mod_gzip Debug Mode mod_gzip_printf Remote Format String

2003-06-01T00:00:00
ID OSVDB:10508
Type osvdb
Reporter OSVDB
Modified 2003-06-01T00:00:00

Description

Vulnerability Description

A remote format string vulnerability exists in mod_gzip. The issue is due to an error in the mod_gzip_printf() function used for the Apache logging mechanism. By sending a specially crafted HTTP GET request with an "Accept-Encoding: gzip" header, a remote attacker can cause a denial of service or execute arbitrary code with the privileges of the webserver, resulting in a loss of integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Zone-H has released a patch to address this vulnerability.

Manual Testing Notes

GET /cgi-bin/printenv.pl?x=%25n%25n%25n%25n%25n HTTP/1.1
Host: www.apachesite.com
Accept-Encoding: gzip, deflate

OR

GET /cgi-bin/printenv.pl?x=%n%n%n%n%n HTTP/1.1
Host: www.apachesite.com
Accept-Encoding: gzip, deflate
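
The bug class described above, as an added example that is not mod_gzip's code or the Zone-H patch: a printf-style debug logger is only safe when request data is passed as an argument to a constant format string. The names debug_printf, log_uri_unsafe and log_uri_safe are hypothetical, and the weak call is compiled out so it never runs.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Hypothetical debug logger (assumption, not mod_gzip's code). It formats
 * into a caller-supplied buffer so the logged line can be inspected. */
static int debug_printf(char *out, size_t len, const char *fmt, ...)
    PRINTF_LIKE(3, 4);

static int debug_printf(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, len, fmt, ap);
    va_end(ap);
    return n;
}

#if 0 /* Weak pattern, compiled out: the request URI is used as the format
       * string, so conversions inside it (such as %n) are interpreted. */
static int log_uri_unsafe(char *out, size_t len, const char *uri)
{
    return debug_printf(out, len, uri);
}
#endif

/* Hardened pattern: constant format string, URI passed as data, so any
 * '%' characters in the request are logged literally. */
static int log_uri_safe(char *out, size_t len, const char *uri)
{
    return debug_printf(out, len, "request uri: %s", uri);
}

int main(void)
{
    char line[128];
    /* Constructed sample input mirroring the test request above. */
    log_uri_safe(line, sizeof line, "/cgi-bin/printenv.pl?x=%n%n%n%n%n");
    puts(line);
    return 0;
}
```

With the format attribute in place, GCC and Clang report calls like the compiled-out one when built with -Wformat -Wformat-security.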

References:

Other Solution URL: http://www.zone-h.org/download/file=4954/
Nessus Plugin ID: 11686
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-10/0093.html
ISS X-Force ID: 12163
Generic Exploit URL: http://www.securiteam.com/exploits/6J00O0U8UK.html
CVE ID: CVE-2003-0843