Vulnerability Development mailing list archives

Re: Apache Exploit


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 20 Jun 2002 22:49:49 -0400 (EDT)

On Thu, 20 Jun 2002, Jefferson Ogata wrote:

> Seems to me SIGTERM is likely as well, though it may not happen until
> someone reboots the webserver. SIGCHLD is also a possibility if an
> external CGI is involved, no?

Well... I don't think that SIGCHLD can arrive at the same time as the
problematic memcpy() is being executed. I don't think that Apache does
request processing while waiting for the CGI script to finish - at least on
unices, with the multi-process model. SIGTERM or SIGKILL - true. That's a good
point.  You can try over and over again, have e.g. 30 child processes
spawned at the same time; it should not be that unlikely to have one of
them hit exactly where you want it on the next reboot / upgrade, even if you
don't know the exact timing.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/

