Date: Thu, 27 Jun 2002 12:55:01 -0400 (EDT)
From: Robert Watson
To: Brett Glass
Cc: bright@mu.org, odela01@ca.com, freebsd-security@FreeBSD.ORG
Subject: Re: resolv and dynamic linking to compat libc
In-Reply-To: <200206271617.KAA04440@lariat.org>

On Thu, 27 Jun 2002, Brett Glass wrote:

> Last night, I saw an attempted attack that may have been an attempt to
> subvert a build of Apache 2.0.39 built with the buggy libc. Apache had
> spawned dozens of child processes, which all hung (they were trying to
> double-free memory) and the server was completely locked up. As far as I
> can tell, the intruder didn't make it in but did manage to mess up
> Apache's unprivileged child processes -- a first step.
>
> Apache is one of the most likely targets for a libc exploit, because so
> many servers run it. Beware, folks; the most important programs to
> rebuild are daemons like Apache, which are often statically linked and
> which you may or may not have installed as ports. (I built it straight
> from the Apache Project tarball.) And if you've installed anything as a
> binary package, be careful! As I've mentioned before on this list, the
> packages on the FreeBSD servers are not rebuilt nightly (as they should
> be). Every package on the public servers is probably STILL built with
> the faulty libc. Whoever manages ftp.freebsd.org should immediately take
> the package collection offline until the entire collection is rebuilt,
> and then make sure the mirrors get it. It would also be nice to start
> seeing those nightly builds (using make, of course, so that effort is
> not wasted if nothing has changed).

Apache is actually a fairly unlikely target for the libc resolver attack,
both because it is shipped dynamically linked by default, and because it
doesn't ship doing reverse DNS lookups by default for performance reasons.
Far more likely targets are tools such as sendmail or sshd, which do
predictable DNS lookups based on externally generated network traffic.
While it is possible to configure Apache to perform DNS operations based
on traffic (either explicitly in the configuration file to support
hostnames in logs, or implicitly through access control rules based on
hostnames), a scripted attack would likely not be very effective against
Apache using this attack vector.

We are aware of the ftp apache package problem and attempting to resolve
it.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
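
The two configuration cases named in the reply above (hostnames in logs, and access control rules based on hostnames) can be checked for mechanically. The following is an added example, not part of the original message and not Apache project code: a Python script that flags `HostnameLookups` and host-based `Allow`/`Deny` directives in an Apache 2.0-style configuration. The sample configuration and the function name `dns_triggers` are constructed for illustration.

```python
import re

# Constructed sample httpd.conf in Apache 2.0 syntax (not from the message).
SAMPLE_CONF = """\
# logging
HostnameLookups On
<Directory "/usr/local/www/data">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24 partner.example.org
    Allow from env=trusted
</Directory>
<Directory "/usr/local/www/private">
    Allow from .example.com 10.1
</Directory>
"""

# Allow/Deny arguments that never need the resolver: "all", env= tests,
# full or partial IPv4 addresses, network/netmask or CIDR, IPv6 addresses.
_NO_DNS = re.compile(
    r"^(all|env=.*|[0-9.]+(/[0-9.]+)?|[0-9a-f:]*:[0-9a-f:]*(/\d+)?)$", re.I)


def dns_triggers(conf_text):
    """Return (line_no, directive, reason) for each directive that makes
    httpd resolve names in response to client traffic."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        name = words[0].lower()
        if name == "hostnamelookups" and len(words) > 1 \
                and words[1].lower() != "off":
            findings.append((no, line, "reverse lookup of client addresses"))
        elif name in ("allow", "deny") and len(words) > 2 \
                and words[1].lower() == "from":
            names = [w for w in words[2:] if not _NO_DNS.match(w)]
            if names:
                findings.append(
                    (no, line, "hostname access rule: " + ", ".join(names)))
    return findings


if __name__ == "__main__":
    for no, directive, reason in dns_triggers(SAMPLE_CONF):
        print(f"line {no}: {directive}  [{reason}]")
```

A configuration with no findings matches the default behaviour the reply describes, where the server does not query DNS in response to client connections.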