From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 11 Jan 2006 10:06:22 +0200
Subject: [UNIX] Apache mod_auth_pgsql Format String Vulnerability
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060111093313.7F1845826@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Apache mod_auth_pgsql Format String Vulnerability
------------------------------------------------------------------------
SUMMARY
Apache2 Module <http://www.giuseppetanzilli.it/mod_auth_pgsql2/>;
mod_auth_pgsql "allows user authentication (and can log authentication
requests) against information stored in a PostgreSQL database."
Exploitation of a format string vulnerability in mod_auth_pgsql
authentication module for the Apache could allow the execution of
arbitrary code in the context of the httpd.
DETAILS
Vulnerable Systems:
* mod_auth_pgsql version 2.0.2b1 and prior
Immune Systems:
* mod_auth_pgsql version 2.0.3
The mod_auth_pgsql module for the Apache httpd is a third party
authentication module which allows authentication details to be stored in
a PostgreSQL database. Although this is a third party module, it is
available as a package for several distributions, including Red Hat Linux,
Debian GNU/Linux, FreeBSD and others.
Due to a design error, many of the logging functions in this module take
user supplied values as input to the format specifier:
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, pg_errstr);
When part of the error message contains a format string specifier it is
processed. For example, for the username "%x%x%x%x%x", output similar to
the following may appear in the 'error_log' file for the targetted httpd:
[Tue Sep 23 11:34:38 2005] [error] [client 10.1.10.11] mod_auth_pgsql:
Password for user 406869a083b3c900083b3cb3 not found (PG-Authoritative)
The sequence of hex characters is the result of the ap_log_rerror()
function parsing the input string as a format string, and contains values
from the stack. When the name supplied causes an invalid memory access,
the child process may exit with a logged error similar to:
[Tue Sep 24 11:25:53 2005] [notice] child pid 12345 exit signal
Segmentation fault (11)
Successful exploitation allows remote attackers to gain local access to
the vulnerable system in the context of the affected httpd. In order to
exploit this vulnerability, the attacker must know the URI of at least one
resource on the web server which is configured to use this module for
authentication. This module is not installed by default, but is available
as a package from some vendors, including Red Hat. Additional
configuration is required before the module is active after installing.
While format string exploit techniques are well documented, most
discussions of and exploits for vulnerabilities containing them rely on
the user supplied string being located on the stack. The reason for this
is that it allows the attacker to directly supply pointers to the memory
locations they wish to modify via the %n format specifier. As this module
does not store the format string on the stack, this may make exploitation
more difficult as techniques for exploiting this kind of format string are
not as commonly known. However, such information is publicly available.
Successful exploitation would allow a remote unauthenticated user access
to an affected system with the permissions of the httpd itself.
Workaround:
Disable the module, and use another form of authentication for the
affected resource.
In order to disable the module on Red Hat systems, execute the following
commands as root:
cd /etc/httpd/conf.d
mv auth_pgsql.conf auth_pgsql.disabled
If you have any '.htaccess' files, you may also have to disable any
authentication with references to mod_auth_pgsql directives. These
directives all start with 'Auth_PG_'.
At this point, you should add another authentication method for the
resources that were protected by this module. The exact operations to
perform are dependent on which authentication method you choose to use.
After performing these steps, restart the httpd by executing the following
command as root:
/sbin/service httpd restart
For other distributions, the general steps are the same (disable the
module, add another form of authentication, and restart the httpd),
however the details may vary slightly.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3656 >
CVE-2005-3656
Disclosure Timeline:
11/15/2005 Initial vendor notification
11/22/2005 Initial vendor response
01/09/2006 Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@lists.idefense.com.> iDEFENSE Labs.
The original article can be found at:
<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=367>;
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=367
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
