Mod_dosevasive symlink and race vulnerability

2005-01-13T00:00:00
ID SECURITYVULNS:DOC:7575
Type securityvulns
Reporter Securityvulns
Modified 2005-01-13T00:00:00

Description

                      LSS Security Advisory #LSS-2005-01-01

                           http://security.lss.hr

Title : Mod_dosevasive symlink and race vulnerability Advisory ID : LSS-2005-01-4 Date : January 1th, 2005 Advisory URL: : http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-01 Impact : Arbitrary file creation Risk level : Low Vulnerability type : Local Vendors contacted : December 16th, 2004.


==[ Overview

>From mod_dosevasive's web site (http://www.nuclearelephant.com/projects/dosevasive/):

Mod_dosevasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers etc. Mod_dosevasive presently reports abuses via email and syslog facilities.

==[ Vulnerability

When a denial of service attack is detected, mod_dosevasive will, among other things, create a temporary file which it will use to trace actions from the offensive IP address. This file is insecurely created in /tmp and it's name is easily predictable.

The attacker knows exactly which name the file will have:

... snprintf(filename, sizeof(filename), "/tmp/dos-%s", r->connection->remote_ip); ...

So, if the attack is coming from 127.0.0.1, mod_dosevasive will create /tmp/dos-127.0.0.1 file.

1) Symlink attack

It is then easy for an attacker to create arbitrary files in any directory that the user under which apache runs has privileges to write. For example:

[bojanz@test bojanz]$ ls -ld /var/www drwxr-xr-x 6 root root 4096 Nov 6 04:59 /var/www [bojanz@good bojanz]$ cd /tmp [bojanz@good tmp]$ ln -s /var/www/html/poc_file dos-127.0.0.1 [bojanz@good tmp]$ ls -l /var/www/html/poc_file ls: /var/www/html/poc_file: No such file or directory [bojanz@good tmp]$ perl ./dos.pl # this script performs a simple DoS attack [bojanz@good tmp]$ ls -l /var/www/html/poc_file -rw-r--r-- 1 apache apache 6 Dec 14 11:53 /var/www/html/poc_file

Mod_dosevasive will check if the target file exists and will not overwrite it, so the vulnerability #1 just allows creation of arbitrary files in directories that the user under which apache runs has privileges to write. Files contain PID of the child process and the attacker can't modify them.

2) Race attack

However, once the target file is opened, there is a race attack (although difficult to exploit) which can lead to mod_dosevasive overwriting any file that the user under which apache runs has privileges to write.

>From the source:

... snprintf(filename, sizeof(filename), "/tmp/dos-%s", r->connection->remote_ip); / Race vulnerability / if (stat(filename, &s)) { file = fopen(filename, "w"); ...

===[ Affected versions

All available versions of mod_security are affected, including the latest CVS version (1.9).

===[ Fix

Real fix would be to rewrite the code which opens the file, however, in absence of that, easy and quick fix is to create a directory that only the user under which apache runs has privileges to write and to use that directory to create mod_dosevasive temporary files in. In order to use a different directory, only one line in the source code has to be changed:

snprintf(filename, sizeof(filename), "/tmp/dos-%s", r->connection->remote_ip); ^^^^^

===[ PoC Exploit

No PoC required.

===[ Credits

This vulnerability was found by LSS Security Team.

===[ LSS Security Contact

LSS Security Team, <eXposed by LSS>

WWW : http://security.lss.hr E-mail : security@LSS.hr Tel : +385 1 6129 775