Apache httpd suexec Multiple Vulnerabilities

iDefense Security Advisory XX.XX.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
MMM DD, 2005

I. BACKGROUND

The suexec binary is a helper application that is part of the Apache HTTP
server package. It is designed to allow a script to run with the privileges of
the script's owner instead of the privileges of the server. More information
about the suexec utility can be found at the following link:

http://httpd.apache.org/docs/2.0/suexec.html

II. DESCRIPTION

Scripts run by an HTTP server generally run with the same permissions as the
server, so exploitation of one virtual host on a server may lead to all the
hosts being compromised. In order to reduce the likelihood that a bug or
malicious code in one virtual host will be able to affect other virtual hosts,
the suexec utility allows scripts to run as the owner of the script instead.

The suexec binary can only be executed by the same user as the httpd, typically
user 'httpd', 'apache' or 'nobody'. This means that exploitation of the
vulnerability has a prerequisite of obtaining access to the affected system as
this user. The binary also limits the users it will execute code as to those
with user and group IDs greater than or equal to the AP_UID_MIN and AP_GID_MIN
values respectively. These values are compiled into the executable.

Multiple vulnerabilities exist in this application which, when combined, can
allow execution of code as an almost arbitrary user and group.

1) Path Checking Race Condition Vulnerability

Local exploitation of a race condition in path validation in multiple versions
of The Apache Foundation's suexec utility could allow an attacker to execute
arbitrary code as another user.

Race conditions occur between the getcwd(cwd) at line #477 and the chdir(cwd)
calls at lines #485 and #494, and between a chdir(cwd) at lines #486 and #494
and the lstat(cwd) at line #508. The directory structure may change between
each of these operations, which can lead to the lstat() being performed on an
arbitrary directory chosen by an attacker. These may be exploited by renaming a
parent directory, or by using symlinks.

A third race condition occurs between the lstat(cmd) at line #524 and the
execv() at line #606. The directory structure may change between these calls,
rendering the lstat() ineffective.

2) Path Checking Design Error Vulnerability

At line #500 of the suexec utility, a strncmp() is used to check whether the
current directory is a subdirectory of the document root directory. This check
will succeed in situations where there exists a directory which begins with the
same sequence but contains extra content. For example, if the document root is
"/var/www/html", the test will also succeed for "/var/www/html_backup" and
"/var/www/htmleditor". A correct test would also check that the next character
is a trailing null-terminator or a directory separator.

The check performed at line #524 does not verify whether the path to the CGI
script (cmd) is a regular file. If the path points at a subdirectory, owned by
the appropriate user and group, of a directory owned by the appropriate user
and group, it will be accepted as a valid path to be executed (provided all
other checks succeed).

3) Arbitrary GID Input Validation Vulnerability

Due to a design error, the suexec binary permits any combination of user/group
values taken from command line parameters, even if the user is not a member of
the specified group. This may be exploited in combination with other
vulnerabilities if the /proc filesystem is mounted. Each time suexec drops its
privileges and changes its UID and GID, all files and directories under
/proc/{PID} change their owner to the corresponding values. As the suexec
process changes its UID and GID unconditionally, creating files owned by an
arbitrary UID and GID is trivial (the only limitation is that these values must
be greater than or equal to AP_UID_MIN and AP_GID_MIN).

III. ANALYSIS

Successful exploitation of these vulnerabilities would allow a local attacker
to execute arbitrary code as another user. In order to exploit this
vulnerability and execute code, the attacker must already have access to the
suexec binary, which is restricted to the user the httpd runs as. It may be
possible to gain access to this user by exploiting a CGI program, PHP script or
other program on the server. These factors, in combination with the restricted
range of UIDs and GIDs that can be requested, mitigate to some degree the
severity of the vulnerability.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the suexec binary
distributed with version 2.0.54 of the Apache httpd in Red Hat Inc.'s Fedora
Core 4. This distribution is not vulnerable in the default configuration, as
exploitation requires additional, but common, configuration changes to be made
to the system. It is suspected that all previous versions of suexec are
vulnerable, including the 1.3.x versions.

V. WORKAROUND

If the suexec binary is not required for normal operation, remove the setuid
bit from the file. Execute the following command as root:

# chmod -s /path/to/suexec

Replace '/path/to/suexec' with the actual path to the suexec binary.

VI. VENDOR RESPONSE

[Quoted vendor response if available. Otherwise include vendor fix details.]

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2005-XXXX to this issue. This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

[OR]

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been
assigned yet.

VIII. DISCLOSURE TIMELINE

XX/XX/2006  Initial vendor notification
XX/XX/2006  Initial vendor response
XX/XX/2006  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It
may not be edited in any way without the express written consent of iDefense.
If you wish to reprint the whole or any part of this alert in any medium other
than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential loss
or damage arising from use of, or reliance on, this information.