Package: php5-common
Version: 5.3.5-1
Severity: normal

/etc/cron.d/php5 has:

  09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm

  $ ls -dl /var/lib/php5
  drwx-wx-wt 2 root root 4096 Mar 15 15:40 /var/lib/php5/

That basically allows anyone to have root remove any file on the file system.

For instance, by creating a /var/lib/php5/foo/passwd file, and then a million files in /var/lib/php5/bar a few minutes later: when /var/lib/php5/foo/passwd has exceeded its maxlifetime but the ones in /var/lib/php5/bar have not, and assuming foo appears before bar, find will output /var/lib/php5/foo/passwd and then spend a few minutes in /var/lib/php5/bar, during which the attacker can replace his /var/lib/php5/foo directory with a symlink to /etc. Then xargs will remove /etc/passwd.

Some workarounds:

- do not descend into subdirectories:

    find /var/lib/php5/. ! -name . -prune -type f -cmin +"$(/usr/lib/php5/maxlifetime)" -exec rm -f {} +

  (note the POSIX syntax instead of the non-standard GNU one)

- or use the non-standard find options -execdir or -delete:

    find /var/lib/php5/ -type f -cmin +"$(/usr/lib/php5/maxlifetime)" -delete

  or:

    find /var/lib/php5/ -type f -cmin +"$(/usr/lib/php5/maxlifetime)" -execdir rm -f {} \;

See info -n 'Security Considerations' -f find for details.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5-common depends on:
ii  libc6  2.11.2-13  Embedded GNU C Library: Shared lib
ii  sed    4.2.1-9    The GNU sed stream editor

Versions of packages php5-common recommends:
ii  php5-suhosin  0.9.32.1-1  advanced protection module for php

php5-common suggests no packages.
-- no debconf information
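The same fix expressed in Python, as an added example that is not from the report or the php5 package: every check and unlink is done relative to one open directory descriptor (the principle behind find's -execdir/-delete), and subdirectories are never entered (the -prune variant). The function name, the constructed directory layout in demo() and the injected `now` are assumptions for illustration.

```python
import os
import stat
import tempfile
import time


def prune_expired_sessions(session_dir, max_minutes, now=None):
    """Remove regular files directly inside session_dir whose ctime is older
    than max_minutes. Returns the names removed. All operations use dir_fd, so
    no path component can be re-pointed at /etc between the check and the rm."""
    now = time.time() if now is None else now
    cutoff = now - max_minutes * 60
    removed = []
    # O_NOFOLLOW: refuse to operate if session_dir itself became a symlink.
    dfd = os.open(session_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for name in os.listdir(dfd):
            # lstat relative to the pinned directory; symlinks are not followed.
            st = os.stat(name, dir_fd=dfd, follow_symlinks=False)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip subdirectories, symlinks, sockets, ...
            if st.st_ctime > cutoff:
                continue  # still within its lifetime
            # If the entry was swapped for a symlink meanwhile, unlink removes
            # only the link itself, never the target.
            os.unlink(name, dir_fd=dfd)
            removed.append(name)
    finally:
        os.close(dfd)
    return removed


def demo():
    """Constructed layout mirroring the report: two top-level session files,
    a foo/passwd file one level down, and a symlink 'bar' pointing outside."""
    root = tempfile.mkdtemp(prefix="php5-sessions-")
    outside = tempfile.mkdtemp(prefix="outside-")
    for rel in ("sess_a", "sess_b", "foo/passwd"):
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").close()
    open(os.path.join(outside, "passwd"), "w").close()
    os.symlink(outside, os.path.join(root, "bar"))
    fresh = prune_expired_sessions(root, 24)  # nothing is 24 minutes old yet
    # Pretend an hour has passed: only the top-level session files qualify.
    removed = prune_expired_sessions(root, 24, now=time.time() + 3600)
    left = sorted(os.listdir(root)) + sorted(os.listdir(outside))
    return {"fresh": fresh, "removed": sorted(removed), "left": left}
```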