Today we were very surprised by vulnerability CVE-2013-1048 in the Apache web server. The issue is described in Debian Security Advisory DSA-2637-1 with the following notes:
"Hayawardh Vijayakumar noticed that the apache2ctl script created the lock directory in an unsafe manner, allowing a local attacker to gain elevated privileges via a symlink attack. This is a Debian specific issue."

First, look at the last line of the quote: only Debian systems were affected.
Let's try to analyse the patch for this bug:
As you can see, the install command was replaced by a mkdir_chown function which contains many security checks.
Let's try to understand what happens when "install -d -o www-data /var/lock/apache" is called.
This command creates the directory /var/lock/apache and then chowns it to www-data.
But if this path already exists as a symlink to another directory (/var/lock has a+w permissions), the install command changes the ownership of the directory the symlink points to. The simplest way to exploit this is to create /var/lock/apache as a symlink to the /etc/ directory, then delete /etc/shadow and recreate it with your own content under www-data user privileges.
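To show what a safer replacement for the install call has to get right, here is an added example of my own; it is not the mkdir_chown function from the Debian patch, and the function name safe_mkdir_chown is an assumption. It refuses a pre-existing symlink, creates the directory with mkdir without -p (which fails on a symlink at the final path component instead of following it), and chowns with -h so that even a link swapped in at the last moment is not dereferenced.

```shell
# Added example: a safer stand-in for "install -d -o www-data /var/lock/apache".
# Not the mkdir_chown function from the Debian patch; the name is assumed.
# Usage: safe_mkdir_chown OWNER DIR  -> returns 0 on success, 1 when it refuses.
safe_mkdir_chown() {
    # A symlink planted in the world-writable parent (/var/lock) is exactly
    # what "install -d" would have followed; refuse it outright.
    if [ -L "$2" ]; then
        echo "refusing: $2 is a symlink" >&2
        return 1
    fi
    # Anything else that exists but is not a directory is refused too.
    if [ -e "$2" ] && [ ! -d "$2" ]; then
        echo "refusing: $2 exists and is not a directory" >&2
        return 1
    fi

    # mkdir without -p does not follow a symlink at the final path component;
    # it fails with EEXIST instead, so a link planted after the check above
    # makes this step fail loudly rather than succeed on the link target.
    if [ ! -d "$2" ]; then
        mkdir "$2" || return 1
    fi

    # Re-verify, then chown with -h (no dereference): if the path were swapped
    # for a symlink right here, the link itself would be chowned, not /etc.
    if [ ! -d "$2" ] || [ -L "$2" ]; then
        echo "refusing: $2 changed underneath us" >&2
        return 1
    fi
    chown -h "$1" "$2"
}
```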