Charles Fol, the security engineer that unearthed the Carpe Diem Apache HTTP Server bug (CVE-2019-0211), has released an exploit for it.
“This is between a POC and a proper exploit. I added tons of comments, it is meant to be educational as well,” he noted, but added that it “might fail for a dozen of reasons.”
Still, it might help attackers to create a more stable one and deploy it in attacks, so admins – and especially those administrating shared hosting environments – would do well to plug the hole if they haven’t already.
CVE-2019-0211 and several other vulnerabilities have been patched in Apache HTTP Server v2.4.39, which was released on April 1.
While it is “just” a privilege escalation vulnerability, it can be exploited to gain root access to the server by simply running a script.
As Mark Cox, one of the founders of the Apache Software Foundation, pointed out, it is “common to give unprivileged users the ability to write their own scripts (common in shared hosting, but also other environments) and this would allow them to get root.”
In shared environments, root access would allow attackers to access files shared by other users on the host environment.
In non-shared environments, the flaw still presents a threat as it could be concatenated with other flaws (e.g., a remote code execution bug) to achieve the same goal (root access).
CVE-2019-0211 affects only Apache HTTP Server on Unix systems. Debian, SuSE and Ubuntu have already provided package updates that plug the hole, and so has cPanel. Other affected distributions will likely follow suit very soon.