A serious vulnerability has been sitting unnoticed in the highly popular Apache HTTP Server for nearly four years, a bug that can grant root access to lower-privileged processes under some conditions.
The vulnerability was introduced in Apache 2.4.17, which was released in October 2015, and it affects the Apache server running on Unix-based systems. Security researcher Charles Fol discovered the vulnerability in the Apache Multi-Processing Modules (MPM) event, worker, and prefork. Exploiting the flaw would give an attacker root privileges on the target server, but exploitation requires local access. Versions 2.4.17 through 2.4.38 are affected.
"This privilege escalation bug is especially problematic for hosting providers that still offer “shared web hosting” plans where a site is running alongside other ones, all of them sharing the same parent Apache server. Even if a vulnerable Apache server is running on its own, this flaw could be used in combination with other attack methods to execute code at a higher privilege level," Bob Rudis of Rapid7 said in an analysis of the flaw.
Fol published a detailed analysis of how the vulnerability affects the MPM prefork, and also has developed an exploit, though that hasn’t been made public.
“In MPM prefork, the main server process, running as root, manages a pool of single-threaded, low-privilege (www-data) worker processes, meant to handle HTTP requests. In order to get feedback from its workers, Apache maintains a shared-memory area (SHM), scoreboard, which contains various information such as the workers' PIDs and the last request they handled. Each worker is meant to maintain a process_score structure associated with its PID, and has full read/write access to the SHM,” he said.
“When Apache gracefully restarts, its main process kills old workers and replaces them by new ones. At this point, every old worker's bucket value will be used by the main process to access an array of his, all_buckets. No bound checks happen. Therefore, a rogue worker can change its bucket index and make it point to the shared memory, in order to control the prefork_child_bucket structure upon restart. Eventually, and before privileges are dropped, mutex->meth->child_init() is called. This results in an arbitrary function call as root.”
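The mechanism Fol describes, an index read from worker-writable shared memory and used without a bounds check to select an entry of the parent's all_buckets array, is illustrated by the following added C model. It is not Apache's code and not Fol's exploit; the structs, NUM_BUCKETS, bucket_for_unchecked, bucket_for_checked and restart_worker are constructed for this illustration, and the sample process_score values are made up. The hardened variant treats every scoreboard field as untrusted input and rejects an out-of-range index before anything is dereferenced or called.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of the bug class in the article (assumed names, not Apache's
 * source): a parent-only table indexed by a value that a low-privilege
 * worker can write into shared memory. */

#define NUM_BUCKETS 2

typedef void (*child_init_fn)(void);

static void real_child_init(void) { /* what the parent expects to run */ }

typedef struct {
    child_init_fn child_init;   /* invoked by the parent before it drops privileges */
} prefork_child_bucket;

/* Parent-owned table with exactly NUM_BUCKETS valid entries. */
static prefork_child_bucket all_buckets[NUM_BUCKETS] = {
    { real_child_init }, { real_child_init }
};

/* Per-worker record living in the shared scoreboard. A worker can write
 * any value here, so 'bucket' must be treated as attacker-controlled. */
typedef struct {
    int pid;
    int bucket;
} process_score;

/* Vulnerable pattern: uses the shared-memory index as-is. An out-of-range
 * value walks off the end of all_buckets (undefined behaviour). */
static prefork_child_bucket *bucket_for_unchecked(const process_score *ps) {
    return &all_buckets[ps->bucket];
}

/* Hardened pattern: validate the index against the table size first. */
static prefork_child_bucket *bucket_for_checked(const process_score *ps) {
    if (ps->bucket < 0 || ps->bucket >= NUM_BUCKETS)
        return NULL;
    return &all_buckets[ps->bucket];
}

/* Restart path built on the checked lookup.
 * Returns 1 if the record was accepted and child_init ran, 0 if rejected. */
static int restart_worker(const process_score *ps) {
    prefork_child_bucket *b = bucket_for_checked(ps);
    if (b == NULL) {
        fprintf(stderr, "pid %d: rejecting out-of-range bucket index %d\n",
                ps->pid, ps->bucket);
        return 0;
    }
    b->child_init();
    return 1;
}

int main(void) {
    process_score good     = { 1234, 1 };     /* constructed: valid index */
    process_score tampered = { 1235, 4096 };  /* constructed: index far outside the table */
    printf("good record accepted: %d\n", restart_worker(&good));
    printf("tampered record accepted: %d\n", restart_worker(&tampered));
    return 0;
}
```

The defensive point is that a parent process must not trust any field it reads back from memory its children can write; every such value is input and needs the same validation as a network request would get.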
Apache holds a large chunk of the web server market, so serious vulnerabilities in the software often command quite a bit of attention from both attackers and defenders. The Apache Software Foundation has released an updated version of the server to fix the vulnerability, version 2.4.39. That release also patches several other vulnerabilities, but the one that Fol discovered is the most serious of the lot.
“Flaw in Apache HTTP Server 2.4.17 - 2.4.38 allows anyone you allow to write a script (PHP, CGI,..) to gain root. Get 2.4.39 now especially if you have untrusted script authors or run shared hosting (or use mod_auth_digest, due to a separate flaw),” Mark Cox, an Apache maintainer, said on Twitter.
The proof-of-concept exploit that Fol developed for the MPM vulnerability will trigger once each day when the web server restarts.
“Different Apache servers have different numbers of workers. Having more workers means we can spray the address of our mutex over less memory, but it also means we can specify more indexes for all_buckets. This means that having more workers improves our success rate. After a few tries on my test Apache server of 4 workers (default), I had ~80% success rate. The success rate jumps to ~100% with more workers. Again, if the exploit fails, it can be restarted the next day as Apache will still restart properly,” Fol said.
CC By-SA 2.0 image from Ethen Rera.