LiteSpeed Web Server – Privilege Escalation Vulnerability (R911-0084)

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: LiteSpeed Web Server
Website: http://www.litespeedtech.com
Vulnerable Version: 4.2.4
Fixed Version: 4.2.5
CVE:
R911: 0084
Date: 2013-10-31
By: Rack911

Product Description:

LiteSpeed Web Server (LSWS) is a high-performance Apache drop-in replacement. LSWS is the 4th most popular web server on the internet and the #1 commercial web server. Upgrading your web server to LiteSpeed Web Server will improve your performance and lower operating costs.

Vulnerability Description:

LiteSpeed Web Server stores its Process ID information under /tmp, which makes a local privilege escalation possible. When the web server is configured to run PHP without suEXEC, an attacker is able to write to the /tmp/lshttpd directory and use a carefully crafted exploit to obtain root access.
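
A defensive check for the condition described above, as an added example that is not part of the Rack911 advisory or LiteSpeed's code: it audits a PID directory such as /tmp/lshttpd for ownership, write bits and symbolic links. The helper names audit_state_dir and check are hypothetical, and the three criteria are assumptions about what a safe state directory looks like, not a description of the 4.2.5 fix.

```shell
#!/bin/sh
# Added example, not from the advisory or the vendor. audit_state_dir DIR [OWNER]
# is a hypothetical helper. Assumption: a directory holding PID data for a
# root-run daemon should be owned by OWNER (default root), carry no group/other
# write bits and hold no symlinks. Returns 0 if clean or absent, 1 if flagged.
audit_state_dir() {
    dir=$1
    owner=${2:-root}
    findings=0

    if [ -L "$dir" ]; then
        echo "FINDING: $dir is itself a symbolic link"; return 1
    elif [ ! -e "$dir" ]; then
        echo "OK: $dir does not exist"; return 0
    elif [ ! -d "$dir" ]; then
        echo "FINDING: $dir exists but is not a directory"; return 1
    fi

    # The directory and everything below it must belong to the trusted owner.
    check "not owned by $owner" ! -user "$owner"
    # Group/other write access lets unprivileged code plant files (symlink modes are ignored).
    check "group- or world-writable" ! -type l \( -perm -0020 -o -perm -0002 \)
    # A symlink here can redirect a privileged read or write elsewhere.
    check "symbolic link" -type l

    if [ "$findings" -eq 0 ]; then
        echo "OK: $dir passed all checks"; return 0
    fi
    return 1
}

# check LABEL FIND-EXPRESSION...: print each match under $dir, count the category.
check() {
    label=$1; shift
    if ! hits=$(find "$dir" "$@" 2>&1); then
        echo "FINDING: could not fully inspect $dir: $hits"
        findings=$((findings + 1))
    elif [ -n "$hits" ]; then
        printf '%s\n' "$hits" | while IFS= read -r entry; do
            echo "FINDING: $label: $entry"
        done
        findings=$((findings + 1))
    fi
}

# Runs only when a path is given, e.g.: sh audit.sh /tmp/lshttpd root
if [ "$#" -gt 0 ]; then
    audit_state_dir "$@"
fi
```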

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We rate this vulnerability as CRITICAL because root access can be obtained.

Vulnerable Version:

This vulnerability was tested against LiteSpeed Web Server v4.2.4 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in LiteSpeed Web Server v4.2.5.

Vendor Contact Timeline:

2013-10-14: Vendor contacted via email.
2013-10-14: Vendor confirms vulnerability.
2013-10-30: Vendor issues update.
2013-10-31: Rack911 issues security advisory.