LiteSpeed Web Server - Privilege Escalation Vulnerability (R911-0084)
Type: Privilege Escalation
Product: LiteSpeed Web Server
Vulnerable Version: 4.2.4
Fixed Version: 4.2.5
LiteSpeed Web Server (LSWS) is a high-performance Apache drop-in replacement. LSWS is the 4th most popular web server on the internet and the #1 commercial web server. Upgrading your web server to LiteSpeed Web Server will improve your performance and lower operating costs.
A privilege escalation is possible in LiteSpeed Web Server because of the poor choice to store process ID (PID) information under /tmp. When the web server is configured to run PHP without suEXEC, an attacker can write to the /tmp/lshttpd directory and use a carefully crafted exploit to obtain root access.
Proof of Concept:
Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.
We rate this vulnerability as CRITICAL because root access can be obtained.
This vulnerability was tested against LiteSpeed Web Server v4.2.4 and is believed to exist in all prior versions.
This vulnerability was patched in LiteSpeed Web Server v4.2.5.
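To check a host for the condition described above, the following added example (not part of the original advisory and not LiteSpeed code) audits the /tmp/lshttpd directory for ownership and write permissions. It assumes the safe state is a root-owned directory with no group or other write bit that holds only regular files; the function names are hypothetical.

```python
import os
import stat

PID_DIR = "/tmp/lshttpd"  # directory named in the advisory


def _check(path, st, trusted_uids):
    """Flag an owner outside trusted_uids or a group/other write bit."""
    out = []
    if st.st_uid not in trusted_uids:
        out.append(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append(f"{path}: group/other writable (mode {stat.S_IMODE(st.st_mode):o})")
    return out


def audit_pid_dir(path=PID_DIR, trusted_uids=(0,)):
    """Return findings for a PID directory consumed by a root-owned process.

    Assumption (not from the advisory): the safe state is a real directory
    owned by a trusted uid, with no group/other write bit, holding only
    regular files that meet the same ownership and mode rules.
    """
    try:
        st = os.lstat(path)  # lstat so a link at `path` is not followed
    except FileNotFoundError:
        return []  # directory absent: nothing to audit
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a real directory"]
    findings = _check(path, st, trusted_uids)
    for name in sorted(os.listdir(path)):
        entry = os.path.join(path, name)
        try:
            est = os.lstat(entry)
        except FileNotFoundError:
            continue  # entry removed while we were listing
        if not stat.S_ISREG(est.st_mode):
            findings.append(f"{entry}: not a regular file")
        else:
            findings += _check(entry, est, trusted_uids)
    return findings


if __name__ == "__main__":
    for finding in audit_pid_dir():
        print("FINDING", finding)
```

An empty result on a host that still runs v4.2.4 does not mean the host is fixed; the advisory's remedy is the upgrade to v4.2.5.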