suexec mod_ruid2 before 0.9.8 privilege escalation

2013-03-22 / 2013-03-23
Credit: John Lightsey
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-20


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

mod_ruid2 is a suexec-style module for Apache 2.0, 2.2 and 2.4, based on mod_ruid and mod_suid2, that allows the Apache web server to run under the UID and GID of the user account that controls a virtual host. It also includes functionality to chroot Apache into the virtual host document root prior to processing HTTP requests.

After processing each request, mod_ruid2 returns to its initial starting state. For UID/GID changes this is done using Linux capabilities. For chroot, this is done by following a file descriptor that leads outside of the chroot.

In versions of mod_ruid2 before 0.9.8, the file descriptor used to break out of the chroot is inherited by all Apache subprocesses. This allows CGI scripts to break out of the chroot as well, by performing an fchdir() across the inherited file descriptor.
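The root cause described above is a directory descriptor that stays open across exec. The following C audit is an added example, not code from mod_ruid2 or its fix commit: it counts open directory descriptors that lack close-on-exec and shows two ways to mark one. The function names `open_dir_handle`, `set_cloexec` and `count_inheritable_dir_fds` are hypothetical.

```c
/* Added example (not mod_ruid2 code): find directory fds a child would inherit. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a directory handle. With cloexec == 0 the descriptor survives
 * execve() and is visible to every child process, e.g. a CGI script. */
int open_dir_handle(const char *path, int cloexec)
{
    return open(path, O_RDONLY | (cloexec ? O_CLOEXEC : 0));
}

/* Retrofit close-on-exec onto an already-open descriptor; 0 on success. */
int set_cloexec(int fd)
{
    int fl = fcntl(fd, F_GETFD);
    if (fl < 0)
        return -1;
    return fcntl(fd, F_SETFD, fl | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Count open directory descriptors without FD_CLOEXEC: these are the
 * handles an exec'd child could hand to fchdir(). */
int count_inheritable_dir_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    int n = 0;
    if (max < 0 || max > 65536)
        max = 65536;                    /* bound the scan */
    for (int fd = 0; fd < max; fd++) {
        struct stat st;
        int fl = fcntl(fd, F_GETFD);
        if (fl < 0 || (fl & FD_CLOEXEC))
            continue;                   /* closed, or already close-on-exec */
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
            n++;
    }
    return n;
}

int main(void)
{
    int fd = open_dir_handle("/", 0);   /* constructed leaky handle */
    printf("inheritable directory fds: %d\n", count_inheritable_dir_fds());
    set_cloexec(fd);
    printf("after set_cloexec:         %d\n", count_inheritable_dir_fds());
    return 0;
}
```

Running the same scan from inside a process just before it spawns children gives a quick regression check that no directory handle outside a chroot is passed on.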

References:

http://sourceforge.net/mailarchive/forum.php?thread_name=514C503E.4020109%40users.sourceforge.net&forum_name=mod-ruid-announce
http://seclists.org/oss-sec/2013/q1/718
https://github.com/mind04/mod-ruid2/commit/1fed9dda70cd44d54301df19730a29ae0989e0a2


Copyright 2024, cxsecurity.com

 
