Re: Another flaw in Apache?

From: Michal Zalewski (lcamtufat_private)
Date: Sun Jun 23 2002 - 09:17:14 PDT


On Sun, 23 Jun 2002, Filipe Almeida wrote:

> You can kill the httpd children but you can't ptrace them because the
> processes are not dumpable.

Yes. The point is, if you can send requests that will cause an overflow in
every single child running - and you can - you could effectively force all
of them to do what you want - e.g. send spoofed data to clients, saying,
for example, "This site is 0wned". Or something more subtle. Hijacking of
an HTTP session certainly isn't a minor issue for sites with, say, paid
services. My best guess would be that providers of paid web space access
(with .htaccess files enabled) would have some serious problems,
especially if they also have commercial customers.

Some time ago, I published a funny vulnerability in Sendmail (-bD option +
SIGHUP). It wouldn't give you root, but it would give you the listening
socket bound to port 25. Go figure. This allows, for example, transparent
mail sniffing, and is effectively a service compromise. With Apache,
that'd be the same, except that in the age of e-commerce and web
authentication, an "owned" Apache daemon will more likely lead to trouble
other than just privacy compromise.

-- 
_____________________________________________________
Michal Zalewski [lcamtufat_private] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/

This archive was generated by hypermail 2b30 : Sun Jun 23 2002 - 18:35:05 PDT