Date: Thu, 20 Jun 2002 14:44:35 +0400 (MSD)
From: Maxim Kozin
To: freebsd-security@freebsd.org
Subject: Re: Apache expoit?
In-Reply-To: <2147483647.1024500409@[192.168.4.154]>

On Wed, 19 Jun 2002, Jason DiCioccio wrote:

> I don't know if this has already made bugtraq, or if it's waiting in their
> queue or what.. But I just happened to get ahold of this recently. It
> appears that FreeBSD and OpenBSD are exploitable.

...skipped...

The "exploit" from this letter was tested on FreeBSD 4.6-RELEASE with
different versions of Apache:

1) 2.0.36
2) 2.0.39
3) 1.3.26

In cases 1) and (!) 2) the httpd child died with "child out of swap space".
So a DoS still exists in 2.0.39.
The solution with login.conf did not work, because Apache does not use the
setclass*() setusercontext() functions.

p.s. 2.0.39 was configured as:

    ./configure \
        "--with-layout=Apache" \
        "--enable-threads" \
        "--enable-shared=max" \
        "--enable-module=all" \
        "--with-mpm=worker"

b.r.
Kozin Maxim
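
Added example, not part of the original message and not Apache or FreeBSD code: login.conf limits only reach a process that calls setusercontext(), so a daemon that skips it needs its limits set explicitly with setrlimit(). The function name allocation_refused_under_cap() and the choice of RLIMIT_AS (portable; login.conf's datasize maps to RLIMIT_DATA) are assumptions made for this sketch, which shows a capped child getting a failed allocation instead of consuming swap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Keeps the allocation observable so the compiler cannot elide it. */
static void *volatile sink;

/* Set soft and hard limit for one resource; returns 0 on success. */
static int cap_resource(int resource, rlim_t bytes)
{
    struct rlimit rl;
    rl.rlim_cur = bytes;
    rl.rlim_max = bytes;
    return setrlimit(resource, &rl);
}

/* Fork a child (stand-in for an httpd worker), cap its address space at
 * cap_bytes, then let it try to allocate and touch want_bytes.
 * Returns 1 if the allocation was refused, 0 if it succeeded, -1 on error. */
int allocation_refused_under_cap(size_t cap_bytes, size_t want_bytes)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *p;
        if (cap_resource(RLIMIT_AS, (rlim_t)cap_bytes) != 0)
            _exit(2);                    /* could not apply the limit */
        p = malloc(want_bytes);
        sink = p;
        if (p == NULL)
            _exit(1);                    /* refused: no swap consumed */
        memset(p, 0xAA, want_bytes);     /* touch pages so they are backed */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sizes: 64 MiB cap, 256 MiB runaway request. */
    printf("refused under cap: %d\n",
           allocation_refused_under_cap(64UL << 20, 256UL << 20));
    return 0;
}
```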