[Full-Disclosure] Mod_gzip Debug Mode Vulnerabilities

From: Matthew Murphy (mattmurphy_at_kc.rr.com)
Date: 06/01/03

    To: "SecurITeam News" <news@securiteam.com>, "BugTraq" <bugtraq@securityfocus.com>, "Full Disclosure" <full-disclosure@lists.netsys.com>, "VulnWatch" <vulnwatch@vulnwatch.org>
    Date: Sun, 1 Jun 2003 15:10:13 -0500

    Multiple Vulnerabilities in mod_gzip Debugging Routines

    I. Synopsis

    Affected Systems: mod_gzip and prior
        * Development: High
        * Production: Minimal
    Developer URL: http://www.sourceforge.net/projects/mod-gzip
    Status: The vendor is not supporting the project at this time.

    II. Product Description

    "mod_gzip is an Internet Content Acceleration module for the popular Apache
    Web Server. It compresses the contents delivered to the client. There is no
    need to install any additional software on the client!"

    (Quote from developer page)

    III. Vulnerability Description

    The mod_gzip_printf() procedure has three vulnerabilities that are
    exploitable only when the module is compiled in its debug mode. The
    vulnerabilities are listed in order of severity:

    * Stack overflow vulnerability

    The log line is first formatted into a fixed 2048-byte buffer before being
    passed to the Apache log and/or a log file. Requesting a long file name that
    the gzip module handles, such as:

    GET [overflow] HTTP/1.1
    Host: www.apachesite.com
    Accept-Encoding: gzip, deflate

    The httpd child handling your request will segfault. Consistent crashing
    can be seen with a buffer of about 2500 characters. If the saved return
    address is overwritten, code execution becomes trivial.

    * Format string vulnerability

    Exploitable only when the Apache log is used, this vulnerability allows a
    remote user to submit a specially crafted HTTP request that causes the child
    to segfault, for example either of the following:

    GET /cgi-bin/printenv.pl?x=%25n%25n%25n%25n%25n HTTP/1.1
    Host: www.apachesite.com
    Accept-Encoding: gzip, deflate

    GET /cgi-bin/printenv.pl?x=%n%n%n%n%n HTTP/1.1
    Host: www.apachesite.com
    Accept-Encoding: gzip, deflate

    * Race condition (/tmp)

    mod_gzip logs debugging information insecurely when the Apache log is not
    used. It writes to a predictably named log file without checking that the
    name is unique. The log file naming is as follows:


    An attacker who knew or guessed the PID of the httpd child servicing the
    request could overwrite arbitrary files as the superuser. At certain points
    during mod_gzip's initialization, it logs debug events as root. A
    well-placed series of symbolic links could cause arbitrary files to be
    overwritten. For example, linking /tmp/t760.log to /bin/ls would overwrite
    /bin/ls if mod_gzip logged an event from a process with ID 760.

    A similar possibility exists on NTFS file systems on Win32 via NTFS hard
    links, but the default "Strengthen default permissions of internal system
    objects" policy prevents this.
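    The three defects above map to three well-known fixes in the logging routine. The following is an added illustration, hypothetical code and not mod_gzip's own: the function names, the constructed 3000-byte URI and the file-name template are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkstemp(), close(), unlink() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define LOG_BUF 2048   /* the fixed buffer size the advisory describes */

/* Hypothetical hardened debug logger, not mod_gzip's own code. The three bugs
 * map to three fixes: snprintf() bounds the 2048-byte line instead of spilling
 * past it; request data is always a "%s" argument and never the format string,
 * so "%n" inside a URI is inert; mkstemp() creates the log with O_CREAT|O_EXCL
 * and a random suffix, so a pre-planted /tmp/t<pid>.log symlink is never used. */

/* Format one log line. Returns 1 if it had to be truncated, 0 otherwise. */
int log_uri(char *out, size_t outlen, const char *uri)
{
    int n = snprintf(out, outlen, "mod_gzip: uri=%s", uri);  /* never past outlen */
    return n < 0 || (size_t)n >= outlen;
}

int open_debug_log(char *tmpl)   /* tmpl must end in "XXXXXX"; returns fd or -1 */
{
    return mkstemp(tmpl);
}

int check_long_uri(void)            /* overflow: constructed 3000-byte URI */
{
    char line[LOG_BUF], *uri = malloc(3001);
    if (!uri) return 0;
    memset(uri, 'A', 3000); uri[3000] = '\0';
    int truncated = log_uri(line, sizeof line, uri);
    free(uri);
    return truncated == 1 && strlen(line) == LOG_BUF - 1;
}

int check_format_uri(void)          /* format string: %n copied as data */
{
    char line[LOG_BUF];
    return log_uri(line, sizeof line, "/cgi-bin/printenv.pl?x=%n%n%n%n%n") == 0
        && strcmp(line, "mod_gzip: uri=/cgi-bin/printenv.pl?x=%n%n%n%n%n") == 0;
}

int check_tmp_log(void)             /* race: unique name, exclusive create */
{
    char tmpl[] = "./mod_gzip_debug_XXXXXX";   /* constructed template */
    int fd = open_debug_log(tmpl);
    if (fd < 0) return 0;
    close(fd);
    return unlink(tmpl) == 0;
}
```

    Each check returns 1 when the hardened behaviour holds: the long URI is truncated at 2047 bytes instead of overrunning, the %n directives are copied verbatim as data, and the log file is created exclusively under a name an attacker cannot predict.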

    IV. Impact

    The impact of these issues on production sites should be minimal. Users
    running internet-accessible sites should immediately switch from the debug
    build to the release build of the module.

    V. Vendor Response

    After communicating with Christian Kruse and Michael Schroepl, I was told
    that the developers weren't currently working on the project, and that the
    issues I had raised would be addressed with the next version. As these
    issues have only a minor impact on most production sites, I decided to
    release this advisory to inform those still running the debug build to make
    the change to release for the security and stability of their sites.

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
