Local root rights through vulnerability in Debian's Apache
On the Full Disclosure mailing list, user Richard Thrippleton has reported a somewhat unusual vulnerability in the Debian system through which a user can obtain root rights. According to the flaw report, the Apache web server on Debian does not relinquish the terminal or the shell from which it was launched; Apache becomes the standard point of input for the shell.
If Apache is started manually from a root shell and the shell is not closed afterwards, a non-privileged user can later use special CGI scripts to send strings of their own back to the terminal and have them executed there.
The bug was found in Apache version 1.3.34-4 as used in Debian. Other distributions and the original Apache do not contain it. Although the problem has been the subject of discussion in the official Debian Bug Report logs, no official patch is yet available. In his posting, Mr. Thrippleton also complains about the developers' apparent lack of interest in removing the problem. "It is believed that most of the developers are tied up in more urgent work" such as, Mr. Thrippleton sarcastically remarks, porting Debian to the old pocket calculator TI-86.
Until there is a patch, the only thing to do is to close the shell after starting or restarting Apache.
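An administrator can check whether a running Apache is still attached to the terminal it was started from. The following is an added example, not code from the flaw report or from Debian; it assumes a Linux `/proc` filesystem, that a retained terminal shows up as a non-zero `tty_nr` field in `/proc/<pid>/stat`, and that the server processes are named `apache` or `httpd`. The sample lines are constructed.

```python
import os

def parse_stat(stat_line):
    """Return (pid, comm, tty_nr) from the text of /proc/<pid>/stat."""
    # comm is wrapped in parentheses and may itself contain spaces or ')',
    # so locate it by the first '(' and the LAST ')' instead of splitting.
    lpar, rpar = stat_line.index("("), stat_line.rindex(")")
    rest = stat_line[rpar + 1:].split()
    # rest: [0]=state [1]=ppid [2]=pgrp [3]=session [4]=tty_nr
    return int(stat_line[:lpar]), stat_line[lpar + 1:rpar], int(rest[4])

def describe_tty(tty_nr):
    """Decode tty_nr; None means the process has no controlling terminal."""
    if tty_nr == 0:
        return None
    major = (tty_nr >> 8) & 0xFFF
    minor = (tty_nr & 0xFF) | ((tty_nr >> 12) & 0xFFF00)
    return "pts/%d" % minor if major == 136 else "char %d:%d" % (major, minor)

def daemons_with_tty(stat_lines, names=("apache", "httpd")):
    """List (pid, comm, tty) for named daemons that still hold a terminal."""
    hits = []
    for line in stat_lines:
        pid, comm, tty_nr = parse_stat(line)
        tty = describe_tty(tty_nr)
        if comm in names and tty is not None:
            hits.append((pid, comm, tty))
    return hits

def read_proc_stats(proc="/proc"):
    """Yield the stat text of every process currently listed in /proc."""
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                with open(os.path.join(proc, entry, "stat")) as f:
                    yield f.read()
            except OSError:
                continue  # process exited while we were scanning

# Constructed sample: Apache started from a root shell on pts/0 (2101, 2102),
# a correctly detached Apache (3300), the shell itself, and an awkward name.
SAMPLE = [
    "2101 (apache) S 1 2101 2050 34816 2101 4194560 0 0",
    "2102 (apache) S 2101 2101 2050 34816 2101 4194560 0 0",
    "3300 (apache) S 1 3300 3300 0 -1 4194560 0 0",
    "2050 (bash) S 2049 2050 2050 34816 2101 4194304 0 0",
    "4100 (my (odd) prog) S 1 4100 4100 0 -1 4194560 0 0",
]

if __name__ == "__main__":
    for pid, comm, tty in daemons_with_tty(read_proc_stats()):
        print("pid %d (%s) still holds terminal %s" % (pid, comm, tty))
```

Any hit means the server should be restarted from a session that is then closed, as the workaround above describes.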
- Local user to root escalation in apache 1.3.34 (Debian only), flaw report by Richard Thrippleton