(Unofficial Patch is Available) Re: 'mod_gzip' Has Various Holes in Debug Mode That Let Remote Users Execute Arbitrary Code and May Yield Root Privileges to Local Users
SecurityTracker Alert ID: 1007892
SecurityTracker URL: http://securitytracker.com/id/1007892
CVE Reference:
GENERIC-MAP-NOMATCH
Date: Oct 7 2003
Impact:
Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via local system, User access via network
Fix Available: Yes
Version(s): 1.3.26.1a and prior
Description:
Several vulnerabilities were reported in mod_gzip in the module's debugging routines. A remote user may be able to execute arbitrary code. A local user may be able to gain root privileges on the system.
Matthew Murphy reported that these flaws can only be exploited when the module is compiled in debug mode.
It is reported that a remote user can request a long file name that is to be processed by gzip to trigger a buffer overflow in the logging mechanism. It may be possible to execute arbitrary code. A demonstration exploit is provided:
GET [overflow] HTTP/1.1
Host: www.apachesite.com
Accept-Encoding: gzip, deflate
It is also reported that a remote user can submit a specially crafted HTTP GET request to trigger a format string flaw in the use of the Apache logging mechanism (when Apache logging is used). A remote user may be able to execute arbitrary code. Some demonstration exploit examples are provided:
GET /cgi-bin/printenv.pl?x=%25n%25n%25n%25n%25n HTTP/1.1
Host: www.apachesite.com
Accept-Encoding: gzip, deflate
or
GET /cgi-bin/printenv.pl?x=%n%n%n%n%n HTTP/1.1
Host: www.apachesite.com
Accept-Encoding: gzip, deflate
It is also reported that, when Apache logging is not used, the software uses unsafe temporary log files based on the process id (e.g., 't<PID>.log'). A local user can create a symbolic link from the temporary file name to a critical file on the system. Then, when mod_gzip is executed, the linked file will be overwritten. According to the report, mod_gzip logs some debug events with root privileges. A local user can potentially exploit this to gain root privileges on the system.
Impact:
A remote user may be able to execute arbitrary code with the privileges of the web server.
A local user may be able to overwrite files to gain elevated privileges, potentially including root privileges on the system.
Solution:
Zone-H released an unofficial patch, available at:
http://www.zone-h.org/download/file=4954/
To apply the patch, type the following command in the source directory:
patch < mod_gzip.diff
Then, recompile mod_gzip.
Vendor URL: www.schroepl.net/projekte/mod_gzip/
Cause:
Access control error, Boundary error, Input validation error, State error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Tue, 7 Oct 2003 01:16:26 +0200
Subject: ZH2003-3SP (security patch): multiple vulnerabilities in mod_gzip
ZH2003-3SP (security patch): multiple vulnerabilities in mod_gzip 1.3.x debug mode
Released: 7 October 2003
Name: mod_gzip
Affected versions: all versions (debug mode)
Issue: stack overflow, format string and insecure file creation
Author: Astharot (at Zone-H.org)
Vendor: http://sourceforge.net/projects/mod-gzip/
Description
**********
Zone-H Security Team wrote a patch for the unresolved vulnerabilities found in
the debug mode of mod_gzip. According to the information found on the mod_gzip
website, mod_gzip "is an Internet Content Acceleration module for the popular
Apache Web Server. It compresses the contents delivered to the client."
Details
**********
Matthew Murphy (mattmurphy[at]kc.rr.com) discovered multiple vulnerabilities in
the debug mode of mod_gzip. The first vulnerability is a stack overflow. It has
been reported that by requesting a long filename, a buffer overflow occurs in
the logging mechanism. If it's possible to overwrite the return address, it's
possible to execute arbitrary code with the privilege of the webserver. The
second vulnerability is a format string. A remote user can submit a specially
crafted HTTP GET request to trigger a format string flaw in the use of the
Apache logging mechanism. An attacker may be able to execute arbitrary code. The
third and last vulnerability is an insecure file creation. A local user can
create a symbolic link from the temporary file name to a critical file. When
mod_gzip is executed, the linked file will be overwritten. mod_gzip logs some
debug events with root privileges, so a local user can potentially exploit this
to gain root privileges on the system.
Solution
**********
It's possible to download the patch here:
http://www.zone-h.org/download/file=4954/.
Download the patch, then in the source directory type:
patch < mod_gzip.diff
then recompile mod_gzip.
Link to this advisory:
http://www.zone-h.org/en/advisories/read/id=3225/
Astharot
--
http://www.zone-h.org - astharot@zone-h.org
PGP Key: http://www.gife.org/astharot.asc
Linux User #292132
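The three debug-mode flaws described in the Description above and in the Zone-H "Details" section (a fixed buffer overflowed by a long request filename, request data used as a printf-style format string in the logging path, and a predictable 't<PID>.log' that follows a planted symbolic link) share one defensive shape each. The following is an added example written for this page; it is not code from mod_gzip, from the Zone-H patch, or from either advisory, and every function name, the `LOG_LINE_MAX` limit, the `t12345.log` name and the directory it creates are constructed for the demonstration.

```c
/* Added example, not code from mod_gzip or the advisory. Names are hypothetical.
 * Shows the hardened counterpart of each debug-mode pattern the advisory
 * describes: bounded formatting of a request filename, logging request data as
 * an argument rather than as the format string, and creating the debug log
 * without following a planted symbolic link. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <sys/stat.h>

#define LOG_LINE_MAX 128   /* constructed limit for the debug line buffer */

/* 1. Stack overflow: sprintf(line, "processing %s", filename) into a fixed
 * buffer overflows on a long request path. snprintf() truncates instead.
 * Returns 0 if the line fit, 1 if it was truncated, -1 on error. */
int format_debug_line(char *out, size_t outlen, const char *filename)
{
    int n = snprintf(out, outlen, "mod_gzip: processing %s", filename);
    if (n < 0) return -1;
    return (size_t)n >= outlen ? 1 : 0;
}

/* 2. Format string: handing request text to the logger as its format lets a
 * "%n" in the query string drive printf. Passing it as a "%s" argument keeps
 * it inert; the log records the specifiers as literal characters. */
int log_request_field(char *out, size_t outlen, const char *user_field)
{
    /* vulnerable shape (never do this): snprintf(out, outlen, user_field); */
    return snprintf(out, outlen, "mod_gzip: query=%s", user_field);
}

/* 3. Insecure temp file: open("t<PID>.log", O_WRONLY|O_CREAT|O_TRUNC) follows a
 * symlink a local user planted under the predictable name. O_EXCL refuses any
 * pre-existing path (a symlink counts as existing) and O_NOFOLLOW refuses to
 * traverse one; mode 0600 keeps the log private. When the name need not be
 * fixed, mkstemp() additionally makes it unpredictable. */
int open_log_nofollow(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* A request path far longer than LOG_LINE_MAX must be cut, not overflow.
 * Returns 1 when truncation happened and the buffer stayed in bounds. */
int demo_long_filename_truncated(void)
{
    char line[LOG_LINE_MAX];
    char longname[1024];                       /* constructed oversized path */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    int rc = format_debug_line(line, sizeof line, longname);
    return rc == 1 && strlen(line) == LOG_LINE_MAX - 1;
}

/* Conversion specifiers in request data must land in the log verbatim. */
int demo_format_string_inert(void)
{
    char line[LOG_LINE_MAX];
    log_request_field(line, sizeof line, "%n%n%n%n%n");
    return strcmp(line, "mod_gzip: query=%n%n%n%n%n") == 0;
}

/* Plants a symlink at the predictable log name inside a private scratch
 * directory (the local attacker's precondition) and checks that the hardened
 * open refuses it. Returns 1 on refusal, 0 if the link was followed, -1 if
 * the scratch directory could not be set up. */
int demo_symlink_refused(void)
{
    const char *base = getenv("TMPDIR");
    char dir[256], path[320];
    int result = -1;

    if (base == NULL) base = "/tmp";
    snprintf(dir, sizeof dir, "%s/mgzdemo_XXXXXX", base);
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/t12345.log", dir);  /* constructed PID */
    if (symlink("/dev/null", path) == 0) {
        int fd = open_log_nofollow(path);
        if (fd < 0)
            result = (errno == EEXIST || errno == ELOOP) ? 1 : 0;
        else {
            close(fd);        /* the link was followed: still vulnerable */
            result = 0;
        }
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("long filename truncated: %d\n", demo_long_filename_truncated());
    printf("format string inert:     %d\n", demo_format_string_inert());
    printf("symlink refused:         %d\n", demo_symlink_refused());
    return 0;
}
```

All three checks print 1 on a Linux or UNIX host where the scratch directory can be created. The symlink check is the one worth reading closely: the refusal comes from `O_EXCL` (and `O_NOFOLLOW`) at open time, not from any stat-then-open check, because a stat-then-open sequence leaves the same race the advisory's local attacker relies on.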