Information leak in apache CGI implementation

  #1  
Old 03-09-2001, 05:14 AM
cperciva cperciva is offline
Retired Moderator
 
Join Date: Jan 2001
Posts: 2,603
Ok, this is *very* obscure, but could, just possibly, be leveraged by an attacker.

When called by cgi scripts, getlogin() returns the login name associated with the shell which started apache.

Normally if apache is started at runtime or restarted via cron, this will just return "root". However, if an administrator logs in as themselves, uses su to become root, and then restarts apache, anyone who can create and run cgi scripts on the server can find out the login name of a user who knows the root password.

Of course, on default installation of most operating systems you could get that same information by grepping /var/log/messages, so this is hardly a big security hole. But it is still an information leak, and on an extremely secure system it could be used by an attacker to determine which account he should try to break into to use as a stepping stone to root.

What do people think... is this worth pointing out to the apache people?



  #2  
Old 03-09-2001, 04:37 PM
Tim Greer Tim Greer is offline
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
Quote:
Originally posted by cperciva
Ok, this is *very* obscure, but could, just possibly, be leveraged by an attacker.

When called by cgi scripts, getlogin() returns the login name associated with the shell which started apache.

Normally if apache is started at runtime or restarted via cron, this will just return "root". However, if an administrator logs in as themselves, uses su to become root, and then restarts apache, anyone who can create and run cgi scripts on the server can find out the login name of a user who knows the root password.

Of course, on default installation of most operating systems you could get that same information by grepping /var/log/messages, so this is hardly a big security hole. But it is still an information leak, and on an extremely secure system it could be used by an attacker to determine which account he should try to break into to use as a stepping stone to root.

What do people think... is this worth pointing out to the apache people?
Well, this isn't really an issue. There are other ways to get that information. Basically, most systems allow any user to su to root, so it wouldn't matter what account you used (and if you had an account that you were able to use that function call, you already have an account on the system). Anyway, if you do have an account, you can try to su to root, unless it's configured to only allow people in the wheel group to su. If that's the case, and since you have an account on the system, you can simply look in the /etc/group file and see who's in the wheel group and allowed to su. Finally, most systems don't allow the average user to view the contents of /var/log/messages anyway. Of course, any information about a privileged account is best avoided. Anyway, getlogin() isn't a memory leak issue, and it only shows the current login in utmp.

[Edited by Tim_Greer on 03-09-2001 at 06:43 PM]

  #3  
Old 03-09-2001, 07:23 PM
cperciva cperciva is offline
Retired Moderator
 
Join Date: Jan 2001
Posts: 2,603
The issue isn't finding an account from which you can su to root -- as you point out, that is trivially done by looking at /etc/group. (Although I'm not sure if that is always world readable... anyone know for certain?)

The issue is that this allows someone with cgi privileges to find out who knows the root password. In that regard this is as much a security hole as logging in directly as root is: it lets the outside world know that you know the root password, whereas using su doesn't (shouldn't) reveal that to the world.

  #4  
Old 03-09-2001, 07:43 PM
Tim Greer Tim Greer is offline
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
First of all, I made a typo earlier, I meant "utmp", not "wtmp" in my last post. (I.e., /etc/utmp)... whereas this function simply grabs the current login, if any. It should and can do matching to ensure it's the user that's running the call too though, to prevent other information.

Likely, people can just find out by typing "last" and seeing who logged in as root. I guess I didn't fully understand what you were saying before, but if you have access on a system and the su command is limited to only certain users, then those are the users that know the password. Knowing who knows the password, though, isn't an issue. That doesn't help you to find out what the password is; it's a matter of finding out who can use the password and command.

The only advantage to a system cracker would be to know which specific accounts have the easiest access to the su command or aren't denied access. If you have access to a system that you can use the getlogin() function on, then you have access to immediately see who logs in as root, even if they weren't the last person that logged in. If you (and you can) deny people that have accounts on the system from seeing the logins, etc., then that will deny the getlogin() function from displaying what you speak of anyway, since it grabs the information from utmp. If it doesn't have permission, you're safe from that revealing that information either way. Of course, that'd likely be in combination with other controlled things and denials of other commands too, to make any difference. But yes, the /etc/group file is almost always readable by everyone on the system. The thing is, this isn't really an issue any more than anything else, since you can have a CGI script make system calls that specifically run "last", "ps", "finger", etc.
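The behaviour the thread describes, and Tim's suggested cross-check, as an added example that is not from the original posts: getlogin() reports the utmp login of the controlling terminal the daemon inherited (the su'd administrator's name in cperciva's scenario), while getpwuid(getuid()) reports the account the CGI process actually runs as; a CGI that needs "who am I" should use the latter and only trust getlogin() when the two agree. Nothing here assumes any particular system beyond the standard POSIX calls.

```c
/* Added example, not code from the thread. Build: cc -o whoami_cgi whoami_cgi.c */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

/* Account name for the process's real uid, taken from the passwd database.
 * For a CGI this is the web server's account (e.g. "www" or "nobody") and is
 * unrelated to whoever restarted apache. Returns NULL if the uid is unknown. */
const char *real_user_name(char *buf, size_t len)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL)
        return NULL;
    snprintf(buf, len, "%s", pw->pw_name);
    return buf;
}

/* getlogin() consults utmp for the controlling terminal. Started from an
 * administrator's su'd shell it yields that administrator's login name;
 * started by cron or at boot it yields "root" or NULL (no terminal, or
 * utmp not readable). Either way it says nothing about the CGI itself. */
const char *session_login_name(void)
{
    return getlogin();
}

/* The matching Tim proposes: only treat the utmp login name as "the caller"
 * when it names the same account as the real uid. Returns 1 on match,
 * 0 otherwise (including when either name is missing). */
int login_matches_real_uid(const char *login, const char *real)
{
    if (login == NULL || real == NULL)
        return 0;
    return strcmp(login, real) == 0;
}

int main(void)
{
    char buf[64];
    const char *real  = real_user_name(buf, sizeof buf);
    const char *login = session_login_name();

    printf("Content-Type: text/plain\r\n\r\n");
    printf("real uid account : %s\n", real  ? real  : "(unknown)");
    printf("getlogin()       : %s\n", login ? login : "(none)");
    printf("trust getlogin() : %s\n",
           login_matches_real_uid(login, real) ? "yes" : "no");
    return 0;
}
```

Run it from an interactive shell and then from cron (or under a web server) to see the two names diverge; only the real uid account is stable across both.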
