Apache httpd local DOS when serving pipes due to TOCTOU
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apache2 (Ubuntu) | Expired | Low | Unassigned |
Bug Description
There seems to be a low-priority local denial of service when apache is serving files from a user-modifiable location. When the user quickly replaces a file with a pipe of the same name, httpd will open the pipe, causing the process to block.
Basically, the problem is the same as in http://
cd /var/www
dd if=/dev/zero bs=4k count=1 of=file
mknod pipe p
./RenameLoop file empty pipe
Retrieve /file from remote until apache gets stuck.
Ubuntu security was informed 20110715, no reply so far. Issue could be combined with other buffer-
# lsb_release -rd
Description: Ubuntu oneiric (development branch)
Release: 11.10
# apt-cache policy apache2-mpm-worker
apache2-mpm-worker:
Installed: 2.2.19-1ubuntu1
Candidate: 2.2.19-1ubuntu1
Version table:
*** 2.2.19-1ubuntu1 0
500 http://
100 /var/lib/
information type: | Private Security → Public Security |
Changed in apache2 (Ubuntu): | |
assignee: | Jamie Strandboge (jdstrand) → nobody |
Refs: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811422 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811428
* Buffer overflow + timerace, hard to exploit without timing control: https:/
* Symlink issue to get memory maps: https:/