J-Security Center

Title: Multiple Mod_Gzip Debug Mode Vulnerabilities

Severity: HIGH

Description:

Mod_gzip is a third-party Apache web server module that compresses web content before sending it to the client. It is not part of the standard Apache distribution.

Multiple vulnerabilities were reported in Mod_gzip. The following issues exist when the software is run in debug mode:

Insufficient bounds checking of request data may lead to a stack overflow. If a remote user submits an excessively long request for a file type (such as gzip) handled by the module, it may be possible to overwrite stack variables with attacker-chosen values. This could lead to execution of malicious attacker-supplied instructions.

Mod_gzip is prone to a format string vulnerability when Apache logging facilities are used. This is due to a missing format specifier in the code responsible for logging requests for file types handled by the module, so request data is interpreted as the format string itself. Exploitation could permit a remote attacker to overwrite arbitrary locations in memory with malicious data, potentially allowing for code execution.

Mod_gzip logs debugging information in files using predictable names. The following naming scheme is used when log files are created:

/tmp/t<PID>.log

By anticipating the value of the process ID, a local attacker could launch symlink attacks against other system files. It has been reported that some debugging information is logged as the superuser. This could allow for corruption of arbitrary files. If these files can be corrupted with custom data, then it will be possible to gain elevated privileges.

Exploitation of these issues could result in execution of malicious instructions or corruption of critical or sensitive files.
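The three debug-mode issues above are each a well-known C defect class: an unbounded copy of request data, request data passed as a printf-style format string, and a debug log created under a predictable /tmp name. The following C snippet is an added illustration written for this record, not mod_gzip's own code, showing the hardened pattern for each (a length-checked copy, a fixed "%s" format with the request as an argument, and an atomically created, unpredictably named log file via mkstemp). Function names, buffer sizes and the "/tmp/mod_gzip_debug.XXXXXX" template are assumptions for the example.

```c
/* Added example: hardened forms of the three mod_gzip debug-mode defect classes.
 * Not from mod_gzip; names, sizes and paths below are chosen for illustration. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Issue 1 (stack overflow): copy request data only if it fits the buffer.
 * Returns 0 on success, -1 if the request is too long (caller should reject
 * the request instead of proceeding with a truncated or overflowed copy). */
int copy_request_bounded(char *dst, size_t dstlen, const char *req)
{
    size_t n = strlen(req);
    if (dstlen == 0 || n >= dstlen) {
        if (dstlen) dst[0] = '\0';
        return -1;               /* would have overflowed: refuse */
    }
    memcpy(dst, req, n + 1);     /* n + 1 copies the terminating NUL */
    return 0;
}

/* Issue 2 (format string): the request is always an argument to a fixed
 * format, never the format itself. The vulnerable pattern would be
 * snprintf(out, outlen, req), which lets "%" sequences in the request
 * drive printf. Returns 0 on success, -1 if the line did not fit. */
int format_log_line(char *out, size_t outlen, const char *req)
{
    int n = snprintf(out, outlen, "mod_gzip: request for %s", req);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Issue 3 (predictable /tmp name): create the debug log atomically with an
 * unpredictable suffix. mkstemp opens with O_CREAT|O_EXCL and mode 0600, so
 * a pre-placed symlink at a guessed name cannot be followed; the chosen
 * path is written back into 'path'. Returns the fd, or -1 on failure. */
int open_debug_log(char *path, size_t pathlen)
{
    const char *tmpl = "/tmp/mod_gzip_debug.XXXXXX"; /* assumed template */
    if (strlen(tmpl) >= pathlen)
        return -1;
    strcpy(path, tmpl);          /* length checked above */
    return mkstemp(path);
}

int main(void)
{
    char req[64], line[128], path[64];
    int fd;

    if (copy_request_bounded(req, sizeof req, "index.html.gz") != 0)
        return 1;
    if (format_log_line(line, sizeof line, req) != 0)
        return 1;
    fd = open_debug_log(path, sizeof path);
    if (fd < 0)
        return 1;
    printf("%s -> %s\n", line, path);
    close(fd);
    unlink(path);
    return 0;
}
```

The test below checks that an over-long request is refused rather than copied, that "%" sequences in a request survive verbatim in the log line instead of being interpreted, and that the debug log name is no longer the literal template.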

This record will be divided into multiple BIDs when further analysis of these issues is complete.

** The m00-mod_gzip.c exploit is malicious in nature and has been removed from this BID.

Affected Products:

  • Mod_gzip 1.3.17.1a
  • Mod_gzip 1.3.17.2a
  • Mod_gzip 1.3.19.1a
  • Mod_gzip 1.3.19.2a
  • Mod_gzip 1.3.26.1a
