Apache, the top web server platform on the Internet, has a critical vulnerability that was recently patched by the Apache Foundation. Everyone running Apache needs to install the patched version immediately in order to close the vulnerability, which is now known as CVE-2019-0211. According to the report, affected versions range from 2.4.17 to 2.4.38; the patched version is 2.4.39 or newer. The critical vulnerability involves the ability of a child process to obtain the privileges of its parent process, even though the child process is designed to run with lower privileges.

To reduce complexity and hassle, many web administrators run their httpd daemon (the heart of the Apache server) as root. A malicious user can inject a malicious script into the affected Apache server and escalate the script's privileges, executing whatever commands it contains, including granting higher privileges to other processes launched from the script.

“The exploitation is a four step process:
1. Obtain R/W access on a worker process
2. Write a fake prefork_child_bucket structure in the SHM
3. Make all_buckets[bucket] point to the structure
4. Await 6:25AM to get an arbitrary function call.
Advantages:
– The main process never exits, so we know where everything is mapped by reading /proc/self/maps (ASLR/PIE useless)
– When a worker dies (or segfaults), it is automatically restarted by the main process, so there is no risk of DOSing Apache.
Problems:
– PHP does not allow to read/write /proc/self/mem, which blocks us from simply editing the SHM
– all_buckets is reallocated after a graceful restart (!),” explained Charles Fol, Security Engineer at Ambionics.

The most vulnerable installations are Apache instances in a shared hosting setup. That does not mean, however, that standalone installations of a vulnerable Apache version are immune to CVE-2019-0211. With privilege-escalation instructions inside the script file, the attacker has a loophole to gain full root access.

“Different Apache servers have different numbers of workers. Having more workers means we can spray the address of our mutex over less memory, but it also means we can specify more indexes for all_buckets. This means that having more workers improves our success rate. After a few tries on my test Apache server of 4 workers (default), I had ~80% success rate. The success rate jumps to ~100% with more workers. Again, if the exploit fails, it can be restarted the next day as Apache will still restart properly. Apache’s error.log will nevertheless contain notifications about its workers segfaulting,” concluded Fol.

Because Apache is an open source project, updates are already available for every platform on which it is supported. The patched versions for Linux, Unix, Windows and macOS are mandatory updates in order to stop exploitation of the vulnerability.
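As an added defender-side example (not part of the original article or of Ambionics' research), the following Python checks a server's version banner against the affected range quoted above and scans error.log lines for the worker segfault notices that Fol says a failed attempt leaves behind. The log format is assumed to be httpd's AH00052 "child pid N exit signal" notice, and the banner and log lines are constructed for the demo.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Affected range from the advisory above (inclusive); 2.4.39 is the first fixed release.
AFFECTED_MIN = (2, 4, 17)
AFFECTED_MAX = (2, 4, 38)

# Matches the banner printed by "httpd -v" / "apache2 -v", e.g. "Server version: Apache/2.4.38 (Debian)".
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
# httpd logs a crashed worker with notice AH00052 ("child pid N exit signal ..."); a cluster of
# these with signal 11 is the error.log trace the text above mentions (format assumed here).
SEGFAULT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:notice\] \[pid \d+\] "
    r"AH00052: child pid (?P<child>\d+) exit signal Segmentation fault \(11\)"
)

def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a version banner, or None if no version is present."""
    m = VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def is_affected(version: Tuple[int, int, int]) -> bool:
    """True for any release inside the affected range; False at or past the fixed release."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def worker_segfaults(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, child pid) for every worker that died with SIGSEGV."""
    hits = []
    for line in lines:
        m = SEGFAULT_RE.match(line.rstrip("\n"))
        if m:
            hits.append((m.group("ts"), m.group("child")))
    return hits

def assess(banner: str, log_lines: Iterable[str]) -> str:
    """One-line verdict combining the version check with the error.log scan."""
    version = parse_version(banner)
    crashes = len(worker_segfaults(log_lines))
    if version is None:
        return "Apache version unknown; %d worker segfault(s) logged" % crashes
    state = "affected by CVE-2019-0211" if is_affected(version) else "outside the affected range"
    return "Apache %d.%d.%d is %s; %d worker segfault(s) logged" % (*version, state, crashes)

# Constructed sample input for the demo, not real log data.
SAMPLE_BANNER = "Server version: Apache/2.4.38 (Debian)"
SAMPLE_LOG = [
    "[Mon Apr 01 06:25:01.200000 2019] [core:notice] [pid 1000] AH00052: child pid 1042 exit signal Segmentation fault (11)",
    "[Mon Apr 01 06:25:01.300000 2019] [core:notice] [pid 1000] AH00052: child pid 1043 exit signal Segmentation fault (11)",
    "[Mon Apr 01 06:25:04.000000 2019] [mpm_prefork:notice] [pid 1000] AH00171: Graceful restart requested, doing restart",
    "[Mon Apr 01 06:25:05.000000 2019] [core:notice] [pid 1000] AH00052: child pid 1044 exit signal Segmentation fault (11)",
]
```

Run `assess(SAMPLE_BANNER, SAMPLE_LOG)` to get the verdict; a burst of segfaults close to 06:25 on a host inside the affected range is the pattern worth escalating.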
