RE: bugtraq.c httpd apache ssl attack

From: Sandu Mihai (mihai.sanduat_private)
Date: Fri Sep 13 2002 - 12:41:41 PDT


    Usually, a common tactical move is to securely design the system from the
    start. A /tmp placed on an independent partition, and mounted noexec, nosuid,
    along with chattr +a on logs and +i on important directories like /sbin,
    /bin and the like, is a fair policy.
    As for a quick fix, yes, this will keep away the worm, but not the hacker.
    One can easily tear apart the worm and create a 'remote shell through Apache'
    kind of thing. It is advisable to keep the systems always in good shape (if
    possible.. I have seen 'updates' that broke things trying to fix others;
    merely the RedHat 7.0 updates have sometimes fallen in this category..) and
    always keep an open eye (if time/staff permits).
    
    All my best,
    Sandu Mihai - KPNQWest Romania Network Engineer
    
    -----Original Message-----
    From: adamkujat_private [mailto:adamkujat_private]
    Sent: 13 September 2002 21:51
    To: bugtraqat_private
    Subject: Re: bugtraq.c httpd apache ssl attack
    
    
    Wouldn't it be easier to create a blank /tmp/.bugtraq.c file, chmod 000,
    owned by root?
    
    On Fri, 13 Sep 2002, The Little Prince wrote:
    
    >
    > too easy to chmod 700 gcc to lock it to root?
    > obviously not as a TOTAL fix
    >
    > -Tony
    >
    > .-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
    > Anthony J. Biacco                            Network Administrator/Engineer
    > thelittleprince@asteroid-b612.org            http://www.asteroid-b612.org
    >
    >              "Every day should be a good day to die"   -DJM
    >
    > .-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
    >
    > On 13 Sep 2002, Fernando Nunes wrote:
    >
    > >
    > >
    > > I am using RedHat 7.3 with Apache 1.3.23. Someone used the
    > > program "bugtraq.c" to explore a modSSL buffer overflow to get access to
    > > a shell. The attack creates a file named "/tmp/.bugtraq.c" and compiles it
    > > using gcc. The program is started with another computer's IP address as
    > > argument. All computer files that the user "apache" can read are exposed.
    > > The program attacks the following Linux distributions:
    > >
    > > Red-Hat: Apache 1.3.6,1.3.9,1.3.12,1.3.19,1.3.20,1.3.22,1.3.23,1.3.26
    > > SuSE: Apache 1.3.12,1.3.17,1.3.19,1.3.20,1.3.23
    > > Mandrake: 1.3.14,1.3.19
    > > Slackware: Apache 1.3.26
    > >
    > > Regards
    > > Fernando Nunes
    > > Portugal
    > >
    > >
    >
    > --
    >
    > .-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
    > Anthony J. Biacco                            Network Administrator/Engineer
    > thelittleprince@asteroid-b612.org            http://www.asteroid-b612.org
    >
    >              "Every day should be a good day to die"   -DJM
    >
    > .-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
    >
    >
    
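An offline audit of the hardening discussed in this thread (a separate /tmp mounted noexec,nosuid, append-only logs via chattr +a, and the blank root-owned, mode 000 /tmp/.bugtraq.c placeholder), added here as an example; it is not code from anyone in the thread, the mount table and lsattr line are constructed, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample inputs (not captured from a real host).
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/hda5 /tmp ext3 rw,nosuid,noexec 0 0
/dev/hda6 /var ext3 rw 0 0'
SAMPLE_LSATTR='-----a-------- /var/log/messages'
# has_opt OPTS NAME: true when the comma-separated mount option
# list OPTS contains NAME.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# tmp_mount_hardened MOUNTS_TEXT: true when /tmp is its own
# filesystem (text in /proc/mounts format) carrying noexec and nosuid.
tmp_mount_hardened() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/tmp" { print $4; exit }')
    # No line of its own: /tmp lives on / and anything dropped there can run.
    [ -n "$opts" ] || return 1
    has_opt "$opts" noexec && has_opt "$opts" nosuid
}

# attr_set LSATTR_LINE FLAG: true when the flag letter (a = append-only,
# i = immutable) appears in the attribute column of one lsattr line.
attr_set() {
    field=${1%% *}
    case "$field" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# placeholder_ok FILE [UID]: true when FILE exists, is owned by UID
# (root unless given) and has mode 000: the blank /tmp/.bugtraq.c fix.
placeholder_ok() {
    [ -e "$1" ] || return 1
    [ "$(stat -c '%u %a' "$1")" = "${2:-0} 0" ]
}

# audit_host: report on the running system. /proc/mounts is world-readable,
# so this needs no privileges; lsattr needs e2fsprogs.
audit_host() {
    if tmp_mount_hardened "$(cat /proc/mounts 2>/dev/null)"; then
        echo "/tmp: separate filesystem, noexec,nosuid"
    else
        echo "/tmp: NOT hardened"
    fi
    attr_set "$(lsattr -d /var/log/messages 2>/dev/null)" a &&
        echo "/var/log/messages: append-only"
    placeholder_ok /tmp/.bugtraq.c && echo "/tmp/.bugtraq.c placeholder in place"
    return 0
}
```

Source the file and call `audit_host` to check a live box; the individual checks accept captured text, so they also work on mount tables and lsattr output collected from another host.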



    This archive was generated by hypermail 2b30 : Fri Sep 13 2002 - 12:54:44 PDT