From: Jez Hancock
To: freebsd-security@FreeBSD.ORG
Date: Thu, 20 Jun 2002 21:59:22 +0100
Subject: Re: Apache root exploitable?
Message-ID: <20020620215922.A32355@munkboxen.mine.nu>
In-Reply-To: <20020620201509.GC56227@madman.nectar.cc>

On Thu, Jun 20, 2002 at 03:15:09PM -0500, Jacques A. Vidrine wrote:
> David is on the money. We've yet to confirm that the bug can be
> exploited for arbitrary code execution, but GOBBLES's post (and
> se@FreeBSD.org's follow-up) do have us worried still.

In my experience, it has been confirmed/checked to work on OpenBSD 3.0. An associate tested the exploit code submitted by GOBBLES and, as it says on the tin, it does lead to a buffer overflow in OpenBSD (certainly 3.0).

The exploit header bullsh^H^H^H^H^Hlurb below, however, is some cause for concern, stating that the exploit is indeed applicable to FreeBSD 4.3-4.5. In my experience this is not the case running FreeBSD 4.4 with Apache 1.3.20, but perhaps the author of the vulnerability would like to comment on this. I am a mere mortal and do not claim to have ever understood the finer details of bof and such. :)

 * apache-scalp.c
 * OPENBSD/X86 APACHE REMOTE EXPLOIT!!!!!!!
 *
 * Remote OpenBSD/Apache exploit for the "chunking" vulnerability. Kudos to
 * The "experts" have already concurred that this bug...
 * - Can not be exploited on 32-bit *nix variants
 * - Is only exploitable on win32 platforms
 * - Is only exploitable on certain 64-bit systems
 *
 * However, contrary to what ISS would have you believe, we have
 * successfully exploited this hole on the following operating systems:
 *
 * Sun Solaris 6-8 (sparc/x86)
 * FreeBSD 4.3-4.5 (x86)
 * OpenBSD 2.6-3.1 (x86)
 * Linux (GNU) 2.4 (x86)
 * <
 * Abusing the right syscalls, any exploit against OpenBSD == root. Kernel
 * bugs are great.
 *
 * [#!GOBBLES QUOTES]

In any event, what Jacques most eminently points out:

> Assume that it can be exploited, and upgrade as soon as you can.
>
> After all, even if it is `only' a DoS, it will probably get hit a
> lot once someone writes a Code Red-like worm for the Win32 version.
> History tells us that such worms don't bother to check the operating
> system or version that is running before attacking, and I would expect
> apache < 1.3.26 servers to experience a lot of downtime as a result.
> :-)

Best Regards,

Jez
-- 
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
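The thread above refers to the "chunking" vulnerability in Apache before 1.3.26 only by name; neither the post nor the quoted exploit header describes what the server does with a chunk-size line. As an added defender-side illustration (written for this archive page, not code from the thread, from GOBBLES or from Apache), the Python below decodes an HTTP chunked transfer-encoded body the way a hardened server would: it accepts only a short run of hex digits as a chunk size, caps the per-chunk and total sizes, and verifies that the declared bytes are actually present before copying anything. The limits `MAX_CHUNK_SIZE` and `MAX_SIZE_DIGITS` are assumptions chosen for the example; a real server would derive them from its configured request-body limit.

```python
import re

# Constructed limits for this example; a production server would tie these
# to its configured maximum request-body size.
MAX_CHUNK_SIZE = 1 << 20      # refuse any single chunk larger than 1 MiB
MAX_SIZE_DIGITS = 8           # enough hex digits to express MAX_CHUNK_SIZE

# Chunk-size line without its CRLF: hex digits, optionally followed by
# ";" and a chunk extension. Digit count is bounded before conversion.
_CHUNK_SIZE_RE = re.compile(rb"([0-9A-Fa-f]{1,%d})(?:;.*)?" % MAX_SIZE_DIGITS)


def parse_chunk_size(line: bytes) -> int:
    """Return the chunk size declared on one chunk-size line.

    Raises ValueError for anything that is not a bounded run of hex digits
    (so signs, spaces or overlong numbers never reach int()), and for any
    value above MAX_CHUNK_SIZE, so the size can be trusted by the caller.
    """
    m = _CHUNK_SIZE_RE.fullmatch(line)
    if m is None:
        raise ValueError(f"malformed chunk-size line: {line!r}")
    size = int(m.group(1), 16)
    if size > MAX_CHUNK_SIZE:
        raise ValueError(f"chunk size {size:#x} exceeds limit {MAX_CHUNK_SIZE:#x}")
    return size


def is_acceptable_chunk_size(line: bytes) -> bool:
    """True if parse_chunk_size() would accept the line, False otherwise."""
    try:
        parse_chunk_size(line)
        return True
    except ValueError:
        return False


def decode_chunked(body: bytes, max_total: int = 4 * MAX_CHUNK_SIZE) -> bytes:
    """Decode a chunked body, enforcing per-chunk and total size limits.

    Every chunk is checked for the declared number of bytes plus its
    terminating CRLF before any data is appended, so a short or truncated
    request is rejected instead of reading past the received bytes.
    """
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size = parse_chunk_size(body[pos:end])
        pos = end + 2
        if size == 0:
            return bytes(out)            # last-chunk; trailers are ignored here
        if len(out) + size > max_total:
            raise ValueError("chunked body exceeds total limit")
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data shorter than its declared size")
        out += chunk
        pos += size + 2


if __name__ == "__main__":
    # Constructed sample body: two chunks followed by the zero-length last-chunk.
    sample = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
    print(decode_chunked(sample))
```

The point of the bounded regular expression is that the size is validated as text before it becomes a number: a line such as `FFFFFFFF` converts cleanly but is rejected by the cap, while a nine-digit or negative value never reaches `int()` at all. Tying `max_total` to the request-body limit also gives a single place to log and reject oversized chunked requests, which is the signal a defender would want to watch for on a server that cannot yet be upgraded.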