CRIME Apache Exploit in the Wild

From: brvarin@private
Date: Fri Jun 28 2002 - 15:01:30 PDT

They're heeeeere.....The first packets from the Apache DOS vuln are out and it's been "wormed", which means it's now spreading. You need to patch Apache to 1.3.26 or 2.0.39. If you can write a good Snort rule, below is what you need to plug in there. I just tested this signature out on my machine and it successfully detects the attack. Strangely, it also flagged the beginning of the packet as an "alibaba" attack. But beware, I modified the packet to not include all of the exploit code, so the real one may not trip on Alibaba. For a good packet dump of the exploit and details on how it installs, see:
http://dammit.lt/apache-worm/
    
SNORT SIG:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
    (msg:"WEB-MISC Transfer-Encoding\: chunked";
    flow:to_server,established;
    content:"Transfer-Encoding\:"; nocase;
    content:"chunked"; nocase;
    classtype:web-application-attack;
    reference:bugtraq,4474;
    reference:cve,CAN-2002-0079; reference:bugtraq,5033;
    reference:cve,CAN-2002-0392; sid:1807; rev:1;)

Brian Varine, GCIA, CISSP
Regence Blue Cross/Blue Shield
IT Security Compliance
503-553-1425
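Added illustration, not part of Brian's post or of Snort itself: the Python below emulates what sid:1807 actually tests (flow toward the server, then two independent case-insensitive content matches) over constructed sample requests, and places a stricter header-parsing check beside it. The comparison makes two tuning points visible: the rule fires on every legitimate chunked POST, and it also fires on any to-server payload that merely contains both strings somewhere, not only on a real Transfer-Encoding: chunked header.

```python
# Constructed sample traffic (not from the original post). Each entry carries the
# flow direction so the rule's flow:to_server condition can be emulated.
SAMPLE_TRAFFIC = [
    ("to_server", b"POST /cgi-bin/x HTTP/1.1\r\nHost: www\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"),
    ("to_server", b"POST /upload HTTP/1.1\r\nHost: www\r\n"
                  b"transfer-encoding: CHUNKED\r\n\r\n0\r\n\r\n"),
    ("to_server", b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("to_client", b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    # Not chunked at all: the word only appears in the URL, but the rule still fires.
    ("to_server", b"POST /search?q=chunked HTTP/1.1\r\nHost: www\r\n"
                  b"Transfer-Encoding: identity\r\nContent-Length: 0\r\n\r\n"),
]


def rule_1807_matches(direction, payload):
    """Emulate sid:1807: flow:to_server plus two nocase content matches.

    The two content keywords carry no distance/within modifiers, so Snort only
    requires both strings to appear anywhere in the payload, in any order.
    """
    if direction != "to_server":
        return False
    lowered = payload.lower()
    return b"transfer-encoding:" in lowered and b"chunked" in lowered


def header_says_chunked(payload):
    """Stricter check: the Transfer-Encoding header's token list contains 'chunked'."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"transfer-encoding":
            tokens = [t.strip().lower() for t in value.split(b",")]
            if b"chunked" in tokens:
                return True
    return False


def run_samples(traffic=SAMPLE_TRAFFIC):
    """Return (rule_fired, header_really_chunked) for each sample."""
    results = []
    for direction, payload in traffic:
        fired = rule_1807_matches(direction, payload)
        strict = direction == "to_server" and header_says_chunked(payload)
        results.append((fired, strict))
    return results


if __name__ == "__main__":
    for (direction, payload), (fired, strict) in zip(SAMPLE_TRAFFIC, run_samples()):
        print(direction, payload.split(b"\r\n", 1)[0], "rule:", fired, "header:", strict)
```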



    This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 16:13:08 PDT