Bug 169615 - security hole in kernel/apache
security hole in kernel/apache
Status: CLOSED NOTABUG
Product: Fedora Legacy
Classification: Retired
Component: kernel (Show other bugs)
rhl7.3
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://isec.pl/vulnerabilities/isec-0...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-30 05:51 EDT by V
Modified: 2007-04-18 13:32 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-10-26 11:45:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description V 2005-09-30 05:51:08 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
Hello,

I run 7.3 rh with all updates form fedora legacy and my system was hacked with uselib24 exploit :/ I found 10 processes runing uselib24 with user apache.
So, it is kernel and apache hacked.

Version-Release number of selected component (if applicable):
2.4.20-43.7.legacy

How reproducible:
Always

Steps to Reproduce:
use rh7.3 :(

Expected Results:  this should be fixed.

Additional info:
Comment 1 David Eisenstein 2005-10-26 04:58:57 EDT
Hello V,

Sorry it has taken awhile to respond to your bug report.

It may very well be that the processes you see running a program called 
"uselib24" under user apache are caused by an exploit to buggy PHP or Perl 
scripts on your website.  For example, see the following URL, that shows
how a server had programs called "uselib24" running as user apache, due to 
PHPBB2 exploits and/or buggy perl scripts:

<http://www.artoo.net/forum/viewtopic.php?p=828&sid=7bd81e80d1be78d0e46a7cd7212707cf>

In the example at artoo.net, the fact that those programs are running has
less to do with the kernel, and more to do with the buggy scripts which are
allowing external people to download and run programs as user apache.  I 
suspect you have been bitten by buggy PHP or PERL scripts like artoo.net was.
I'd look in your webserver logs for tell-tale examples like artoo.net.

You apparently are running version 2.4.20-43.7.legacy of the Linux kernel.
Neither this version, nor the prior version 2.4.20-42.7.legacy, should be
susceptible to being rooted via any uselib() exploits which affect earlier
versions of the Linux kernel. [1]

You should be protected from "uselib24" processes actually getting root
access, if indeed they are attempting to use a uselib() exploit.  That's
the best we can do with kernel updates.

Marc, Jesse, I would recommend closing this ticket NOTABUG.  

V, if you feel that this is clearly a kernel bug, you are welcome to
reopen it.

=====
[1]  Here's a URL to the advisory that fixes root privilege escalation from
     uselib() exploits, CAN-2004-1235:
<http://www.redhat.com/archives/fedora-legacy-announce/2005-February/msg00016.html>.

Note You need to log in before you can comment on or make changes to this bug.