httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [Fwd: iDefense Final Notice [IDEF1445]]
Date Wed, 28 Mar 2007 21:46:49 GMT
William A. Rowe, Jr. wrote:
> dev@ feedback and analysis of the specifics in the report (w.r.t. 1.3,
> 2.0, and/or 2.2).

<quote>
At line #500 of the suexec utility, a strncmp() is used to check whether
the current directory is a subdirectory of the document root directory.
This check will succeed in situations where there exists a directory
which begins with the same sequence, but contains extra content. For
example, if the document root is "/var/www/html", the test will also
succeed for "/var/www/html_backup" and "/var/www/htmleditor". A correct
test would also perform a check that the next character is a trailing
null-terminator or directory separator.
 </quote>

FWIW, it's manditory in any mass vhost scenario that the directories above
the varying userspaces would be owned by root (or privilaged role user).
Similar to the ownership of / and /home.  It would be best-practice not
to suexec-enable the entire web space but a specific cgi directory within
the userspace.  Ergo...

1. root assigns the 'similar names' cited above moving from host-to-host.
   Ergo the possibility of /webs/joe being able to exploit this against
   /webs/joe2 are relatively remote.

2. given that ownership is conveyed to /webs/joe/cgi-bin/ distinct from
   /webs/joe2/cgi-bin - the path length escape is relatively difficult
   in a sane layout to exploit.

All of this relates to the issue 1. in the report, of course, in that
the ownership of those parent directories is incredibly important to
prevent such exploits, and this is universally accepted as a best
practice to create less-restrictive directories down the directory
tree, and never leave a higher level parent directory with more open
permissions.

That said, this issue deserves attention.

<quote>
The check performed at line #524 does not verify whether a path to the
CGI script (cmd) is a regular file or not. If the path is pointing at a
subdirectory owned by the appropriate user and group of a directory
owned by the appropriate user and group, it will be accepted as a valid
path to be executed (provided all other checks succeed).
</quote>

If a directory, it's not executable.  Difficult to see an exploit here.

But another edge case to address.

Mime
View raw message