вторник, 5 марта 2013 г.

Analysis of CVE-2013-1048

Today we were very surprised by vulnerability CVE-2013-1048 in Apache web-server. This issue was described in Debian Security Advisory DSA-2637-1 by following notes:

Hayawardh Vijayakumar noticed that the apache2ctl script created the lock directory in an unsafe manner, allowing a local attacker to gain elevated privileges via a symlink attack. This is a Debian specific issue.
First looks at last line of quote - only Debian systems were affected.

Lets try to analyse patch for this bug:


As you can see, install command was replaced to mkdir_chown function which contains many security checks.

Lets try to understand what happens where "install -d -o www-data /var/lock/apache" called.

This command creates directory /var/lock/apache and that set chown www-data to this directory.

But if this directory was already created as a symlink to another directory (/var/lock have a+w privileges), install command change privileges to this directory. Simplest exploitation way is create directory /var/lock/apache as a symlink to /etc/ directory and than delete /etc/shadow file and recreate it with yourself content under www-data user privileges.

5 комментариев:

  1. The standard span of these credits is only fourteen days and such advances are taken to meet costs till the following payday.
    Check Cashing San-diego

    ОтветитьУдалить
  2. In the greater part of the cases, the payback plan is settled by the following due payday of the candidate.Cash Advance Chicago

    ОтветитьУдалить
  3. To the extent the reimbursement is concerned, the borrower require just present a post dated check to the moneylender at the season of credit endorsement.
    Check Cashing

    ОтветитьУдалить
  4. When it comes time to pay your duties, you require that cash now, since Uncle Sam isn't the sort to take pardons.
    Auto Title Loans Chicago

    ОтветитьУдалить
  5. Ensure that you settle your advance manage a dependable loan specialist.
    Check Cashing

    ОтветитьУдалить