Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Apache scoreboard invalid free on shutdown in master process
From: halfdog <me () halfdog net>
Date: Thu, 12 Jan 2012 11:33:32 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello List,

Modification of apache scoreboard data, shared by root (uid=0) and
www-data process, allows triggering of invalid free in root process
during apache shutdown, exploitation seems impossible except for really
broken chroot configs.

The free is triggered by setting the scoreboard type from
shared-mem-type to malloc-type. This is possible because the
scoreboard type setting is also stored in shared memory and hence
changeable by lower-privileged worker process.

See
http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk8Ow4EACgkQxFmThv7tq+7NHgCeJ3AUOs4UHZMfQDm5C61NwEek
szkAoIy/vgYHRBgHQPygbGK6De+Yjxi0
=CYqA
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Apache scoreboard invalid free on shutdown in master process halfdog (Jan 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault