Mod_Survey SYSBASE vulnerability

From: Joel Palmius (joel.palmius_at_mh.se)
Date: 05/04/03

  • Next message: http-equiv_at_excite.com: "SILLY BEHAVIOR Part III : Internet Explorer 5.5 - 6.0"
    Date: Sun, 4 May 2003 23:14:53 +0200 (CEST)
    To: bugtraq@securityfocus.com
    
    

    The below was published on mod_survey's mailing list a few minutes ago.

    More info about Mod_Survey can be found on its home page, which is
    available at http://gathering.itm.mh.se/modsurvey/
                                                                                                                                                                                      
      // Joel

    ######################################################
    Mod_Survey Security Advisory 2003-05-04, SYSBASE flood
    ######################################################

    ABOUT MOD_SURVEY
    ----------------
    Mod_Survey is an Apache module which displays and handles questionnaires
    written in a special XML-based markup language. Mod_Survey is primarily
    targeted towards Linux/Unix, but is also possible to run in Windows.

    SUMMARY
    -------
    In all versions prior to 3.0.15-stable, it is possible for a remote evil
    person to fill the partition on which the central data repository
    resides, through sending access requests to non-existing surveys.

    ERROR CATEGORY
    --------------
    The error falls into the classes "Input Validation Error" and
    "Denial of Service". It is possible to exploit remotely.

    VULNERABLE
    ----------
    All versions from 3.0.0 up to (but not including) 3.0.15-stable are
    vulnerable. Thus the following versions have the problem:

      3.0.0
      3.0.1
      3.0.2
      3.0.3
      3.0.4
      3.0.5
      3.0.6
      3.0.7
      3.0.8
      3.0.9
      3.0.10
      3.0.11
      3.0.12
      3.0.13
      3.0.14
      3.0.14d
      3.0.14e

      3.0.15-pre1
      3.0.15-pre2
      3.0.15-pre3
      3.0.15-pre4
      3.0.15-pre5
      3.0.15-pre6

    Not vulnerable:

      3.0.15-stable

    SOLUTION
    --------
    All users are encouraged to upgrade to version 3.0.15-stable. However,
    if you are running 3.0.14 - 3.0.14e and do not wish to upgrade at this
    time, you could also download the "Document.pm" module from the
    mod_survey homepage (http://gathering.itm.mh.se/modsurvey/) and use it
    to replace the faulty one in the "Survey" subdir of the installation
    folder. This is not an option if you run versions prior to 3.0.14.

    Apache needs to be stopped (to a full stop, not "graceful") and then
    started again before changes in these modules take effect.

    LONGER DISCUSSION
    -----------------
    Mod_survey does per default store all data files, such as cache, keys
    and submitted questionnaire answers, in a data repository, "SYSBASE".
    In practise this repository is a subdir of the central data repository.

    SYSBASE is created when the survey file is first accessed, and is given
    the full path of the survey as name (with slashes converted to
    underscores).

    Unfortunately, the check whether the survey file actually exists did
    not take place until *after* the repository was initialized. Thus, an
    empty SYSBASE would be set up even if the access concerned a
    non-existent survey file.

    In normal operation, this might look rather sloppy, but would not a be
    problem, since the occasional mistyped path would only result in an
    additional empty directory. However, while the directory is "empty" in
    the sense that it does not contain any data from the beginning, it still
    occupies space in the file system. A script with a loop that produces
    access requests to new non-existent surveys several times per second
    would pretty soon fill the partition.

    The consequences of this differ depending on which platform the system
    is installed, and which partition contains the data repository. The usual
    consequence would simply be that no data could be written to the
    partition, thus stopping further data collection. However, in theory,
    a filled partition could down a system. An example would be on a unixoid
    system where the data repository resided somewhere in /var (the default
    location is in /usr/local/mod_survey/data).

    EXPLOIT
    -------
    An exploit exists and is shown to be functional, but has to our knowledge
    not reached the public. However, given the nature of the problem, anyone
    with a minimum of knowledge of any scripting language could easily
    reproduce the exploit from the above information.

    IMPACT
    ------
    All current installations of mod_survey are vulnerable and could thus at
    least be attacked with a DoS attack exploiting the above.

    It is conceivable that the problem could also be used to attack bugs in
    the file system itself, as an example through injecting control chars
    that the operating system cannot handle, although no exploit for this has
    yet been proposed. An upgrade to 3.0.15-stable removes the theoretical
    possibility for this problem too though.

    CREDITS
    -------
    The problem was first discovered and discussed by Jesse Adelman of the
    University of California, San Francisco.


  • Next message: http-equiv_at_excite.com: "SILLY BEHAVIOR Part III : Internet Explorer 5.5 - 6.0"