[Mod_gzip] Fwd: remote exploit for mod_gzip (with debug_mode)

Christian Kruse mod_gzip@lists.over.net
Tue, 2 Dec 2003 18:10:57 +0100


Hoi,

On Fri, 21 Nov 2003 16:27:10 +0100 you wrote:

> From the old mod_gzip page, it seems that the bug exploited is not
> actually present in any normal installations of mod_gzip, but only in
> the "debug code" which is not enabled by default; see
> http://www.schroepl.net/projekte/mod_gzip/

This is correct.

> For now, I am assuming that installations of mod_gzip 1.3.26 (WITHOUT
> debug_mode) are safe. If anyone has more information on this, I would
> appreciate to know!

This is correct, too. The remote exploit is based on some buffer
overflows in the debugging functions of mod_gzip. sprintf() is used
instead of snprintf() and the size of the buffer is not checked:

void mod_gzip_printf(const char *fmt, ... ) {
 int   l;

 va_list ap;

 char log_line[2048];                /* fixed-size stack buffer */

 va_start( ap, fmt );

 /* vsprintf() takes no length argument: a formatted message longer
    than 2047 bytes writes past the end of log_line. This is the
    overflow described above. The return value l is never used. */
 l = vsprintf(log_line,fmt,ap);

 va_end(ap);

 ap_log_error("",0,APLOG_NOERRNO|APLOG_DEBUG, mod_gzip_server_now,
 log_line);

 return;
}

This section of code can be executed if:

a) MOD_GZIP_DEBUG1 is defined
b) MOD_GZIP_LOG_IS_APACHE_LOG is defined

This is *not* the case by default.

BTW, someone must be mad to use the debugging code on a production server.
This *really* costs a lot of performance. Your apache-logs will be
spammed by a *lot* of debugging messages.

By the way, the mod_gzip debug code has some more vulnerabilities.
Perhaps you may want to read

  http://seclists.org/lists/bugtraq/2003/Jun/0024.html


Greetings,
 CK

-- 
Han Solo:
	Oh! I thought they smelled bad on the *outside*!
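
The following is an added example, not code from the message above or from mod_gzip itself. It shows the bounded counterpart of the mod_gzip_printf() function quoted in the message (vsnprintf() into the same 2048-byte buffer) and a measuring helper that computes, without performing the unsafe write, how far the original unbounded vsprintf() would run past log_line for a given message. The ap_log_error() call is replaced by a hypothetical record_log_line() stand-in so the result can be inspected offline, and the 4000-byte header value is constructed input, standing in for whatever request-supplied data the debug messages include (which data that is, is an assumption here).

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same fixed buffer size as mod_gzip_printf() uses for log_line. */
#define LOG_LINE_SIZE 2048

/* Hypothetical stand-in for ap_log_error(): keeps the last line so the
 * result can be inspected. The real Apache call is not used here. */
static char last_logged[LOG_LINE_SIZE];

static void record_log_line(const char *line)
{
    /* "%s" with the line as an argument: the line is data, never a format. */
    snprintf(last_logged, sizeof last_logged, "%s", line);
}

size_t logged_length(void)
{
    return strlen(last_logged);
}

/* Hardened variant of mod_gzip_printf(): vsnprintf() bounds the write to
 * the buffer and reports how long the full message would have been, so
 * the caller can see that the line was truncated rather than the stack
 * being overwritten. Returns -1 on a formatting error. */
int safe_log_printf(const char *fmt, ...)
{
    char log_line[LOG_LINE_SIZE];
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(log_line, sizeof log_line, fmt, ap);
    va_end(ap);

    if (needed < 0)
        return -1;
    /* vsnprintf() always NUL-terminates inside the buffer, even when truncating. */
    record_log_line(log_line);
    return needed;
}

/* Measures what the original unbounded vsprintf() would have done with the
 * same arguments, without doing the write: the number of bytes (including
 * the NUL) that would land beyond the 2048-byte log_line.
 * 0 means the message fits; -1 means a formatting error. */
int overflow_bytes(const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(NULL, 0, fmt, ap);   /* size 0: nothing is written */
    va_end(ap);

    if (needed < 0)
        return -1;
    needed += 1;                            /* terminating NUL */
    return needed > LOG_LINE_SIZE ? needed - LOG_LINE_SIZE : 0;
}

/* Constructed sample input: a 4000-byte header value of the kind any
 * client could send, assumed here to reach the debug logger. */
const char *constructed_long_header(void)
{
    static char value[4001];
    memset(value, 'A', sizeof value - 1);
    value[sizeof value - 1] = '\0';
    return value;
}

int main(void)
{
    const char *v = constructed_long_header();
    printf("unbounded vsprintf would overrun log_line by %d bytes\n",
           overflow_bytes("mod_gzip: Accept-Encoding=[%s]", v));
    printf("bounded variant: needed=%d, stored=%zu bytes\n",
           safe_log_printf("mod_gzip: Accept-Encoding=[%s]", v), logged_length());
    return 0;
}
```

The overflow_bytes() helper is the check a practitioner can run against any format string the debug code uses: vsnprintf() with a NULL buffer and size 0 only counts, so it is safe to call with attacker-sized input, and the difference against 2048 is exactly the amount the original function would write past the end of its stack buffer.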
