Apache does not honor -FollowSymlinks due to TOCTOU, which allows access to /proc/<pid>/ files

Bug #811428 reported by halfdog on 2011-07-16
Affects: apache2 (Ubuntu)
Importance: High
Assigned to: Unassigned

Bug Description

Apache 2.2.19 worker contains a TOCTOU problem when -FollowSymlinks is configured, causing it to follow the link to any location. This only occurs when a user other than www-data is allowed to modify parts of the filesystem data currently served by apache, e.g. the user's personal web-space. Use POC from http://www.halfdog.net/Security/2011/ApacheNoFollowSymlinkTimerace/ to dump /proc/<pid>/maps. Direct read from /proc/<pid>/mem using range headers did not succeed on a Linux 3.0 kernel due to permission settings in proc, but might be useful to get apache memory, e.g. SSL-keys, on other architectures.

Ubuntu security was informed 20110625, reply:

========

httpd has never claimed (or attempted) to implement any security
restriction on following symlinks. This is mentioned in the current docs
for Options:

  http://httpd.apache.org/docs/2.2/mod/core.html#options

"symlink testing is subject to race conditions that make it circumventable"

You have some discussion in your document of the perspective. httpd's
support for running children as a less-privileged non-root user allows
admins to restrict the capabilities of those children. It is a
misconfiguration if the less-privileged user is allowed access to
privileged files; there is little httpd itself can do to prevent (or
detect) that situation.

Similarly, it is the admin's responsibility to consider what escalation
of privileges is possible by allowing less-trusted users to author
content.

=========

Still, it can be used to read the /proc/<pid>/maps memory layout remotely, which might be handy, e.g. when exploiting the apache buffer overflow from https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811422

Not flagged as a security issue, due to the response from apache.org.
Public disclosure: http://seclists.org/fulldisclosure/2011/Jun/488
Discussion of whether this is a vulnerability on open-source-security: http://seclists.org/oss-sec/2011/q3/68

# lsb_release -rd
Description: Ubuntu oneiric (development branch)
Release: 11.10

# apt-cache policy apache2-mpm-worker
apache2-mpm-worker:
  Installed: 2.2.19-1ubuntu1
  Candidate: 2.2.19-1ubuntu1
  Version table:
 *** 2.2.19-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
        100 /var/lib/dpkg/status
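The race the Apache docs refer to is the classic check-then-use gap between inspecting a path and opening it by name. The following is an added illustration written for this page, not code from httpd or from the reporter's POC: it places the racy lstat-then-open pattern beside the race-free form (open with O_NOFOLLOW, then fstat the descriptor that was actually obtained) and includes a self-check that builds a scratch directory under /tmp with a regular file and a symlink to it (constructed test data, not anything from the report). Function names and the scratch paths are this example's own choices.

```c
/* Added example (not from the bug report or from Apache httpd): a racy
 * symlink check versus a race-free one. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy variant, the pattern the httpd docs warn about: the path is
 * inspected with lstat() first and opened by name a moment later. A
 * local user who controls the directory can replace the regular file
 * with a symlink between the two calls, and open() then follows it. */
int open_checked_racy(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (S_ISLNK(st.st_mode)) { errno = ELOOP; return -1; }
    /* the swap window is here */
    return open(path, O_RDONLY);
}

/* Race-free variant: the kernel refuses a symlink as the final path
 * component at open time (ELOOP), and the type check is made on the
 * descriptor we actually hold rather than on the name. */
int open_checked_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check on constructed data: create a scratch directory holding a
 * regular file and a symlink to it, then confirm that the nofollow
 * variant opens the file and rejects the link with ELOOP. In a quiet
 * single-threaded run the racy variant also rejects the link, which is
 * exactly why a unit test cannot demonstrate the race itself.
 * Returns 1 when every check passes, 0 otherwise. */
int demo_nofollow(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char file[256], link[256];
    snprintf(file, sizeof file, "%s/plain.txt", dir);
    snprintf(link, sizeof link, "%s/link.txt", dir);

    int ok = 0;
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        if (symlink(file, link) == 0) {
            int a = open_checked_nofollow(file);   /* expected: a descriptor */
            int b = open_checked_nofollow(link);   /* expected: -1, errno ELOOP */
            int b_errno = errno;
            int c = open_checked_racy(link);       /* expected: -1 when unraced */
            ok = (a >= 0) && (b < 0 && b_errno == ELOOP) && (c < 0);
            if (a >= 0) close(a);
            if (c >= 0) close(c);
        }
        unlink(link);
        unlink(file);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("O_NOFOLLOW check %s\n",
           demo_nofollow() ? "behaves as expected" : "FAILED");
    return 0;
}
```

O_NOFOLLOW only covers the final component; directories earlier in the path can still be symlinks, which is why a server that wants to confine content to a tree also has to resolve and verify each intermediate directory (or use openat with per-component O_NOFOLLOW) instead of trusting a name-based check.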

Dave Walker (davewalker) on 2011-07-16
security vulnerability: no → yes
Changed in apache2 (Ubuntu):
importance: Undecided → High
Ursula Junque (ursinha) on 2011-07-18
tags: added: server
Stefan Fritsch (sf-sfritsch) wrote:

This is an unsupported use-case of Apache httpd and I am pretty sure it won't be changed upstream. And I don't think Ubuntu or Debian should deviate from that, see http://seclists.org/oss-sec/2011/q3/111

Changed in apache2 (Ubuntu):
status: New → Invalid