Apache::Gallery local webserver compromise, privilege escalation
Greetings,
Apache::Gallery (http://apachegallery.dk) is a free and popular perl module
that, in combination with mod_perl and Apache, provides a powerful and
customizable web gallery of your photographs.
A::G unfortunately misuse Inline::C to created shared libraries. From the
Inline::C documentation:
"It is probably best to have a separate '.Inline/' directory for each
project that you are working on. You may want to
keep stable code in the <.Inline/> in your home directory. On
multi-user systems, each user should have their own '.Inline/'
directories. It could be a security risk to put the directory in a
shared place like "/tmp/"."
At line 27 in Gallery.pm, we see the following:
use Inline (C => Config =>
LIBS => '-L/usr/X11R6/lib -lImlib2 -lm -ldl -lXext -lXext',
INC => '-I/usr/X11R6/include',
UNTAINT => 1,
DIRECTORY =>
File::Spec->tmpdir()
);
File::Spec->tmpdir() returns the first writable temporary directory. On
most UNIX platforms, this will return /tmp or $ENV{TMPDIR}, which is almost
always world writable.
Once this directory is found, a series of predictable filenames and
directories are created. On my test systems, this was always:
$ ls /tmp/lib/auto/Apache/Gallery_4033
Gallery_4033.bs Gallery_4033.inl Gallery_4033.so
Since /tmp is world writable, if we can inject the proper files into
/tmp/lib/auto/Apache/Gallery_4033 before the Apache process does, we can
get it to load our own malicious shared libraries.
The one thing that makes this attack difficult is that you'll likely need
to get /tmp/lib cleared first. However, this directory will likely get
cleared on reboot, so a malicious local attacker need only wait until that
time. What results is a privilege escalation attack to the uid of the user
running the webserver, which is typically apache/www/nobody or a normal
user if suEXEC or something like cgiwrap is in use.
You can find a sample exploit at:
http://spoofed.org/files/Gallery_4033.c
Thanks to Michael Legart, Andreas Plesner and the rest of the
Apache::Gallery team for a prompt response and fix. You can get the latest
version of Apache::Gallery which fixes this problem by removing Inline::C
at:
http://svn.apachegallery.dk/snapshots/
-jon