A patchy Apache a-patchin: HTTP server gets fix for worrying root access hole
Rogue 'worker' processes can sneak in with elevated privileges at startup
Apache HTTP Server has been given a patch to address a potentially serious elevation of privilege vulnerability.
Designated CVE-2019-0211, the flaw lets code running inside a low-privileged "worker" process take on the privileges of the parent process when the server gracefully restarts itself. Since the parent normally runs as root, anyone with a local account on the box, or anyone able to run code inside a worker (a hosted script executed by an in-process interpreter, for example), could end up running commands as root, essentially giving them complete control over the targeted machine.
The bug was discovered by researcher Charles Fol of security shop Ambionics, who privately reported the issue to Apache. It affects the Unix builds of Apache HTTP Server 2.4.17 through 2.4.38; admins can get the vulnerability sealed up by making sure their servers are updated to version 2.4.39 or later.
While elevation of privilege vulnerabilities are not generally considered particularly serious bugs (after all, you need to already be running code on the target machine, which is in and of itself a security compromise), the way Apache HTTP Server is typically deployed, as a shared host running code on behalf of many mutually untrusting users, means this bug will almost always be exposed to some extent.
Fol told The Register that as HTTP servers are used for web hosting, multiple users will be given guest accounts on each machine. In the wild, this means the attacker could simply sign up for an account to have their site hosted on the target server.
"The web hoster has total access to the server through the 'root' account," Fol explained.
"If one of the users successfully exploits the vulnerability I reported, he/she will get full access to the server, just like the web hoster. This implies read/write/delete any file/database of the other clients."
Fol says that the vulnerability is triggered when the host server performs its daily restart routine, usually at 06:25, the time at which the daily logrotate cron job gracefully restarts Apache on many Linux distributions. During the restart process the worker processes are shut down and then started again, and in that interval a small window opens in which the elevation of privilege can take place.
"No bound checks happen," Fol explained. "Therefore, a rogue worker can change its bucket index and make it point to the shared memory, in order to control the prefork_child_bucket structure upon restart. Eventually, and before privileges are dropped, mutex->meth->child_init() is called. This results in an arbitrary function call as root."
Fol noted that while his own tests yielded about an 80 per cent success rate, increasing the number of worker processes could raise that close to 100 per cent and, even if the first attempt at an exploit fails, the attack can simply be retried every morning when the restart process runs.
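For admins who want to check their own boxes, the following is an added example (not code from The Register, Ambionics or the Apache project) that parses the banner printed by `httpd -v` / `apache2 -v` and reports whether the build falls in the affected 2.4.17 to 2.4.38 range. The banner text in the block is constructed to mimic real output; the function names are this example's own.

```shell
#!/bin/sh
# Added example: is this Apache HTTP Server build inside the CVE-2019-0211
# affected range (2.4.17 through 2.4.38, fixed in 2.4.39)?
# Not code from the article, Apache or Ambionics; helper names are illustrative.

FIXED_VERSION="2.4.39"
FIRST_AFFECTED="2.4.17"

# Pull "x.y.z" out of a banner line such as:
#   Server version: Apache/2.4.38 (Debian)
parse_httpd_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Numeric comparison of two dotted versions; prints -1, 0 or 1.
# Plain string comparison would wrongly rank 2.4.9 above 2.4.38.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# Exit status 0 when the banner describes an affected build, 1 when it is
# outside the affected range, 2 when no version could be parsed.
is_vulnerable_banner() {
    v=$(parse_httpd_version "$1")
    [ -n "$v" ] || return 2
    [ "$(version_cmp "$v" "$FIRST_AFFECTED")" -ge 0 ] \
        && [ "$(version_cmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# Live check against the locally installed binary; only runs when the script
# is invoked with --live so the functions above can also be sourced and tested.
check_installed() {
    banner=$(httpd -v 2>/dev/null || apache2 -v 2>/dev/null || apache2ctl -v 2>/dev/null)
    if is_vulnerable_banner "$banner"; then
        echo "AFFECTED: $(parse_httpd_version "$banner") is in 2.4.17..2.4.38 (upstream fix: $FIXED_VERSION)"
        return 0
    fi
    rc=$?
    if [ "$rc" -eq 2 ]; then echo "could not find an Apache version banner"; return 2; fi
    echo "not affected by version: $(parse_httpd_version "$banner")"
    return 1
}

# Constructed sample banners, used when the script is run without --live.
SAMPLE_OLD='Server version: Apache/2.4.38 (Debian)'
SAMPLE_NEW='Server version: Apache/2.4.39 (Unix)'

if [ "${1:-}" = "--live" ]; then
    check_installed
else
    for b in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
        if is_vulnerable_banner "$b"; then
            echo "affected:     $b"
        else
            echo "not affected: $b"
        fi
    done
fi
```

Two caveats apply when reading the result. All three standard Unix MPMs (prefork, worker and event) are affected, so the MPM in use does not reduce exposure. And distributions routinely backport security fixes without bumping the upstream version string, so a banner reading 2.4.38 on a vendor-patched package may already carry the fix; confirm against the package changelog rather than the banner alone.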
The researcher plans to post exploit code for the bug at a later date, so get patching now. ®