlinks due to TOCTOU, which allows access to /proc/<pid>/ files

halfdog me at halfdog.net
Sat Jul 16 08:55:17 UTC 2011


Public bug reported:

Apache 2.2.19 worker contains a TOCTOU problem when -FollowSymlinks is
configured, causing it to follow the link to any location. This only
occurs when a user other than www-data is allowed to modify parts of
the filesystem data currently served by apache, e.g. the user's personal
web-space. Use the POC from
http://www.halfdog.net/Security/2011/ApacheNoFollowSymlinkTimerace/ to
dump /proc/<pid>/maps. Direct read from /proc/<pid>/mem using range
headers did not succeed on a Linux 3.0 kernel due to permission settings
in proc, but might be useful to get apache memory, e.g. SSL keys, on
other architectures.

Ubuntu security was informed 20110625, reply:

========

httpd has never claimed (or attempted) to implement any security
restriction on following symlinks. This is mentioned in the current docs
for Options:

  http://httpd.apache.org/docs/2.2/mod/core.html#options

"symlink testing is subject to race conditions that make it
circumventable"

You have some discussion in your document of the perspective.  httpd's
support for running children as a less-privileged non-root user allows
admins to restrict the capabilities of those children.  It is a
misconfiguration if the less-privileged user is allowed access to
privileged files; there is little httpd itself can do to prevent (or
detect) that situation.

Similarly, it is the admin's responsibility to consider what escalation
of privileges is possible by allowing less-trusted users to author
content.

========


Still, it can be used to read the /proc/<pid>/maps memory layout remotely,
which might be handy, e.g. when exploiting the apache buffer overflow from
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811422

Not flagged as a security issue, due to the response from apache.org.
Public disclosure: http://seclists.org/fulldisclosure/2011/Jun/488
Discussion of the vulnerability on the open-source-security list:
http://seclists.org/oss-sec/2011/q3/68

# lsb_release -rd
Description:    Ubuntu oneiric (development branch)
Release:        11.10

# apt-cache policy apache2-mpm-worker
apache2-mpm-worker:
  Installed: 2.2.19-1ubuntu1
  Candidate: 2.2.19-1ubuntu1
  Version table:
 *** 2.2.19-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
        100 /var/lib/dpkg/status

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/811428

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811428/+subscriptions



More information about the Ubuntu-server-bugs mailing list