Public bug reported:

Apache 2.2.19 worker contains a TOCTOU problem when -FollowSymlinks is configured, causing it to follow the link to any location. This only occurs when a user other than www-data is allowed to modify parts of the filesystem data currently served by Apache, e.g. the user's personal web space. Use the POC from http://www.halfdog.net/Security/2011/ApacheNoFollowSymlinkTimerace/ to dump /proc/<pid>/maps. A direct read from /proc/<pid>/mem using Range headers did not succeed on a Linux 3.0 kernel due to permission settings in proc, but might be useful to get Apache memory, e.g. SSL keys, on other architectures.
Ubuntu security was informed 20110625, reply:

========
httpd has never claimed (or attempted) to implement any security restriction on following symlinks. This is mentioned in the current docs for Options: http://httpd.apache.org/docs/2.2/mod/core.html#options "symlink testing is subject to race conditions that make it circumventable"

You have some discussion in your document of the perspective. httpd's support for running children as a less-privileged non-root user allows admins to restrict the capabilities of those children. It is a misconfiguration if the less-privileged user is allowed access to privileged files; there is little httpd itself can do to prevent (or detect) that situation. Similarly, it is the admin's responsibility to consider what escalation of privileges is possible by allowing less-trusted users to author content.
=========

Still, it can be used to read the /proc/<pid>/maps memory layout remotely, which might be handy, e.g. when exploiting the Apache buffer overflow from https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811422

Not flagged as a security issue, due to the response from apache.org.

Public disclosure: http://seclists.org/fulldisclosure/2011/Jun/488
Discussion of whether this is a vulnerability, on open-source-security: http://seclists.org/oss-sec/2011/q3/68

# lsb_release -rd
Description:    Ubuntu oneiric (development branch)
Release:        11.10

# apt-cache policy apache2-mpm-worker
apache2-mpm-worker:
  Installed: 2.2.19-1ubuntu1
  Candidate: 2.2.19-1ubuntu1
  Version table:
 *** 2.2.19-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
        100 /var/lib/dpkg/status

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/811428

Title:
  Apache does not honor -FollowSymlinks due to TOCTOU, which allows access to /proc/<pid>/ files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811428/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
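Added example, not taken from the bug report, the halfdog PoC or httpd's own code: a small C program that reproduces the check-then-open pattern the report describes and shows why the lstat()-based -FollowSymLinks test is circumventable. Instead of winning a real timing race it runs the attacker's move deliberately inside the window between the lstat() and the open(), which is enough to show the stale check. It assumes Linux (open() with O_NOFOLLOW fails with ELOOP on a symlink), a writable /tmp, and uses a constructed "secret" file in the temp directory in place of /proc/<pid>/maps; the file names and the race_demo() function are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed fixtures: a legitimate page in the user's web space and a file
 * the user must not be able to read through the web server. In the original
 * report the target was /proc/<pid>/maps of the httpd worker. */
static const char *PAGE_BODY   = "<html>hello</html>\n";
static const char *SECRET_BODY = "TOP SECRET: not for the web\n";

/* Vulnerable pattern, equivalent to what -FollowSymLinks gives you: lstat()
 * the path, refuse it if it is a symlink, then open() the same *name*. The two
 * calls are not atomic; in_window() stands for whatever the attacker manages
 * to do between them. Returns an fd, or -1 with errno set (EACCES = refused). */
static int open_check_then_open(const char *path,
                                void (*in_window)(void *), void *arg)
{
    struct stat st;
    if (lstat(path, &st) == -1)
        return -1;
    if (S_ISLNK(st.st_mode)) {
        errno = EACCES;
        return -1;
    }
    if (in_window)
        in_window(arg);            /* <-- the TOCTOU race window */
    return open(path, O_RDONLY);   /* follows whatever is there *now* */
}

/* Hardened pattern: the kernel refuses a symlink in the final path component
 * atomically with the open, so there is no window. Fails with ELOOP. */
static int open_nofollow(const char *path)
{
    return open(path, O_RDONLY | O_NOFOLLOW);
}

struct swap { const char *page; const char *tmp; const char *target; };

/* The attacker's move: create a symlink beside the page, then rename() it over
 * the page. rename() is atomic, so the server never sees a missing file. */
static void attacker_swap(void *arg)
{
    struct swap *s = arg;
    symlink(s->target, s->tmp);
    rename(s->tmp, s->page);
}

static int write_file(const char *path, const char *body)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd == -1)
        return -1;
    ssize_t n = write(fd, body, strlen(body));
    close(fd);
    return n == (ssize_t)strlen(body) ? 0 : -1;
}

/* Runs the scenario in a fresh temp directory. Sets *naive_leaked to 1 if the
 * check-then-open server handed back the secret, and *nofollow_refused to 1 if
 * O_NOFOLLOW rejected the swapped-in symlink. Returns 0 on success. */
int race_demo(int *naive_leaked, int *nofollow_refused)
{
    char dir[] = "/tmp/symrace.XXXXXX";
    char page[256], tmp[256], secret[256], buf[128];
    *naive_leaked = *nofollow_refused = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(page, sizeof page, "%s/page.html", dir);
    snprintf(tmp, sizeof tmp, "%s/.page.html.swp", dir);
    snprintf(secret, sizeof secret, "%s/secret", dir);
    if (write_file(page, PAGE_BODY) != 0 || write_file(secret, SECRET_BODY) != 0)
        return -1;

    /* The check passes on the regular file, the swap happens, the open follows the link. */
    struct swap s = { page, tmp, secret };
    int fd = open_check_then_open(page, attacker_swap, &s);
    if (fd != -1) {
        ssize_t n = read(fd, buf, sizeof buf - 1);
        close(fd);
        if (n > 0) {
            buf[n] = '\0';
            *naive_leaked = strcmp(buf, SECRET_BODY) == 0;
        }
    }

    /* page.html is now a symlink; the hardened open must refuse it. */
    int fd2 = open_nofollow(page);
    *nofollow_refused = (fd2 == -1 && errno == ELOOP);
    if (fd2 != -1)
        close(fd2);

    unlink(page); unlink(secret); rmdir(dir);
    return 0;
}

int main(void)
{
    int leaked, refused;
    if (race_demo(&leaked, &refused) != 0) { perror("race_demo"); return 1; }
    printf("check-then-open leaked secret: %s\n", leaked ? "yes" : "no");
    printf("O_NOFOLLOW refused symlink:    %s\n", refused ? "yes" : "no");
    return 0;
}
```

Build with `gcc -Wall -o symrace symrace.c` and run it as an unprivileged user. The point to take away is the one in the apache.org reply: a symlink test done by name before the open cannot be made safe, only a check the kernel performs together with the open can. Note that O_NOFOLLOW protects only the final path component; a directory earlier in the path can still be swapped for a symlink by whoever controls its parent, so it is not by itself a complete substitute for keeping untrusted users out of directories the server user can traverse.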