Date: Thu, 20 Jun 2002 15:48:23 -0600
From: "David G . Andersen"
To: Jez Hancock
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache root exploitable?
Message-ID: <20020620154823.E14099@cs.utah.edu>

Jez Hancock just mooed:
> On Thu, Jun 20, 2002 at 03:15:09PM -0500, Jacques A. Vidrine wrote:
> > David is on the money. We've yet to confirm that the bug can be
> > exploited for arbitrary code execution, but GOBBLES's post (and
> > se@FreeBSD.org's follow-up) do have us worried still.
> In my experience, it has been confirmed/checked to work on OpenBSD 3.0.
>
> An associate tested the exploit code submitted by GOBBLES and as it says
> on the tin, it does lead to a buffer overflow in OpenBSD (certainly
> 3.0). That's enough confirmation for me, IMHO. :-)
> The exploit header bullsh^H^H^H^H^Hlurb below however is some cause for
> concern, stating that the exploit is indeed applicable to FreeBSD
> 4.3-4.5. In my experience this is not the case running FreeBSD4.4
> Apache 1.3.20, but perhaps the author of the vulnerability would like to
> comment on this. I am a mere mortal and do not claim to have ever
> understood the finer details of bof and such. :)

You're misunderstanding the text in their message. They claim that
the bug is exploit_able_ on OpenBSD, FreeBSD, Solaris, and Linux --
but they say that the exploit they've published is only for OpenBSD.

  -Dave

--
work: dga@lcs.mit.edu
me: dga@pobox.com
MIT Laboratory for Computer Science
http://www.angio.net/