Vulnerability Development mailing list archives

Re: Apache Exploit


From: Randy Taylor <rtaylor () enterasys com>
Date: Fri, 21 Jun 2002 10:41:17 -0400


Note: Sent this to Michal and forgot to cc the list. Chalk it up to
"too much to do and no time to get it done in" syndrome...
<heavy sigh>   -- RT ---

At 06:43 PM 6/20/2002 -0400, Michal wrote:
> On Thu, 20 Jun 2002, Randy Taylor wrote:
>
> > Yep it works. Not only that, but preliminary indications are that those
> > OS'es not specifically supported in the GOBBLES 'sploit can be DOS'ed by
> > it. I've totally hosed RH Linux and FreeBSD boxen with it so far.
>
> How come? At worst, Apache child on Linux should segfault and be restarted
> (which is a bit resource- and time-expensive operation, but no biggie).
> Perhaps you just DoSed it on TCP level? Or some other symptoms? Just
> curious.

In one case (the RH box), it looked like a TCP lockup condition. The thing
just stopped responding to outside stimuli, and right after that, inputs
via the local keyboard stopped as well. I haven't had time to dig into it further.
My goal was to trace the attack and develop a Dragon signature. Everything
else that happened was kind of incidental.

I killed the FreeBSD box by running it out of disk space. As the attack runs,
Apache logs error messages - I don't have my Ethereal trace in front of me
at the moment, but I recall the web server complaining about a misplaced
colon character or something. The DoS came from having only one partition
on the victim, and filling that up. It took about 20 minutes to do it. I think
this "error log DoS" condition will work for any OS/web server combo if error
logging is turned on - you'll eventually saturate the partition even if the
attack can't crack a shell.

The GOBBLES exploit isn't "smart" only in that it doesn't test/trust
what the banners tell it - so it just keeps churning through offsets - it
never seems to run out of them and it doesn't care whether or not the victim
is susceptible - the victim either cracks a shell or dies before apache-scalp
gives up - if it ever does. ;)

Finally, the box I cracked was an OBSD 2.9 box w/Apache 1.3.20 - OBSD
2.9 wasn't on the target list of apache-scalp, if I remember rightly. (My notes
are on my Linux partition - I'm writing this from my Windows side - the horror...
the horror...). The UID you get when it cracks is the UID of the web server
process.

Hope this helps. I've still got work to do on apache-scalp, so standard
disclaimers apply. ;)

Randy


--
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
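The "error log DoS" Randy describes (every failed exploit attempt leaves an error line, and a single-partition box eventually fills up) is easy to catch from the defender's side before the disk runs out. The script below is an added example written for this archive page, not code from the post, from Randy, or from the Dragon IDS; it parses Apache 1.3-style error_log lines, reports any client address producing a burst of errors inside a sliding time window, and projects how long the free space on the log partition will last at the observed write rate. The log lines, the client addresses, and the error message text are constructed samples, not real Apache output.

```python
"""Spot an error-log flood per client and project partition exhaustion.

Added example (not from the original mailing-list post). The error_log
format below is the Apache 1.3 shape "[date] [level] [client ip] message";
the sample lines and their message text are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed error_log line shape, e.g.
# [Thu Jun 20 18:43:00 2002] [error] [client 10.0.0.5] message text
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample: eight errors from one address four seconds apart,
# plus one unrelated error from a second address.
SAMPLE_LOG = [
    f"[Thu Jun 20 18:43:{4 * i:02d} 2002] [error] [client 10.0.0.5] "
    "malformed header line (constructed sample)"
    for i in range(8)
] + [
    "[Thu Jun 20 18:43:10 2002] [error] [client 10.0.0.9] "
    "File does not exist: /favicon.ico (constructed sample)"
]


def parse_line(line):
    """Return (timestamp, level, client_ip, message), or None if no match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, m.group("level"), m.group("ip"), m.group("msg")


def burst_clients(lines, window_seconds=60, threshold=5):
    """Return {client_ip: peak_errors_in_window} for clients over threshold.

    A sliding window per client means a slow trickle of errors is ignored,
    while a rapid run of failures from one address (the offset-churning
    behaviour described in the thread) is reported with its peak count.
    """
    windows = defaultdict(deque)
    worst = {}
    for rec in (parse_line(line) for line in lines):
        if rec is None or rec[1] != "error":
            continue
        ts, _, ip, _ = rec
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            worst[ip] = max(worst.get(ip, 0), len(q))
    return worst


def log_bytes_per_second(lines):
    """Average bytes of error_log written per second over the parsed span."""
    parsed = [(r[0], line) for line in lines for r in [parse_line(line)] if r]
    if len(parsed) < 2:
        return 0.0
    parsed.sort(key=lambda item: item[0])
    span = (parsed[-1][0] - parsed[0][0]).total_seconds()
    total = sum(len(line.encode()) + 1 for _, line in parsed)  # +1 for newline
    return total / span if span > 0 else float("inf")


def seconds_until_full(free_bytes, rate):
    """Project when a partition with free_bytes left fills at rate bytes/s."""
    if rate <= 0:
        return float("inf")
    return free_bytes / rate


if __name__ == "__main__":
    print("bursting clients:", burst_clients(SAMPLE_LOG))
    rate = log_bytes_per_second(SAMPLE_LOG)
    print(f"log growth: {rate:.1f} B/s")
    # 50 MB free on a single-partition box (constructed figure)
    print(f"time to full: {seconds_until_full(50 * 1024 * 1024, rate) / 60:.0f} min")
```

In practice the same check is run over the live file (tail it and feed lines into `burst_clients`), and the projection is what tells you whether the log partition or a separate one is at risk; splitting `/var/log` onto its own partition, which the post notes the FreeBSD box lacked, turns this from a host outage into a logging outage.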

