Shulou(Shulou.com)05/31 Report--

This article shows you how to carry out in-depth analysis of the Apache HTTP component lifting vulnerability exploitation process, the content is concise and easy to understand, absolutely can make your eyes bright, through the detailed introduction of this article, I hope you can get something.

Apache HTTP was found to have a local rights enhancement vulnerability (CVE-2019-0211). The author of the vulnerability immediately gave WriteUp and vulnerability EXP. Alpha Labs also conducted an in-depth analysis of EXP and shared the analyzed notes here in the hope that it will be helpful for everyone to understand the vulnerability. The following content is mainly explained step by step according to the implementation steps of EXP, and several difficult points in the process of utilization are explained in detail.

I. causes of loopholes

The code that led to the vulnerability has been introduced in the author's WriteUp, which is only briefly mentioned here, and most of the source code is omitted to reduce the reading burden.

In Apache's MPM prefork mode, the main server process is run with root privileges while managing a pool of low-privileged worker processes (worker) to process HTTP requests. The main process communicates with the worker through a shared memory (SHM).

1. When the Apache httpd server is gracefully restarted (graceful), the httpd main process kills the old worker and replaces them with the new worker, which calls the prefork_run () function to generate a new worker:

/ / server/mpm/prefork/prefork.cstatic int prefork_run (apr_pool_t * _ pconf, apr_pool_t * plog, server_rec * s) {/ * * / make_child (ap_server_conf, child_slot, ap_get_scoreboard_process (child_slot)-> bucket); / *. * /}

two。 Call make_child () in this function and use ap_get_scoreboard_process (child_slot)-> bucket as an argument. The make_child () function creates a new child process and reads the all_buckets array to my_bucket based on the bucket index:

/ / server/mpm/prefork/prefork.cstatic int make_child (server_rec * s, int slot, int bucket) {/ *... * / my_bucket = & all_ buckets [bucket]; / *... * / child_main (slot, bucket); / *. * /

3. Call child_main (), and if Apache listens on multiple ports, then the one in the SAFE_ACCEPT () macro will execute, where apr_proc_mutex_child_init () will execute:

/ / server/mpm/prefork/prefork.cstatic void child_main (int child_num_arg, int child_bucket) {/ *... * / status = SAFE_ACCEPT (& my_bucket- > mutex, apr_proc_mutex_lockfile (my_bucket- > mutex), pchild)) / *. /

4. The above function is further called (* mutex)-> meth- > child_init (mutex, pool, fname):

/ / apr-1.7.0//locks/unix/proc_mutex.cAPR_DECLARE (apr_status_t) apr_proc_mutex_child_init (apr_proc_mutex_t * * mutex, const char * fname, apr_pool_t * pool) {return (* mutex)-> meth- > child_init (mutex Pool, fname) }

The whole simplified process is as follows:

Prefork_run () make_child (bucket) my_bucket = & all_ buckets [bucket]; child_main (bucket) SAFE_ACCEPT (apr_proc_mutex_child_init) apr_proc_mutex_child_init (my_bucket- > mutex) mutex- > meth- > child_init (& my_bucket- > mutex) / / override the pointer to child_init () to point to the code

If we forge a prefork_child_bucket structure (that is, an element of the all_buckets array) in shared memory and modify the index bucket of the all_buckets array, the code on the third line can control the my_bucket to point to that structure.

Then execute my_bucket- > mutex- > meth- > child_init (mutex, pool, fname) in the subsequent code, and the meth structure contains pointers to multiple functions. Therefore, overwriting the pointer of the child_init function to the pointer of the function we want to execute can achieve the purpose of exploiting the vulnerability. At this time, the process is still in root permissions, and then lower its own permissions.

Second, vulnerability exploitation

The author divides the utilization process into four steps in his WriteUp, but the actual exp is a little more tedious and slightly different in order. The following is the process organized according to the exp execution steps, with some details added:

Use PHP to read the / proc/self/maps file of worker, and then locate the addresses of modules and functions needed to exploit some vulnerabilities.

Enumerate the / proc/*/cmdline and / proc/*/status files to get the PID of all worker processes

Take advantage of a UAF vulnerability in PHP to gain read / write access to SHM in the worker process

Traverse the memory of Apache and find the address of the all_buckets array according to the memory pattern matching

Because the location of the all_buckets will change after a graceful restart, it is necessary to calculate an "appropriate" bucket index to ensure that the all_ buckets still points to the fake prefork_child_bucket structure.

Constructing payload in SHM

Spray the remaining SHM area after payload, and make sure that after pointing to this area in step 5, all_ buckets can be transferred to payload.

Modify process_score- > bucket to the bucket calculated in step 5. In addition, in order to further improve the success rate, you can enumerate all the process_score structures in the SHM region, compare the process_score- > pid of each worker with the PID obtained in step 2, match the correct process_score structure, and modify the process_score- > bucket of each worker.

Waiting for Apache graceful restart to trigger vulnerability (automatically executed at 6:25 every morning, or manual restart of verification results)

The details are as follows:

2.1 Overview of exp

The get_all_addresses () and get_workers_pids () functions take several key memory addresses, respectively, and put the PID of worker into the global variables $addresses and $worker_pids for later use. It should be noted that if the addresses of shm and apache cannot be resolved when performing exp, it may be because the size of shm in your environment is not the same as the scope found in exp. You can check the maps file yourself, and then modify if ($msize > = 0x10000 & & $msize

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.