Date:      Thu, 20 Jun 2002 21:59:22 +0100
From:      Jez Hancock <jez.hancock@munkboxen.mine.nu>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Apache root exploitable?
Message-ID:  <20020620215922.A32355@munkboxen.mine.nu>
In-Reply-To: <20020620201509.GC56227@madman.nectar.cc>; from nectar@FreeBSD.ORG on Thu, Jun 20, 2002 at 03:15:09PM -0500
References:  <MBBBIOEFHOPIGEHFPADDAEIHCAAA.ghebion@phreaker.net> <20020620154453.L76822-100000@hellfire.hexdump.org> <20020620134143.C14099@cs.utah.edu> <20020620201509.GC56227@madman.nectar.cc>

On Thu, Jun 20, 2002 at 03:15:09PM -0500, Jacques A. Vidrine wrote:
> David is on the money.  We've yet to confirm that the bug can be
> exploited for arbitrary code execution, but GOBBLES's post (and
> se@FreeBSD.org's follow-up) do have us worried still.
In my experience, it has been confirmed/checked to work on OpenBSD 3.0.

An associate tested the exploit code submitted by GOBBLES and as it says
on the tin, it does lead to a buffer overflow in OpenBSD (certainly
3.0).

The exploit header bullsh^H^H^H^H^Hlurb below however is some cause for
concern, stating that the exploit is indeed applicable to FreeBSD
4.3-4.5.  In my experience this is not the case running FreeBSD 4.4
Apache 1.3.20, but perhaps the author of the vulnerability would like to
comment on this.  I am a mere mortal and do not claim to have ever
understood the finer details of bof and such. :)

<quote-apache-scalp.c>
 * apache-scalp.c
 * OPENBSD/X86 APACHE REMOTE EXPLOIT!!!!!!!
 *
 <snip-bs>
 * Remote OpenBSD/Apache exploit for the "chunking" vulnerability. Kudos to
 <snip-more-bs>
 * The "experts" have already concurred that this bug...
 *      -       Can not be exploited on 32-bit *nix variants
 *      -       Is only exploitable on win32 platforms
 *      -       Is only exploitable on certain 64-bit systems
 *
 * However, contrary to what ISS would have you believe, we have
 * successfully exploited this hole on the following operating systems:
 *
 *      Sun Solaris 6-8 (sparc/x86)
 *      FreeBSD 4.3-4.5 (x86)
 *      OpenBSD 2.6-3.1 (x86)
 *      Linux (GNU) 2.4 (x86)
 *
 <snip-more-bs-thank-you-we-won't-ask-you-for-warez-kiddie>
 * Abusing the right syscalls, any exploit against OpenBSD == root. Kernel
 * bugs are great.
 *
 * [#!GOBBLES QUOTES]
 <yes snip the bs>

</quote-apache-scalp.c>

In any event, what Jacques most eminently points out:

> Assume that it can be exploited, and upgrade as soon as you can.
> 
> After all, even if it is `only' a DoS, it will probably get hit a
> lot once someone writes a Code Red-like worm for the Win32 version.
> History tells us that such worms don't bother to check the operating
> system or version that is running before attacking, and I would expect
> apache < 1.3.26 servers to experience a lot of downtime as a result.
> :-)

Best Regards,
Jez
-- 
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020620215922.A32355>