httpd-dev mailing list archives

From Eric Jacobs <ejac...@bluehost.com>
Subject Re: [patch] Fix cross-user symlink race condition vulnerability
Date Tue, 05 Mar 2013 23:12:42 GMT
On 03/04/2013 09:25 AM, Jason Staburn wrote:
>> If you would like more information on the exploit itself, please let me
>> know. I have a proof of concept that is able to hit the exploit with
>> 100% success.
>
> I'm trying to test this patch and would love to know how you're able to duplicate this
> on-demand.
>

My proof of concept is attached to this email, but this exploit shows up
in the wild all the time. I've seen numerous PHP- and Perl-based exploits
pop up via script kiddie injections. This PoC is just something I threw
together in a few minutes.

You'll need to update the paths to the files in main() to suit your
environment. If you're having a hard time hitting the race condition,
try tuning tim.tv_nsec in tsleep().

Finally, this exploit works two ways:
1) symlinking directly to your target file.
2) symlinking to a directory containing the target file.

The patch I published a few months ago fixes both vectors.


-- 
Eric Jacobs
Junior Systems Administrator
Bluehost.com

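The two vectors above, seen from the defender's side: an added example (not the PoC attached to this mail, and not the httpd patch it refers to) of a component-wise open that refuses symlinks with O_NOFOLLOW and checks ownership with fstat() on the descriptor it just opened, so neither a symlinked file nor a symlinked parent directory can be swapped in between check and use. The function names, the temp-dir layout and the sample files are constructed for the demo and are not from the thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open `path` under `dirfd` one component at a time. O_NOFOLLOW makes any
 * symlink (target file or intermediate directory) fail with ELOOP, and the
 * owner is read from the opened fd, so there is no lstat-then-open window. */
int open_owned_nofollow(int dirfd, const char *path, uid_t owner) {
    int cur = dup(dirfd);                       /* caller keeps dirfd */
    if (cur < 0) return -1;
    for (const char *p = path; *p; ) {
        while (*p == '/') p++;                  /* skip separators */
        if (!*p) break;
        const char *end = p;
        while (*end && *end != '/') end++;
        char comp[256]; size_t n = (size_t)(end - p);
        if (n >= sizeof comp || (n == 2 && p[0] == '.' && p[1] == '.')) {
            close(cur); errno = EACCES; return -1;  /* too long, or ".." escape */
        }
        memcpy(comp, p, n); comp[n] = '\0';
        int next = openat(cur, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        int saved = errno; close(cur);
        if (next < 0) { errno = saved; return -1; }  /* ELOOP for any symlink */
        struct stat st;
        if (fstat(next, &st) != 0) { saved = errno; close(next); errno = saved; return -1; }
        if (st.st_uid != owner) { close(next); errno = EACCES; return -1; }  /* cross-user */
        cur = next; p = end;
    }
    return cur;                                 /* fd of the final component */
}
/* Constructed scenario in a fresh temp dir: real file sub/target plus the two
 * vectors (symlink to the file, symlink to its directory). 0 = all as expected. */
int demo(void) {
    char dir[] = "/tmp/nofollow_demo_XXXXXX";
    int root = mkdtemp(dir) ? open(dir, O_RDONLY | O_DIRECTORY) : -1;
    if (root < 0 || mkdirat(root, "sub", 0700) != 0) return 1;
    int fd = openat(root, "sub/target", O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return 2; close(fd);
    if (symlinkat("sub/target", root, "link_file") || symlinkat("sub", root, "link_dir")) return 3;
    uid_t me = getuid();
    if ((fd = open_owned_nofollow(root, "sub/target", me)) < 0) return 4;  /* legitimate */
    close(fd);
    if (open_owned_nofollow(root, "link_file", me) >= 0 || errno != ELOOP) return 5;
    if (open_owned_nofollow(root, "link_dir/target", me) >= 0 || errno != ELOOP) return 6;
    if (open_owned_nofollow(root, "sub/target", me + 1) >= 0 || errno != EACCES) return 7;
    close(root); return 0;
}
```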