Vuln Dev
Back to list
|
Post reply
Apache 2.x leaked descriptors
Feb 21 2003 05:20PM
Steve Grubb (linux_4ever yahoo com)
(3 replies)
Hello,
I noticed a problem with apache 2.x back in October and contacted the
apache security team with the problem. They've had about 4 months to do
something with the problem but haven't seen fit to fix it yet. The last
time I tried to status their progress no one replied to my query.
I was playing around with env_audit studying various properties of
environments created for child processes. (Study is here -
http://www.web-insights.net/env_audit/environments.pdf ) Out of this, I
noticed that apache 2.x leaks 2 open descriptors for each website on a
machine and the main access & error log for the daemon. These open
descriptors go to the access and error log of each website.
It appears that every cgi environment has this problem. For example put
this in a .shtml file:
<!--#exec cmd="ls -l /proc/$$/fd" -->
and open the page with your browser. (I know you can do much worse with
#exec commands, but this illustrates these descriptors are *open* for
business in a very common module.) If anyone has the ability to use a
language on the server that can issues commands to an open descriptor,
there are many things that could happen.
Sandboxes & Jails might not help unless they stat every descriptor between
3 & OPENMAX-1 and close it. These descriptors are inherited open.
It is normal practice for webhosting companies to put multiple clients on
the same machine. What kind of scripting capabilities they give you, if
any, varies. If they give you *any* scripting capabilities and the machine
runs apache 2.x, then cgi-bin programs can possibly: poison the logs of
other sites on the same machine, place malicious content for log analysis
programs, delete access log via ftruncate, see what pages or cgi-bins are
being accessed on neighboring sites, or read anything dumped into error
logs of neighboring websites.
This could be a real problem when you consider the weblog analizers that
read the access files. In the past, there have been vulnerable versions of
these programs. It would appear that its possible to put bad entries in
the logs that would affect the vulnerable log analizers.
I also looked at PHP, <http://bugs.php.net/bug.php?id=20302>, and found
that it also leaks an open descriptor to the script being executed. This
presents the opportunity to overwrite/modify a script being executed or
even deleting the script.
There are so many apache modules that I'm sure there are more problems
than what I listed in my report. Apache 1.3.27 is fine. The problems are
only in 2.x which is what ships on Red Hat 8.0. Red Hat 8.0 does not ship
an older version of apache. The env_audit program has been around for a
couple of years, so I assume anyone with some curiosity & motivation
already knows everything in the report or what I just mentioned.
So, are there any possibilitiies with this problem?
-Steve Grubb
[ reply ]
Re: Apache 2.x leaked descriptors
Mar 13 2003 12:51PM
Joe Orton (jorton redhat com)
Re: Apache 2.x leaked descriptors
Feb 22 2003 10:46PM
jon schatz (jon divisionbyzero com)
(1 replies)
Re: Apache 2.x leaked descriptors
Feb 24 2003 12:46AM
David M. Wilson (dw-securityfocus com botanicus net)
(1 replies)
Re: Apache 2.x leaked descriptors
Feb 24 2003 09:58PM
Christian Kratzer (ck cksoft de)
(1 replies)
Re: Apache 2.x leaked descriptors
Feb 25 2003 05:27PM
Brian Hatch (vuln-dev ifokr org)
(1 replies)
Re: Apache 2.x leaked descriptors
Feb 25 2003 05:34PM
Christian Kratzer (ck cksoft de)
(1 replies)
Re: Apache 2.x leaked descriptors
Feb 26 2003 07:56PM
Bjoern A. Zeeb (bzeeb-lists lists zabbadoz net)
Re: Apache 2.x leaked descriptors
Feb 22 2003 12:43PM
Christian Kratzer (ck cksoft de)
Privacy Statement
Copyright 2010, SecurityFocus
Hello,
I noticed a problem with apache 2.x back in October and contacted the
apache security team with the problem. They've had about 4 months to do
something with the problem but haven't seen fit to fix it yet. The last
time I tried to status their progress no one replied to my query.
I was playing around with env_audit studying various properties of
environments created for child processes. (Study is here -
http://www.web-insights.net/env_audit/environments.pdf ) Out of this, I
noticed that apache 2.x leaks 2 open descriptors for each website on a
machine and the main access & error log for the daemon. These open
descriptors go to the access and error log of each website.
It appears that every cgi environment has this problem. For example put
this in a .shtml file:
<!--#exec cmd="ls -l /proc/$$/fd" -->
and open the page with your browser. (I know you can do much worse with
#exec commands, but this illustrates these descriptors are *open* for
business in a very common module.) If anyone has the ability to use a
language on the server that can issues commands to an open descriptor,
there are many things that could happen.
Sandboxes & Jails might not help unless they stat every descriptor between
3 & OPENMAX-1 and close it. These descriptors are inherited open.
It is normal practice for webhosting companies to put multiple clients on
the same machine. What kind of scripting capabilities they give you, if
any, varies. If they give you *any* scripting capabilities and the machine
runs apache 2.x, then cgi-bin programs can possibly: poison the logs of
other sites on the same machine, place malicious content for log analysis
programs, delete access log via ftruncate, see what pages or cgi-bins are
being accessed on neighboring sites, or read anything dumped into error
logs of neighboring websites.
This could be a real problem when you consider the weblog analizers that
read the access files. In the past, there have been vulnerable versions of
these programs. It would appear that its possible to put bad entries in
the logs that would affect the vulnerable log analizers.
I also looked at PHP, <http://bugs.php.net/bug.php?id=20302>, and found
that it also leaks an open descriptor to the script being executed. This
presents the opportunity to overwrite/modify a script being executed or
even deleting the script.
There are so many apache modules that I'm sure there are more problems
than what I listed in my report. Apache 1.3.27 is fine. The problems are
only in 2.x which is what ships on Red Hat 8.0. Red Hat 8.0 does not ship
an older version of apache. The env_audit program has been around for a
couple of years, so I assume anyone with some curiosity & motivation
already knows everything in the report or what I just mentioned.
So, are there any possibilitiies with this problem?
-Steve Grubb
[ reply ]