Apache Web Server Bug Grants Root Access On Shared Hosting Environments (zdnet.com)
An anonymous reader quotes a report from ZDNet: This week, the Apache Software Foundation has patched a severe vulnerability in the Apache (httpd) web server project that could --under certain circumstances-- allow rogue server scripts to execute code with root privileges and take over the underlying server. The vulnerability, tracked as CVE-2019-0211, affects Apache web server releases for Unix systems only, from 2.4.17 to 2.4.38, and was fixed this week with the release of version 2.4.39. According to the Apache team, less-privileged Apache child processes (such as CGI scripts) can execute malicious code with the privileges of the parent process. Because on most Unix systems Apache httpd runs under the root user, any threat actor who has planted a malicious CGI script on an Apache server can use CVE-2019-0211 to take over the underlying system running the Apache httpd process, and inherently control the entire machine.
"First of all, it is a LOCAL vulnerability, which means you need to have some kind of access to the server," Charles Fol, the security researcher who discovered this vulnerability told ZDNet in an interview yesterday. This means that attackers either have to register accounts with shared hosting providers or compromise existing accounts. Once this happens, the attacker only needs to upload a malicious CGI script through their rented/compromised server's control panel to take control of the hosting provider's server to plant malware or steal data from other customers who have data stored on the same machine. "The web hoster has total access to the server through the 'root' account. If one of the users successfully exploits the vulnerability I reported, he/she will get full access to the server, just like the web hoster," Fol said. "This implies read/write/delete any file/database of the other clients."
"First of all, it is a LOCAL vulnerability, which means you need to have some kind of access to the server," Charles Fol, the security researcher who discovered this vulnerability told ZDNet in an interview yesterday. This means that attackers either have to register accounts with shared hosting providers or compromise existing accounts. Once this happens, the attacker only needs to upload a malicious CGI script through their rented/compromised server's control panel to take control of the hosting provider's server to plant malware or steal data from other customers who have data stored on the same machine. "The web hoster has total access to the server through the 'root' account. If one of the users successfully exploits the vulnerability I reported, he/she will get full access to the server, just like the web hoster," Fol said. "This implies read/write/delete any file/database of the other clients."
Yeah, my DAMN balls
They want their technology stack back...
Phew, good thing this is only a problem on shared hosting environments. ðY'
Well, on Ubuntu and derivatives, Apache does not run as root. It runs as the user www-data.
So this applies to some Unix/Linux systems, not "most".
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
You fucked it up again.
Not everyone is using nginx nowadays?
Slashdot, fix the reply notifications... You won't get away with it...
I've never seen apache running as root.
I guess working at data center for the last decade doesn't make me any kind of expert or anything though.
Anybody running Apache these days is running Apache as its own user ("www" or "apache" depending upon your flavor of Unix). So this really is not an issue with 99% of most web servers. If you're running Apache as root, you're an idiot.
Since anyone can modify source code of open source software, is it really hard to guess that, all commonly used open source software, must be full of intentionally created SUPERBUGS, to be used as secret backdoors???
> Does anyone run Unix these days?
Yes, Mac is Unix. Not Unix-like, but actual UNIX (tm).
BSD (Berkeley Standard Distribution) used to be called Berkeley UNIX. It *was* UNIX, and the Unix hasn't been entirely removed. Some of the original Unix code was oown source and FreeBSD was built with that open source portion of Unix at it's core. Since then, UNIX and the BSDs have evolved separately, of course.
Solaris is real UNIX.
So yeah, all those MacBooks are running UNIX. It's pretty handy to have a UNIX that is approved and supported by corporate IT departments.
Well, on Ubuntu and derivatives, Apache does not run as root. It runs as the user www-data.
So this applies to some Unix/Linux systems, not "most".
You started too far down the tree. Debian also uses www-data
The Mac OS *kernel* comes from AT&T via DEC and others. Anyway, thirty years ago, AT&T sold the Unix name, and 25 years ago it was transferred to the Open Group, so it's been 30 years since Unix and and AT&T parted ways, 25 years since the Unix name went open. The reason I say "the Unix name" is because when the name was originally sold and locked down, there were several different Unix operating systems. At least three, which were all Unix, all derived from the same code. One group kept the name, the Open Group via AT&T and Novell.
In other words, it's kinda like asking "is Sierra actually Mac? I didn't know know Wozniak wrote it." Yes, new programmers can work on some software and it's still real. There have been 30 years of programmers between AT&T and modern Unix. It's still Unix.
There is a 3,700 page set of detailed specifications called the Single Unix Specification. A Unix system is defined as an operating system which is certified to meet all of those specs. The spec includes things like a Bourne-shell derived /bin/sh called the POSIX shell, ncurses, and 1,123 kernel and library functions.
Note the Unix spec describes (in detail) what a Unix *operating system* is, how it behaves and what it provides. Less than half of the spec deals with the *kernel*. The specs say the operating system must provide all of these different functions, which must work exactly as described. It does not specify *who* must write the functions. That's been true for 25 years. The pedigree of the kernel does not matter at all in terms of whether it's Unix. If you and I wrote an exact copy of Solaris Unix, so we ended up with the same operating system, that would be a Unix, if we got it certified showing we made a faithful copy - we met all specs correctly.
As far as the pedigree of the *kernel* goes, back in the AT&T days, AT&T licensed DEC, Microsoft, and others to create Unix systems. There were three major Unix systems. OSF/1 was one of those, BSD was another. OSF/1 (Open Software Foundation 1) used a modified version of a kernel built, for Unix systems, based on BSD Unix code, called mach. Years later, more code from BSD, mach, and other sources in the NeXTSTEP operating system. When Apple bought Next, they replaced much of the kernel code from NextSTEP with code from a different, more direct, descendant of OSF, which had been renamed OSFMFK, then modified it extensively to create XNU.
So yes there is some mach code in XNU. Mach was largely a reworking of kernel code from the Berkeley UNIX tapes. All of these kernels were designed for, and used in, Unix systems.
A list of Unix (tm) operating systems can be found here:
https://www.opengroup.org/open...
Less than half of the spec deals with the *kernel*
Technically speaking, the SUSv3, which OSX on Intel procs conforms to, doesn't specify kernel functionality at all. It does specify "system interfaces", but they can be handled by an entirely user-space libc layer.
This is why Linux kernel based operating systems have been SUSv3 certified as well.
... as our apache instances are much much older than the affected versions. Phew! :')
Yeah I started to say "system interfaces, which can be provided by the kernel or libraries", but that paragraph was long enough already.
It would be rather difficult to make a Unix system using a kernel that wasn't designed to be at least Unix-like, though. You'd probably end up with either emulation or at least something like Wine, it would be non-native. The Linux kernel and the typical Unix system is designed to be like Unix, and therefore it's easy enough to make a Linux system comply.
Yet another HILARIOUS failure of the open sores development model. And STILL the libtards on slashdot will tell us that its better than closed source, despite all the FACTS and EVIDENCE that goes aganst there religious belief.
As I was drifting off to sleep I wrote:
> Not emulated, we know what Cygwin stands for.
As I was writing "Cygwin", half my brain was apparently thinking "Wine". *Wine* is not an an emulator. Lol.