Apache 2.x leaked descriptors

Hello,

I noticed a problem with apache 2.x back in October and contacted the apache security team with the problem. They've had about 4 months to do something with the problem but haven't seen fit to fix it yet. The last time I tried to status their progress no one replied to my query.

I was playing around with env_audit studying various properties of environments created for child processes. (Study is here - http://www.web-insights.net/env_audit/environments.pdf ) Out of this, I noticed that apache 2.x leaks 2 open descriptors for each website on a machine and the main access & error log for the daemon. These open descriptors go to the access and error log of each website.

It appears that every cgi environment has this problem. For example put this in a .shtml file:

<!--#exec cmd="ls -l /proc/$$/fd" -->

and open the page with your browser. (I know you can do much worse with #exec commands, but this illustrates these descriptors are *open* for business in a very common module.) If anyone has the ability to use a language on the server that can issues commands to an open descriptor, there are many things that could happen.

Sandboxes & Jails might not help unless they stat every descriptor between 3 & OPENMAX-1 and close it. These descriptors are inherited open.

It is normal practice for webhosting companies to put multiple clients on the same machine. What kind of scripting capabilities they give you, if any, varies. If they give you *any* scripting capabilities and the machine runs apache 2.x, then cgi-bin programs can possibly: poison the logs of other sites on the same machine, place malicious content for log analysis programs, delete access log via ftruncate, see what pages or cgi-bins are being accessed on neighboring sites, or read anything dumped into error logs of neighboring websites.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This could be a real problem when you consider the weblog analizers that read the access files. In the past, there have been vulnerable versions of these programs. It would appear that its possible to put bad entries in the logs that would affect the vulnerable log analizers.

I also looked at PHP, <http://bugs.php.net/bug.php?id=20302>, and found that it also leaks an open descriptor to the script being executed. This presents the opportunity to overwrite/modify a script being executed or even deleting the script.

There are so many apache modules that I'm sure there are more problems than what I listed in my report. Apache 1.3.27 is fine. The problems are only in 2.x which is what ships on Red Hat 8.0. Red Hat 8.0 does not ship an older version of apache. The env_audit program has been around for a couple of years, so I assume anyone with some curiosity & motivation already knows everything in the report or what I just mentioned.

So, are there any possibilitiies with this problem?

-Steve Grubb Received on Fri Feb 21 15:17:22 2003