Vulnerability Development mailing list archives

Apache 2.x leaked descriptors


From: Steve Grubb <linux_4ever () yahoo com>
Date: 21 Feb 2003 17:20:48 -0000



Hello,

I noticed a problem with apache 2.x back in October and contacted the 
apache security team with the problem. They've had about 4 months to do 
something with the problem but haven't seen fit to fix it yet. The last 
time I tried to status their progress no one replied to my query.

I was playing around with env_audit studying various properties of 
environments created for child processes. (Study is here -
http://www.web-insights.net/env_audit/environments.pdf ) Out of this, I 
noticed that apache 2.x leaks 2 open descriptors for each website on a 
machine and the main access & error log for the daemon. These open 
descriptors go to the access and error log of each website.

It appears that every cgi environment has this problem. For example put 
this in a .shtml file:

<!--#exec cmd="ls -l /proc/$$/fd" -->

and open the page with your browser. (I know you can do much worse with 
#exec commands, but this illustrates these descriptors are *open* for 
business in a very common module.) If anyone has the ability to use a 
language on the server that can issues commands to an open descriptor,
there are many things that could happen. 

Sandboxes & Jails might not help unless they stat every descriptor between 
3 & OPENMAX-1 and close it. These descriptors are inherited open.

It is normal practice for webhosting companies to put multiple clients on 
the same machine. What kind of scripting capabilities they give you, if 
any, varies. If they give you *any* scripting capabilities and the machine 
runs apache 2.x, then cgi-bin programs can possibly: poison the logs of 
other sites on the same machine, place malicious content for log analysis 
programs, delete access log via ftruncate, see what pages or cgi-bins are 
being accessed on neighboring sites, or read anything dumped into error 
logs of neighboring websites. 

This could be a real problem when you consider the weblog analizers that 
read the access files. In the past, there have been vulnerable versions of 
these programs. It would appear that its possible to put bad entries in 
the logs that would affect the vulnerable log analizers.

I also looked at PHP, <http://bugs.php.net/bug.php?id=20302>, and found 
that it also leaks an open descriptor to the script being executed. This 
presents the opportunity to overwrite/modify a script being executed or 
even deleting the script.

There are so many apache modules that I'm sure there are more problems 
than what I listed in my report. Apache 1.3.27 is fine. The problems are 
only in 2.x which is what ships on Red Hat 8.0. Red Hat 8.0 does not ship 
an older version of apache. The env_audit program has been around for a 
couple of years, so I assume anyone with some curiosity & motivation 
already knows everything in the report or what I just mentioned. 

So, are there any possibilitiies with this problem?

-Steve Grubb


Current thread: