LSS Security Advisory #LSS-2005-01-01
http://security.lss.hr
---
Title : Mod_dosevasive symlink and race vulnerability
Advisory ID : LSS-2005-01-4
Date : January 1th, 2005
Advisory URL: : http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-01
Impact : Arbitrary file creation
Risk level : Low
Vulnerability type : Local
Vendors contacted : December 16th, 2004.
---
==[ Overview
>From mod_dosevasive's web site (http://www.nuclearelephant.com/projects/dosevasive/):
Mod_dosevasive is an evasive maneuvers module for Apache to provide evasive
action in the event of an HTTP DoS or DDoS attack or brute force attack.
It is also designed to be a detection and network management tool, and can
be easily configured to talk to ipchains, firewalls, routers etc.
Mod_dosevasive presently reports abuses via email and syslog facilities.
==[ Vulnerability
When a denial of service attack is detected, mod_dosevasive will, among
other things, create a temporary file which it will use to trace actions
from the offensive IP address. This file is insecurely created in /tmp and
it's name is easily predictable.
The attacker knows exactly which name the file will have:
...
snprintf(filename, sizeof(filename), "/tmp/dos-%s",
r->connection->remote_ip);
...
So, if the attack is coming from 127.0.0.1, mod_dosevasive will create
/tmp/dos-127.0.0.1 file.
1) Symlink attack
It is then easy for an attacker to create arbitrary files in any directory
that the user under which apache runs has privileges to write.
For example:
[bojanz@test bojanz]$ ls -ld /var/www
drwxr-xr-x 6 root root 4096 Nov 6 04:59 /var/www
[bojanz@good bojanz]$ cd /tmp
[bojanz@good tmp]$ ln -s /var/www/html/poc_file dos-127.0.0.1
[bojanz@good tmp]$ ls -l /var/www/html/poc_file
ls: /var/www/html/poc_file: No such file or directory
[bojanz@good tmp]$ perl ./dos.pl # this script performs a simple DoS attack
[bojanz@good tmp]$ ls -l /var/www/html/poc_file
-rw-r--r-- 1 apache apache 6 Dec 14 11:53 /var/www/html/poc_file
Mod_dosevasive will check if the target file exists and will not overwrite it,
so the vulnerability #1 just allows creation of arbitrary files in directories
that the user under which apache runs has privileges to write.
Files contain PID of the child process and the attacker can't modify them.
2) Race attack
However, once the target file is opened, there is a race attack (although
difficult to exploit) which can lead to mod_dosevasive overwriting any
file that the user under which apache runs has privileges to write.
>From the source:
...
snprintf(filename, sizeof(filename), "/tmp/dos-%s",
r->connection->remote_ip);
/* Race vulnerability */
if (stat(filename, &s)) {
file = fopen(filename, "w");
...
===[ Affected versions
All available versions of mod_security are affected, including the latest
CVS version (1.9).
===[ Fix
Real fix would be to rewrite the code which opens the file, however, in
absence of that, easy and quick fix is to create a directory that only the
user under which apache runs has privileges to write and to use that
directory to create mod_dosevasive temporary files in.
In order to use a different directory, only one line in the source code has
to be changed:
snprintf(filename, sizeof(filename), "/tmp/dos-%s",
r->connection->remote_ip);
^^^^^
===[ PoC Exploit
No PoC required.
===[ Credits
This vulnerability was found by LSS Security Team.
===[ LSS Security Contact
LSS Security Team, <eXposed by LSS>
WWW : http://security.lss.hr
E-mail : security@xxxxxx
Tel : +385 1 6129 775
