Apache HTTP Server 本地提权漏洞(CVE-2019-0211)深度分析与利用教学<\/h1>

漏洞概述<\/h2>
CVE-2019-0211是Apache HTTP Server中的一个本地提权漏洞，影响版本从2.4.17(2015年10月9日发布)到2.4.38(2019年4月1日发布)。该漏洞允许低权限用户(如www-data)提升至root权限，主要通过数组越界访问导致的任意函数调用实现。<\/p>

漏洞背景<\/h2>

受影响的模块<\/h3>

mod_prefork<\/li>
mod_worker<\/li>

mod_event<\/li> <\/ul>

触发条件<\/h3>
当Apache正常重新启动(`apache2ctl graceful<\/code>)时触发漏洞。在标准Linux配置中，logrotate程序每天6:25会自动运行重启命令来重置日志文件句柄。<\/p>`

技术细节分析<\/h2>
Apache MPM prefork架构<\/h3>

主服务器进程以root权限运行<\/li>
管理单线程、低权限(www-data)的工作进程池<\/li>
使用共享内存区域(SHM)即scoreboard来存储worker信息<\/li>
<\/ul>
关键数据结构<\/h3>

共享内存结构(scoreboard)<\/strong>:<\/li>
<\/ol>
struct<\/span> process_score {
<\/span><\/span>    pid_t pid;
<\/span><\/span>    ap_generation_t generation;
<\/span><\/span>    char<\/span> quiescing;
<\/span><\/span>    char<\/span> not_accepting;
<\/span><\/span>    apr_uint32_t connections;
<\/span><\/span>    apr_uint32_t write_completion;
<\/span><\/span>    apr_uint32_t lingering_close;
<\/span><\/span>    apr_uint32_t keep_alive;
<\/span><\/span>    apr_uint32_t suspended;
<\/span><\/span>    int<\/span> bucket;  \/\/ 关键字段 - 用于all_buckets数组索引
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>
prefork_child_bucket结构<\/strong>:<\/li>
<\/ol>
struct<\/span> prefork_child_bucket {
<\/span><\/span>    ap_pod_t *<\/span>pod;
<\/span><\/span>    ap_listen_rec *<\/span>listeners;
<\/span><\/span>    apr_proc_mutex_t *<\/span>mutex;  \/\/ 关键指针
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>
apr_proc_mutex_t结构<\/strong>:<\/li>
<\/ol>
struct<\/span> apr_proc_mutex_t {
<\/span><\/span>    apr_pool_t *<\/span>pool;
<\/span><\/span>    const<\/span> apr_proc_mutex_unix_lock_methods_t *<\/span>meth;  \/\/ 关键函数表指针
<\/span><\/span><\/span><\/span>    int<\/span> curr_locked;
<\/span><\/span>    char<\/span> *<\/span>fname;
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>
函数表结构<\/strong>:<\/li>
<\/ol>
struct<\/span> apr_proc_mutex_unix_lock_methods_t {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    apr_status_t (*<\/span>child_init)(apr_proc_mutex_t **<\/span>, apr_pool_t *<\/span>, const<\/span> char<\/span> *<\/span>);  \/\/ 目标函数指针
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>漏洞原理<\/h3>

恶意worker可以修改共享内存中的bucket索引，使其指向攻击者控制的结构<\/li>
当Apache优雅重启时，主进程会：

杀死原有worker<\/li>
使用被篡改的bucket索引访问all_buckets数组<\/li>
调用mutex->meth->child_init()<\/code>函数<\/li>
<\/ul>
<\/li>
由于没有边界检查，攻击者可控制该函数调用链，最终以root权限执行任意代码<\/li>
<\/ol>
漏洞利用步骤<\/h2>
1. 获取worker进程的R\/W访问权限<\/h3>
使用PHP UAF漏洞(CVE-2019-6977或其他0day)来读写内存：<\/p>
class<\/span> X<\/span> extends<\/span> DateInterval<\/span> implements<\/span> JsonSerializable<\/span> {
<\/span><\/span>  public<\/span> function<\/span> jsonSerialize<\/span>() {
<\/span><\/span>    global<\/span> $y, $p;
<\/span><\/span>    unset<\/span>($y[0<\/span>]);
<\/span><\/span>    $p =<\/span> $this-><\/span>y<\/span>;
<\/span><\/span>    return<\/span> $this;
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> get_aslr<\/span>() {
<\/span><\/span>  global<\/span> $p, $y;
<\/span><\/span>  $p =<\/span> 0<\/span>;
<\/span><\/span>  $y =<\/span> [new<\/span> X<\/span>('PT1S'<\/span>)];
<\/span><\/span>  json_encode<\/span>([1234<\/span> =><\/span> &<\/span>$y]);
<\/span><\/span>  return<\/span> $p;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 定位关键内存区域<\/h3>

共享内存区域<\/strong>：通过\/proc\/self\/maps<\/code>查找rw-s区域<\/li>
all_buckets数组<\/strong>：通过匹配已知结构在内存中搜索<\/li>
PHP堆布局<\/strong>：利用zend_string结构扩展读写范围<\/li>
<\/ul>
3. 构造恶意结构<\/h3>
在共享内存中构造以下链式结构：<\/p>

伪造的prefork_child_bucket<\/code>结构<\/li>
指向伪造的apr_proc_mutex_t<\/code>结构<\/li>
伪造的apr_proc_mutex_unix_lock_methods_t<\/code>函数表<\/li>
将child_init<\/code>指针指向目标函数(zend_object_std_dtor)<\/li>
<\/ol>
4. 喷射共享内存<\/h3>
由于all_buckets地址在重启后会变化，需要在SHM中广泛布置恶意结构：<\/p>

利用多个worker的process_score结构<\/li>
为每个worker设置不同的bucket索引，覆盖更多可能的内存区域<\/li>
<\/ul>
5. 等待触发<\/h3>

等待logrotate在6:25触发优雅重启<\/li>
重启过程中漏洞自动触发，执行恶意代码<\/li>
<\/ul>
利用成功率提升技巧<\/h2>

增加worker数量<\/strong>：更多worker意味着更高的成功率<\/li>
广泛的内存喷射<\/strong>：覆盖更多可能的内存地址<\/li>
多次尝试<\/strong>：失败后可等待下次重启自动重试<\/li>
结构重叠<\/strong>：将zend_object和apr_proc_mutex_t结构重叠布置<\/li>
<\/ol>
漏洞时间线<\/h2>

2019-02-22：漏洞发现并报告<\/li>
2019-02-25：Apache确认漏洞<\/li>
2019-03-07：补丁开发完成<\/li>
2019-04-01：Apache 2.4.39发布，修复漏洞<\/li>
<\/ul>
防御措施<\/h2>

升级到Apache HTTP Server 2.4.39或更高版本<\/li>
限制PHP模块的功能<\/li>
使用权限分离，将worker进程以非特权用户运行<\/li>
监控共享内存的异常修改<\/li>
<\/ol>
教学总结<\/h2>
CVE-2019-0211是一个典型的条件竞争漏洞，结合了：<\/p>

共享内存操作缺乏边界检查<\/li>
权限管理不当<\/li>
优雅重启机制的设计缺陷<\/li>
<\/ol>
通过精心构造的内存布局和利用PHP的UAF漏洞，攻击者可以实现可靠的本地提权。这个案例展示了现代服务器软件中复杂漏洞的利用方式，强调了安全开发中边界检查和权限控制的重要性。<\/p>

Apache HTTP Server 本地提权漏洞(CVE-2019-0211)深度分析与利用教学<\/h1>

漏洞背景<\/h2>

触发条件<\/h3> 当Apache正常重新启动(apache2ctl graceful<\/code>)时触发漏洞。在标准Linux配置中，logrotate程序每天6:25会自动运行重启命令来重置日志文件句柄。<\/p>

漏洞利用步骤<\/h2>

触发条件<\/h3>
当Apache正常重新启动(`apache2ctl graceful<\/code>)时触发漏洞。在标准Linux配置中，logrotate程序每天6:25会自动运行重启命令来重置日志文件句柄。<\/p>`