[UNIX] Multiple Vulnerabilities in mod_gzip Debugging Routines
From: SecuriTeam (support_at_securiteam.com)
Date: 06/03/03
To: list@securiteam.com
Date: 3 Jun 2003 19:05:24 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities in mod_gzip Debugging Routines
------------------------------------------------------------------------
SUMMARY
<http://www.sourceforge.net/projects/mod-gzip> mod_gzip is "an Internet
Content Acceleration module for the popular Apache Web Server. It
compresses the contents delivered to the client. There is no need to
install any additional software on the client". The mod_gzip_printf()
procedure has three vulnerabilities that are exploitable only when the
module is compiled in its debug mode.
DETAILS
Vulnerable systems:
* mod_gzip version 1.3.26.1a
The vulnerabilities are listed in order of severity:
Stack overflow vulnerability
The log line is superfluously formatted into a 2048-byte buffer before
being passed to the Apache log and/or the debug log file. By requesting a
long file name that the mod_gzip module handles, such as:
GET [overflow] HTTP/1.1
Host: www.apachesite.com
Accept-Encoding: gzip, deflate
The httpd child process handling your request segfaults. Consistent
crashing can be seen with a buffer of about 2500 characters. If the saved
return address is overwritten, code execution becomes trivial.
Format string vulnerability
Exploitable only when using the Apache log, this vulnerability allows
remote users to submit a specially crafted HTTP request that causes the
child to segfault:
GET /cgi-bin/printenv.pl?x=%25n%25n%25n%25n%25n HTTP/1.1
Host: www.apachesite.com
Accept-Encoding: gzip, deflate
Alternatively,
GET /cgi-bin/printenv.pl?x=%n%n%n%n%n HTTP/1.1
Host: www.apachesite.com
Accept-Encoding: gzip, deflate
Race condition (/tmp)
mod_gzip insecurely logs debugging information when the Apache log is not
used. It generates a predictably named log file and fails to check it for
unique naming. The log file naming is as follows:
t<PID>.log
An attacker who knew or guessed the PID of the httpd child servicing the
request could overwrite arbitrary files as the superuser. At some points
during mod_gzip's initialization, it logs debug events as root.
A well-placed series of symbolic links could cause arbitrary files to be
overwritten. For example, linking /tmp/t760.log to /bin/ls would overwrite
/bin/ls if mod_gzip logged an event from a process with ID 760.
A similar possibility exists on NTFS file systems on Win32 via NTFS hard
links, but the default "Strengthen default permissions of internal system
objects" policy prevents this.
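As an added illustration (not code from mod_gzip or from the advisory), the hardened open below shows the check the debug logger lacks: O_CREAT|O_EXCL refuses any pre-existing entry at the predictable t<PID>.log path, so a planted symbolic link cannot redirect the write. The scratch directory, the "victim" file and the function names are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hardened open for a per-process debug log named t<PID>.log (the advisory's
 * naming). O_CREAT|O_EXCL makes open() fail with EEXIST if anything already
 * sits at that path, a pre-planted symbolic link included, so the write can
 * never be redirected to another file. Returns a descriptor or -1 (errno set). */
int open_debug_log(const char *dir, long pid) {
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/t%ld.log", dir, pid);
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return -1; }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_APPEND, 0600);
}

/* Self-check in a scratch directory (constructed for this example): put a
 * symlink at the predictable name pointing at a stand-in "victim" file, verify
 * the hardened open refuses it and the victim is untouched, then verify the
 * open succeeds once the link is gone. Returns 0 on success, else the step no. */
int demo_predictable_log(void) {
    char dir[] = "/tmp/modgzip_demo_XXXXXX", victim[64], link[64];
    long pid = (long)getpid();
    struct stat st; int fd, rc = 0;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/t%ld.log", dir, pid);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "orig\n", 5) != 5) rc = 2;
    if (fd >= 0) close(fd);
    if (rc == 0 && symlink(victim, link) != 0) rc = 3;
    if (rc == 0) {
        fd = open_debug_log(dir, pid);
        if (fd >= 0) { close(fd); rc = 4; }        /* link followed: unsafe */
        else if (errno != EEXIST) rc = 5;          /* refused for the wrong reason */
    }
    if (rc == 0 && (stat(victim, &st) != 0 || st.st_size != 5)) rc = 6;
    unlink(link);
    if (rc == 0) {                                 /* path now clear: must work */
        fd = open_debug_log(dir, pid);
        if (fd < 0) rc = 7; else close(fd);
        unlink(link);
    }
    unlink(victim); rmdir(dir);
    return rc;
}
```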
Impact:
The impact of these issues on production sites should be minimal. Users
running internet-accessible sites should immediately switch from the debug
build to the release build of the module.
Vendor Response:
After communicating with Christian Kruse and Michael Schroepl, Matthew was
told that the developers were not currently working on the project, and
that the issues Matthew had raised would be addressed with the next
version. As these issues have only a minor impact on most production
sites, Matthew decided to release this advisory to inform those still
running the debug build to make the change to release for the security and
stability of their sites.
ADDITIONAL INFORMATION
The information has been provided by <mailto:mattmurphy@kc.rr.com>
Matthew Murphy.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.