Date:      Thu, 27 Jun 2002 12:55:01 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.ORG>
To:        Brett Glass <brett@lariat.org>
Cc:        bright@mu.org, odela01@ca.com, freebsd-security@FreeBSD.ORG
Subject:   Re: resolv and dynamic linking to compat libc
Message-ID:  <Pine.NEB.3.96L.1020627125013.6971E-100000@fledge.watson.org>
In-Reply-To: <200206271617.KAA04440@lariat.org>


On Thu, 27 Jun 2002, Brett Glass wrote:

> Last night, I saw an attempted attack that may have been an attempt to
> subvert a build of Apache 2.0.39 built with the buggy libc. Apache had
> spawned dozens of child processes, which all hung (they were trying to
> double-free memory) and the server was completely locked up. As far as I
> can tell, the intruder didn't make it in but did manage to mess up
> Apache's unprivileged child processes -- a first step. 
> 
> Apache is one of the most likely targets for a libc exploit, because so
> many servers run it. Beware, folks; the most important programs to
> rebuild are daemons like Apache, which are often statically linked and
> which you may or may not have installed as ports. (I built it straight
> from the Apache Project tarball.) And if you've installed anything as a
> binary package, be careful! As I've mentioned before on this list, the
> packages on the FreeBSD servers are not rebuilt nightly (as they should
> be). Every package on the public servers is probably STILL built with
> the faulty libc. Whoever manages ftp.freebsd.org should immediately take
> the package collection offline until the entire collection is rebuilt,
> and then make sure the mirrors get it. It would also be nice to start
> seeing those nightly builds (using make, of course, so that effort is
> not wasted if nothing has changed). 

Apache is actually a fairly unlikely target for the libc resolver attack,
because it is shipped dynamically linked by default, and because it doesn't
do reverse DNS lookups by default, for performance reasons.
Far more likely targets are tools such as sendmail or sshd, which do
predictable DNS lookups based on externally generated network traffic.
While it is possible to configure Apache to perform DNS operations based
on traffic (either explicitly in the configuration file to support
hostnames in logs, or implicitly through access control rules based on
hostnames), a scripted attack would likely not be very effective against
Apache using this attack vector.

We are aware of the ftp apache package problem and attempting to resolve
it. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
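Brett's point about statically linked daemons is the one a defender has to act on: a static binary carries its own copy of libc, so upgrading the shared libc.so does not fix it. The inventory check below is an added example, not code from this thread or from FreeBSD; it parses ELF program headers (ELF32 and ELF64) and flags executables with no PT_INTERP segment, which never load a shared libc. The build_elf64 fixture is constructed for testing only, and the default scan directory is an assumption.

```python
"""Find statically linked ELF executables: they embed their own libc, so a
libc fix only reaches them through a rebuild, not a shared-library upgrade."""
import struct
import sys
from pathlib import Path

PT_INTERP = 3  # program-interpreter segment; present only in dynamic executables


def is_static_elf(data: bytes) -> bool:
    """True if the ELF image has no PT_INTERP segment (ELF32/ELF64, either byte order)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum
    fmt = "HHIQQQIHHH" if data[4] == 2 else "HHIIIIIHHH"
    hdr = struct.unpack_from(endian + fmt, data, 16)
    phoff, phentsize, phnum = hdr[4], hdr[8], hdr[9]
    for i in range(phnum):
        # p_type is the first 32-bit field of every program header in both classes
        (p_type,) = struct.unpack_from(endian + "I", data, phoff + i * phentsize)
        if p_type == PT_INTERP:
            return False  # a dynamic loader runs, so libc.so will be mapped
    return True


def scan_static_executables(roots):
    """Walk the given directories and return the ELF files that are statically linked."""
    hits = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if not path.is_file():
                continue
            try:
                data = path.read_bytes()
                if data[:4] == b"\x7fELF" and is_static_elf(data):
                    hits.append(str(path))
            except (OSError, struct.error):
                continue  # unreadable or truncated file: skip, do not abort the scan
    return hits


def build_elf64(segment_types):
    """Constructed test fixture: a minimal, non-runnable ELF64 image whose
    program headers carry the given p_type values (e_phoff=64, e_phentsize=56)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56,
                               len(segment_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0)
                     for t in segment_types)
    return ehdr + phdrs


if __name__ == "__main__":
    # Directories are an assumption; pass the ones your daemons are installed in.
    for hit in scan_static_executables(sys.argv[1:] or ["/usr/local/sbin"]):
        print(hit)
```

Every path it prints is a binary that must be rebuilt against the fixed libc; binaries it does not print still need the shared libc upgraded and the daemon restarted.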
