SecurityTracker.com

SecurityTracker Archives

Category:   Application (Generic)  >   mod_gzip
Vendors:   Remote Communications, Inc.
'mod_gzip' Has Various Holes in Debug Mode That Let Remote Users Execute Arbitrary Code and May Yield Root Privileges to Local Users
SecurityTracker Alert ID:  1006896
SecurityTracker URL:  http://securitytracker.com/id/1006896
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 2 2003
Impact:   Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via local system, User access via network
Exploit Included:  Yes  
Version(s): 1.3.26.1a and prior
Description:   Several vulnerabilities were reported in mod_gzip in the module's debugging routines. A remote user may be able to execute arbitrary code. A local user may be able to gain root privileges on the system.

Matthew Murphy reported that these flaws can only be exploited when the module is compiled in debug mode.

It is reported that a remote user can request a long file name that the module handles, overflowing the fixed-size buffer used by the debug logging routine. It may be possible to execute arbitrary code. A demonstration exploit is provided:

GET [overflow] HTTP/1.1
Host: www.apachesite.com
Accept-Encoding: gzip, deflate

It is also reported that, when the module writes to the Apache log, a remote user can submit a specially crafted HTTP GET request whose contents are passed to the logging routine as a format string. A remote user may be able to execute arbitrary code. Some demonstration exploit examples are provided:

GET /cgi-bin/printenv.pl?x=%25n%25n%25n%25n%25n HTTP/1.1
Host: www.apachesite.com
Accept-Encoding: gzip, deflate

or

GET /cgi-bin/printenv.pl?x=%n%n%n%n%n HTTP/1.1
Host: www.apachesite.com
Accept-Encoding: gzip, deflate
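The two defects described above (an unbounded copy into a 2048-byte debug buffer, and request data reaching a printf-style logger as the format) have the same hardened shape: bound the write with snprintf, and pass user data only as an argument to a fixed "%s" format. The following is an added example, not mod_gzip's code and not from the advisory; the function names (debug_format_uri, url_decode, log_line, decoded_log_line) and the sample requests are constructed for illustration. The percent-decoder also shows why the report lists both the "%25n" and the "%n" form of the request: after one decoding pass they deliver identical bytes.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size the advisory gives for mod_gzip's debug line buffer. */
#define DEBUG_LINE_BUF 2048

/* Bounded debug-line formatter (hypothetical, not mod_gzip's code).
 * The flaw described above is the unbounded form of this call,
 * sprintf(buf, "...%s", uri), which writes past the 2048-byte stack
 * buffer once the request line is long enough; snprintf truncates.
 * Returns 1 when the line was truncated, 0 otherwise, -1 on error. */
int debug_format_uri(char *buf, size_t bufsz, const char *uri)
{
    int n = snprintf(buf, bufsz, "mod_gzip: handling request for %s", uri);
    if (n < 0) { buf[0] = '\0'; return -1; }
    return (size_t)n >= bufsz;
}

/* Builds a constructed URI of uri_len 'A' bytes (the "[overflow]" in the
 * request above), formats it into a DEBUG_LINE_BUF-byte buffer and returns
 * the resulting line length, which never exceeds DEBUG_LINE_BUF - 1. */
size_t formatted_length_for_uri(size_t uri_len)
{
    char *uri = malloc(uri_len + 1);
    char buf[DEBUG_LINE_BUF];
    if (uri == NULL) return 0;
    memset(uri, 'A', uri_len);
    uri[uri_len] = '\0';
    debug_format_uri(buf, sizeof buf, uri);
    free(uri);
    return strlen(buf);
}

/* Percent-decode src into dst (dstsz bytes), returning the decoded length.
 * After one pass "%25n" becomes "%n", so the two requests in the report
 * hand the same bytes to whatever formats the log line. */
size_t url_decode(char *dst, size_t dstsz, const char *src)
{
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0' && o + 1 < dstsz; i++) {
        if (src[i] == '%' && isxdigit((unsigned char)src[i + 1])
                          && isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
    return o;
}

/* Logger with a printf-style interface, standing in for the Apache logging
 * call the module uses: whatever arrives as fmt is interpreted. */
static int log_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened use: the decoded query is an argument to a fixed "%s" format,
 * never the format itself, so "%n" in it is logged as two plain characters.
 * The vulnerable shape is log_line(out, outsz, query) with no fixed format.
 * Returns a static buffer holding the line that would reach the log. */
const char *decoded_log_line(const char *raw_query)
{
    static char line[DEBUG_LINE_BUF];
    char query[DEBUG_LINE_BUF];
    url_decode(query, sizeof query, raw_query);
    log_line(line, sizeof line, "query=%s", query);
    return line;
}

int main(void)
{
    printf("line length for a 2500-byte URI: %zu\n", formatted_length_for_uri(2500));
    printf("%s\n", decoded_log_line("x=%25n%25n%25n%25n%25n"));
    return 0;
}
```

With a 2500-byte URI the bounded formatter yields a 2047-character line instead of a crash, and both request variants from the report end up in the log as the literal text "query=x=%n%n%n%n%n".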

It is also reported that, when Apache logging is not used, the software uses unsafe temporary log files based on the process id (e.g., 't<PID>.log'). A local user can create a symbolic link from the temporary file name to a critical file on the system. Then, when mod_gzip is executed, the linked file will be overwritten. According to the report, mod_gzip logs some debug events with root privileges. A local user can potentially exploit this to gain root privileges on the system.
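The temporary-file problem above is that a predictable name such as /tmp/t760.log is opened for writing without checking whether something already sits at that path. The following is an added example, not mod_gzip's code and not from the advisory; the names open_log_nofollow, open_log_mkstemp and demo_symlink_is_refused, and the scratch directory it creates, are constructed for illustration. It plants a symbolic link named t760.log (the PID 760 example from the report) at a private location, shows that an open with O_CREAT|O_EXCL|O_NOFOLLOW refuses it and leaves the linked file untouched, and contrasts that with mkstemp, which removes the predictable name altogether.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened open for a debug log at a predictable path (hypothetical, not
 * mod_gzip's code). O_EXCL refuses a path that already exists and
 * O_NOFOLLOW refuses a symbolic link, so a link planted at t<PID>.log
 * cannot redirect the write. Returns an fd, or -1 with errno EEXIST/ELOOP. */
int open_log_nofollow(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred alternative: let the system pick an unguessable name.
 * The template must end in "XXXXXX" and is rewritten in place. */
int open_log_mkstemp(char *template)
{
    return mkstemp(template);
}

/* Self-contained check in a private scratch directory:
 *   1. write a "critical" file with known content,
 *   2. plant a symlink named t760.log pointing at it,
 *   3. open the log path with the hardened call and confirm it fails,
 *   4. confirm the file still holds its content, and that mkstemp works.
 * Returns 0 on success, or a positive code naming the step that failed. */
int demo_symlink_is_refused(void)
{
    char dir[256] = "/tmp/modgzip-demo-XXXXXX";
    char target[300], linkpath[300], tmpl[300], readback[64] = {0};
    int fd, rc = 0;
    FILE *f;

    if (mkdtemp(dir) == NULL) {               /* fall back to the cwd */
        strcpy(dir, "./modgzip-demo-XXXXXX");
        if (mkdtemp(dir) == NULL) return 1;
    }
    snprintf(target, sizeof target, "%s/critical", dir);
    snprintf(linkpath, sizeof linkpath, "%s/t760.log", dir);
    snprintf(tmpl, sizeof tmpl, "%s/gzip-log-XXXXXX", dir);

    f = fopen(target, "w");
    if (f == NULL) return 2;
    fputs("original content\n", f);
    fclose(f);

    if (symlink(target, linkpath) != 0) return 3;

    /* Step 3: the path exists and is a symlink, so the open must fail. */
    fd = open_log_nofollow(linkpath);
    if (fd != -1) { close(fd); rc = 4; }
    else if (errno != EEXIST && errno != ELOOP) rc = 5;

    /* Step 4a: the linked file must be untouched. */
    f = fopen(target, "r");
    if (f == NULL) rc = 6;
    else {
        if (fgets(readback, sizeof readback, f) == NULL ||
            strcmp(readback, "original content\n") != 0) rc = 7;
        fclose(f);
    }

    /* Step 4b: the mkstemp path opens, and its name is not PID-derived. */
    fd = open_log_mkstemp(tmpl);
    if (fd == -1) rc = 8;
    else { close(fd); unlink(tmpl); }

    unlink(linkpath);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_symlink_is_refused();
    printf("symlink refused, target intact: %s (rc=%d)\n", rc == 0 ? "yes" : "no", rc);
    return rc;
}
```

On Linux the refused open reports EEXIST (O_EXCL sees the link as an existing entry) or ELOOP (O_NOFOLLOW sees a symlink); the check accepts either. Note that O_EXCL|O_NOFOLLOW only protects the open itself: a module that must log from a privileged context is still better served by a log directory it owns than by /tmp.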

Impact:   A remote user may be able to execute arbitrary code with the privileges of the web server.

A local user may be able to overwrite files to gain elevated privileges, potentially including root privileges on the system.

Solution:   No solution was available at the time of this entry.

According to the report, mod_gzip is not currently supported by the vendor, but the vendor plans to address these issues in the next product version when work on the project is continued.

Vendor URL:  www.schroepl.net/projekte/mod_gzip/
Cause:   Access control error, Boundary error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 7 2003 (Unofficial Patch is Available) Re: 'mod_gzip' Has Various Holes in Debug Mode That Let Remote Users Execute Arbitrary Code and May Yield Root Privileges to Local Users
An unofficial patch is available from Zone-H.



 Source Message Contents

Subject:  [Full-Disclosure] Mod_gzip Debug Mode Vulnerabilities


Multiple Vulnerabilities in mod_gzip Debugging Routines

I. Synopsis

Affected Systems: mod_gzip 1.3.26.1a and prior
Risk:
    * Development: High
    * Production: Minimal
Developer URL: http://www.sourceforge.net/projects/mod-gzip
Status: Vendor is not supporting project at this time.

II. Product Description

"mod_gzip is an Internet Content Acceleration module for the popular Apache
Web Server. It compresses the contents delivered to the client. There is no
need to install any additional software on the client!"

(Quote from developer page)

III. Vulnerability Description

The mod_gzip_printf() procedure has three vulnerabilities that are
exploitable only when the module is compiled in its debug mode.  The
vulnerabilities are listed in order of severity:

* Stack overflow vulnerability

The log line is superfluously formatted into a 2048 byte buffer before being
passed off to Apache and/or file.  By requesting a long file name that the
GZIP module handles, such as:

GET [overflow] HTTP/1.1
Host: www.apachesite.com
Accept-Encoding: gzip, deflate

The httpd child handling your request will segfault.  Consistent crashing
can be seen with a buffer of about 2500 characters.  If the saved return
address is overwritten, code execution becomes trivial.

* Format string vulnerability

Exploitable only when using the Apache log, this vulnerability allows for a
remote user to submit a specially-crafted HTTP request that causes the child
to segfault:

GET /cgi-bin/printenv.pl?x=%25n%25n%25n%25n%25n HTTP/1.1
Host: www.apachesite.com
Accept-Encoding: gzip, deflate

OR

GET /cgi-bin/printenv.pl?x=%n%n%n%n%n HTTP/1.1
Host: www.apachesite.com
Accept-Encoding: gzip, deflate

* Race condition (/tmp)

mod_gzip insecurely logs debugging information when the Apache log is not
used.  It generates a predictably-named log file and fails to check it for
unique naming.  The log file naming is as follows:

t<PID>.log

An attacker who knew or guessed the PID of the httpd child servicing the
request could overwrite arbitrary files as the superuser.  At some instances
during mod_gzip's initialization, it logs debug events as root.  A
well-placed series of symbolic links could cause arbitrary files to be
overwritten.  For example, linking /tmp/t760.log to /bin/ls would overwrite
/bin/ls if mod_gzip logged an event from a process with ID 760.

A similar possibility exists on NTFS file systems on Win32 via NTFS hard
links, but the default "Strengthen default permissions of internal system
objects" policy prevents this.

IV. Impact

The impact of these issues on production sites should be minimal.  Users
running internet-accessible sites should immediately switch from the debug
build to the release build of the module.

V. Vendor Response

After communicating with Christian Kruse and Michael Schroepl, I was told
that the developers weren't currently working on the project, and that the
issues I had raised would be addressed with the next version.  As these
issues have only a minor impact on most production sites, I decided to
release this advisory to inform those still running the debug build to make
the change to release for the security and stability of their sites.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Copyright 2021, SecurityGlobal.net LLC