[Full-disclosure] Local user to root escalation in apache 1.3.34 (Debian only)
- From: hijacker at oldum.net (Nikolay Kichukov)
- Subject: [Full-disclosure] Local user to root escalation in apache 1.3.34 (Debian only)
- Date: Mon, 26 Feb 2007 21:15:48 +0200 (EET)
Lool, how long has this bug been around? Sounds scary.

-nik

On Mon, February 26, 2007 8:11 pm, Richard Thrippleton wrote:
> Version 1.3.34-4 of Apache in the Debian Linux distribution contains a
> hole that allows a local user to access a root shell if the webserver has
> been restarted manually. This bug does not exist in the upstream apache
> distribution, and was patched in specifically by the Debian distribution.
> The bug report is located at
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357561 . At the time of
> writing (over a month since the root hole was clarified), there has been
> no official acknowledgement. It is believed that most of the developers
> are tied up in more urgent work, getting the TI-86 distribution of Debian
> building in time for release.
>
> Unlike every other daemon, apache does not abdicate its controlling tty
> on startup, and allows it to be inherited by a cgi script (for example, a
> local user's CGI executed using suexec). When apache is manually
> restarted, the inherited ctty is the stdin of the (presumably root) shell
> that invoked the new instance of apache. Any process is permitted to
> invoke the TIOCSTI ioctl on the fd corresponding to its ctty, which allows
> it to inject characters that appear to come from the terminal master.
> Thus, a user created CGI script can inject and have executed any input
> into the shell that spawned apache.
>
> As a Debian user, this concerns me greatly, as any non-privileged user
> would be able to install non-free documentation (GFDL) on any system I
> run.
>
> Richard
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
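The quoted report traces the hole to a daemon that keeps its controlling tty and lets child processes inherit it. As an added example (not part of this thread, and not Apache or Debian code), the following C program shows the daemon-side mitigation: the worker starts a new session with `setsid()`, points stdio at `/dev/null`, and then verifies that no controlling terminal remains before anything untrusted would run. The function names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the calling process has a controlling terminal, else 0.
 * /dev/tty resolves to the ctty; open() fails when there is none. */
int has_controlling_tty(void) {
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Detach from the invoking shell's terminal: new session, stdio to /dev/null.
 * Must run in a forked child, because setsid() fails for a group leader. */
int detach_from_terminal(void) {
    if (setsid() < 0) return -1;
    int nullfd = open("/dev/null", O_RDWR | O_NOCTTY);
    if (nullfd < 0) return -1;
    for (int fd = 0; fd <= 2; fd++)
        if (dup2(nullfd, fd) < 0) return -1;
    if (nullfd > 2) close(nullfd);
    return 0;
}

/* Fork a worker, detach it, and report whether it still has a ctty.
 * Returns 0 (no ctty), 1 (ctty still inherited), or -1 on failure. */
int detached_child_has_ctty(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (detach_from_terminal() < 0) _exit(2);
        _exit(has_controlling_tty());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    printf("parent has ctty: %d\n", has_controlling_tty());
    printf("detached child has ctty: %d\n", detached_child_has_ctty());
    return 0;
}
```

Any later `open()` of a terminal device by the detached session leader should also pass `O_NOCTTY`, otherwise the process can acquire a new controlling tty.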