Home page logo

oss-sec logo oss-sec mailing list archives

Re: Apache symlink issue: can documented behavior be a security problem and hence get a CVE?
From: Stefan Fritsch <sf () sfritsch de>
Date: Sat, 16 Jul 2011 21:35:20 +0200

On Saturday 16 July 2011, halfdog wrote:
Understood. I've looked at the issue more closely and found a
similar DOS-exploitable timerace and a buffer overwrite unrelated
to this. Just for study, I'm currently trying to combine 3
timeraces + buffer overwrite + ROP to get code execution. Since
apache will quite likely fix the other two issues, they have to
touch the code anyway, so the symlink issue might be historic soon

I don't think the race conditions can be fixed without openat, which 
is available in Linux since 2.6.16 and is not available in many other 
flavours of UNIX. Currently, it is clear that your issue only concerns 
an un-supported use case of Apache httpd. IMHO it would not be wise to 
change httpd to support this use case on recent Linux but not on other 

And if you have a setup where the races are a problem, you can fix it 
outside of httpd. E.g. configure your FTP-server to deny creating of 
symlinks or configure SELinux/Apparmor/... accordingly.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]