Apache does not honor -FollowSymlinks due to TOCTOU, which allows access to /proc/<pid>/ files

Bug #811428 reported by halfdog
Affects           Status   Importance  Assigned to  Milestone
apache2 (Ubuntu)  Invalid  High        Unassigned

Bug Description

Apache 2.2.19 worker contains a TOCTOU problem when -FollowSymlinks is configured, causing it to follow the link to any location. This only occurs when a user other than www-data is allowed to modify parts of the filesystem data currently served by apache, e.g. the user's personal web-space. Use POC from http://www.halfdog.net/Security/2011/ApacheNoFollowSymlinkTimerace/ to dump /proc/<pid>/maps. Direct read from /proc/<pid>/mem using range headers did not succeed on a Linux 3.0 kernel due to permission settings in proc, but might be useful to get apache memory, e.g. SSL keys, on other architectures.

Ubuntu security was informed 20110625, reply:

========

httpd has never claimed (or attempted) to implement any security
restriction on following symlinks. This is mentioned in the current docs
for Options:

  http://httpd.apache.org/docs/2.2/mod/core.html#options

"symlink testing is subject to race conditions that make it circumventable"

You have some discussion in your document of the perspective. httpd's
support for running children as a less-privileged non-root user allows
admins to restrict the capabilities of those children. It is a
misconfiguration if the less-privileged user is allowed access to
privileged files; there is little httpd itself can do to prevent (or
detect) that situation.

Similarly, it is the admin's responsibility to consider what escalation
of privileges is possible by allowing less-trusted users to author
content.

=========

Still, it can be used to read the /proc/<pid>/maps memory layout remotely, which might be handy, e.g. when exploiting the apache buffer overflow from https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811422

Not flagged as a security issue, due to the response from apache.org.
Public disclosure: http://seclists.org/fulldisclosure/2011/Jun/488
Discussion of whether this is a vulnerability, on open-source-security: http://seclists.org/oss-sec/2011/q3/68

# lsb_release -rd
Description: Ubuntu oneiric (development branch)
Release: 11.10

# apt-cache policy apache2-mpm-worker
apache2-mpm-worker:
  Installed: 2.2.19-1ubuntu1
  Candidate: 2.2.19-1ubuntu1
  Version table:
 *** 2.2.19-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
        100 /var/lib/dpkg/status
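A local model of the race described in the report, added here as an example; it is neither halfdog's PoC nor Apache code. It reproduces only the check-then-open pattern: lstat() rejects a symlink, a hook standing in for the attacker then renames a symlink into place inside the window, and open() follows it. The same scenario run through open(O_NOFOLLOW) is refused with ELOOP, which is the atomic check the racy pattern lacks. The scratch directory, the file names and the "secret" file standing in for /proc/<pid>/maps are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed scratch layout: g_public is the user-writable "web content"
 * path, g_secret stands in for /proc/<pid>/maps. */
static char g_dir[64];
static char g_public[128];
static char g_secret[128];

/* Racy pattern: reject symlinks with lstat(), then open the path by name.
 * 'between' runs after the check and before the open; in the real attack
 * that window is filled by another process racing the server. */
static int racy_open(const char *path, void (*between)(const char *))
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (S_ISLNK(st.st_mode)) { errno = ELOOP; return -1; } /* the -FollowSymlinks check */
    if (between) between(path);                              /* race window */
    return open(path, O_RDONLY);                             /* follows whatever is there now */
}

/* Atomic alternative: the kernel refuses a symlink at open() time. */
static int nofollow_open(const char *path, void (*between)(const char *))
{
    if (between) between(path);                 /* attacker may swap first; it does not matter */
    return open(path, O_RDONLY | O_NOFOLLOW);   /* ELOOP if the final component is a symlink */
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Attacker step: atomically replace the regular file with a symlink to the
 * secret. rename() never leaves a moment where 'path' is absent. */
static void swap_in_symlink(const char *path)
{
    char tmp[160];
    snprintf(tmp, sizeof tmp, "%s.lnk", path);
    unlink(tmp);
    if (symlink(g_secret, tmp) == 0) rename(tmp, path);
}

static int setup_scratch(void)
{
    strcpy(g_dir, "/tmp/symrace.XXXXXX");
    if (!mkdtemp(g_dir)) return -1;
    snprintf(g_public, sizeof g_public, "%s/index.html", g_dir);
    snprintf(g_secret, sizeof g_secret, "%s/secret", g_dir);
    if (write_file(g_public, "public\n") != 0) return -1;
    return write_file(g_secret, "secret\n");
}

static void teardown_scratch(void)
{
    unlink(g_public);
    unlink(g_secret);
    rmdir(g_dir);
}

/* Describe an open attempt: the first line read, or "refused:<errno>". */
static void describe(int fd, char *out, size_t n)
{
    int e = errno;
    if (fd < 0) { snprintf(out, n, "refused:%s", e == ELOOP ? "ELOOP" : strerror(e)); return; }
    ssize_t len = read(fd, out, n - 1);
    close(fd);
    if (len < 0) len = 0;
    out[len] = '\0';
    out[strcspn(out, "\n")] = '\0';
}

/* Run both openers against a file that is swapped for a symlink inside the
 * window. Returns 0 when the scratch setup succeeded. */
int run_race_demo(char *racy_result, size_t rn, char *safe_result, size_t sn)
{
    if (setup_scratch() != 0) return -1;
    describe(racy_open(g_public, swap_in_symlink), racy_result, rn);
    unlink(g_public);                       /* restore a regular file for round two */
    write_file(g_public, "public\n");
    describe(nofollow_open(g_public, swap_in_symlink), safe_result, sn);
    teardown_scratch();
    return 0;
}

/* 1 when the racy open leaked the secret and O_NOFOLLOW refused with ELOOP. */
int race_demo_ok(void)
{
    char racy[64], safe[64];
    if (run_race_demo(racy, sizeof racy, safe, sizeof safe) != 0) return 0;
    return strcmp(racy, "secret") == 0 && strcmp(safe, "refused:ELOOP") == 0;
}

int main(void)
{
    char racy[64], safe[64];
    if (run_race_demo(racy, sizeof racy, safe, sizeof safe) != 0) { perror("setup"); return 1; }
    printf("lstat()+open():   %s\n", racy);
    printf("open(O_NOFOLLOW): %s\n", safe);
    return 0;
}
```

Compile with cc -o symrace symrace.c and run it on a box with a writable /tmp. One caveat on the hardened variant: O_NOFOLLOW refuses a symlink only as the last path component, a symlinked directory earlier in the path is still followed, so it removes the lstat() race but not the need to control who may write into the served tree, which is the point the apache.org reply makes.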

Tags: server
Dave Walker (davewalker)
security vulnerability: no → yes
Changed in apache2 (Ubuntu):
importance: Undecided → High
Ursula Junque (ursinha)
tags: added: server
Stefan Fritsch (sf-sfritsch) wrote :

This is an unsupported use-case of Apache httpd and I am pretty sure it won't be changed upstream. And I don't think Ubuntu or Debian should deviate from that, see http://seclists.org/oss-sec/2011/q3/111

Changed in apache2 (Ubuntu):
status: New → Invalid
