/usr/sbin/apachectl privilege escalation
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apache2 (Ubuntu) | Opinion | Low | Slavik Anikeyev | |
Bug Description
Dear all,
The /usr/sbin/apachectl script allows unprivileged local users to change the permissions of any directory to 0755 and in addition make the user www-data its owner.
The script has a line:
start)
...
install -d -o ${APACHE_
Since in Ubuntu the /var/lock directory has world-writable permissions, a user can create a symbolic link to any directory. An administrator then starts Apache through /etc/init.
Details:
=====
root@u32d:~# apt-cache policy apache2.2-common
apache2.2-common:
Installed: 2.2.22-1ubuntu1
Candidate: 2.2.22-1ubuntu1.2
Version table:
2.
500 http://
500 http://
*** 2.2.22-1ubuntu1 0
500 http://
100 /var/lib/
root@u32d:~# lsb_release -rd
Description: Ubuntu 12.04 LTS
Release: 12.04
Steps to reproduce vulnerability on Ubuntu 12.04 LTS (also applicable to Quantal 12.10):
As an untrusted user, create a symbolic link in /var/lock to a directory the user does not have read/search permission (e.g., /root):
hayawardh@u32d:~$ ls -ld /root
drwx------. 14 root root 4096 Jan 24 08:23 /root
hayawardh@u32d:~$ cd /var/lock
hayawardh@
Wait for the administrator to start Apache
root@u32d:~# /etc/init.d/apache2 start
* Starting web server apache2
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
...done.
Now check permissions of /root:
root@u32d:~# ls -ld /root
drwxr-xr-x. 14 www-data root 4096 Jan 24 08:23 /root
Fixing this does not seem straightforward because install opens the file to change permissions (in this case, /var/lock/apache2) without O_NOFOLLOW, and there does not seem to be a command line switch for the same.
Portion of strace output for install -d -o ${APACHE_
mkdir("/var", 0755) = -1 EEXIST (File exists)
chdir("/var") = 0
mkdir("lock", 0755) = -1 EEXIST (File exists)
chdir("lock") = 0
mkdir("apache2", 0700) = -1 EEXIST (File exists)
open("apache2", O_RDONLY|
fstat64(3, {st_mode=
fchown32(3, 33, -1) = 0
fchmod(3, 0755) = 0
close(3) = 0
Thanks,
Hayawardh
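Added here as an example, not code from the bug report or from apachectl: a C stand-in for the `install -d -o ... -m 755` step that performs the same mkdir/open/fstat/fchown/fchmod sequence shown in the strace above, but opens the directory with O_NOFOLLOW|O_DIRECTORY so the ownership and mode changes can never land on a symlink target. The function name `safe_install_dir` and the extra third-party ownership check are my assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for "install -d -o OWNER -m MODE PATH" (example code,
 * not apachectl's). install opens the directory without O_NOFOLLOW, so a
 * symlink planted at PATH in a sticky, world-writable parent like /var/lock
 * redirects the fchown/fchmod to the link target. With O_NOFOLLOW|O_DIRECTORY
 * the kernel refuses a symlink (ELOOP or ENOTDIR, depending on kernel version)
 * and a planted regular file (ENOTDIR); everything after that uses the fd,
 * so there is no path left to race. Returns 0 on success, -1 with errno set.
 * owner == (uid_t)-1 leaves ownership unchanged, as with fchown(2). */
int safe_install_dir(const char *path, uid_t owner, mode_t mode)
{
    /* Create the directory if missing; EEXIST is fine, anything else is not. */
    if (mkdir(path, 0700) == -1 && errno != EEXIST)
        return -1;

    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC);
    if (fd == -1)
        return -1;

    /* Refuse to adopt a pre-existing directory that belongs to a third party:
     * in a sticky world-writable parent any local user could have created it. */
    struct stat st;
    if (fstat(fd, &st) == -1) {
        close(fd);
        return -1;
    }
    if (st.st_uid != 0 && st.st_uid != geteuid() && st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }

    /* Both changes are applied to the opened inode, never to a path name. */
    int rc = 0;
    if (fchown(fd, owner, (gid_t)-1) == -1 || fchmod(fd, mode) == -1)
        rc = -1;
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}
```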
information type: Private Security → Public Security
Changed in apache2 (Ubuntu):
importance: Undecided → Low
Changed in apache2 (Ubuntu):
assignee: nobody → Vyacheslav Anikeyev (slavik1991)
status: Confirmed → Opinion
Confirmed, 12.10 dmesg reports:
[ 1602.905898] non-matching-uid symlink following attempted in sticky world-writable directory by rm (fsuid 0 != 1000)
[ 1602.905907] non-matching-uid symlink following attempted in sticky world-writable directory by rm (fsuid 0 != 1000)
[ 1602.906352] non-matching-uid symlink following attempted in sticky world-writable directory by rm (fsuid 0 != 1000)
[ 1602.906355] non-matching-uid symlink following attempted in sticky world-writable directory by rm (fsuid 0 != 1000)
Thanks, Hayawardh