Apache::Gallery Privilege Escalation

2003-09-09T10:22:51
ID OSVDB:2149
Type osvdb
Reporter OSVDB
Modified 2003-09-09T10:22:51

Description

Vulnerability Description

Apache::Gallery contains a flaw in its use of Inline::C: the compiled shared libraries are stored in an insecure manner, so an attacker may be able to link malicious code into the Apache process. The libraries have to be replaced before the Apache process is started, but the flaw could still allow a local user to escalate privileges.

Technical Description

The vulnerability is caused by the program creating shared libraries insecurely in a temporary directory (often "/tmp"). This can be exploited through a symlink attack or by placing a specially crafted shared library in the directory, which causes the library to be loaded and executed with the privileges of the web service.

Solution Description

Upgrade to Apache::Gallery 0.7 which addresses this issue by removing the use of Inline::C. Users are advised to upgrade as soon as possible.

If you are unable to upgrade, the following modification has been suggested as a temporary workaround:

    use Inline (C => Config =>
        LIBS      => '-L/usr/X11R6/lib -lImlib2 -lm -ldl -lXext -lXext',
        INC       => '-I/usr/X11R6/include',
        UNTAINT   => 1,
        DIRECTORY => "/some/path/",
    );

Here, /some/path is a path that only the uid of gallery can access, such as $apacheroot/gallery/Inline.
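
A check that can be run before starting Apache to confirm that the directory given as DIRECTORY meets the condition above. This is an added example, not part of the advisory or of Apache::Gallery: the function name check_inline_dir is hypothetical, it inspects only the directory tree itself (not its parent directories), and it assumes a find that accepts a numeric uid for -user.

```shell
#!/bin/sh
# Added example (not from the advisory); check_inline_dir is a hypothetical helper.
# Usage: check_inline_dir /path/to/inline-dir owner-name-or-uid
# Returns 0 only when the tree is owned by the given owner, is not writable
# by group or other, and contains no symlinks.
check_inline_dir() {
    cid_dir=$1
    cid_owner=$2
    cid_rc=0

    # A symlinked build directory can be redirected elsewhere: require a real one.
    if [ -L "$cid_dir" ] || [ ! -d "$cid_dir" ]; then
        echo "FAIL: $cid_dir is a symlink or not a directory"
        return 1
    fi

    # Everything in the tree must belong to the expected owner.
    # A find error (unreadable directory, unknown user) also counts as a failure.
    cid_bad=$(find "$cid_dir" ! -user "$cid_owner" -print) || cid_rc=1
    if [ -n "$cid_bad" ]; then
        echo "FAIL: not owned by $cid_owner:"
        echo "$cid_bad"
        cid_rc=1
    fi

    # Nothing may be writable by group or other (symlink mode bits are ignored
    # here; symlinks are reported separately below).
    cid_bad=$(find "$cid_dir" ! -type l \( -perm -020 -o -perm -002 \) -print) || cid_rc=1
    if [ -n "$cid_bad" ]; then
        echo "FAIL: writable by group or other:"
        echo "$cid_bad"
        cid_rc=1
    fi

    # A symlink in the cache could point the loader at a library elsewhere.
    cid_bad=$(find "$cid_dir" -type l -print) || cid_rc=1
    if [ -n "$cid_bad" ]; then
        echo "FAIL: symlink inside the directory:"
        echo "$cid_bad"
        cid_rc=1
    fi

    [ "$cid_rc" -eq 0 ] && echo "OK: $cid_dir"
    return "$cid_rc"
}
```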

References:

Vendor URL: http://apachegallery.dk/
Secunia Advisory ID: 9700
Generic Informational URL: http://www.securityfocus.com/archive/1/336583
Bugtraq ID: 8561