RE: CRIME Apache Exploit in the Wild

From: Kuo, Jimmy (Jimmy_Kuo@private)
Date: Fri Jun 28 2002 - 18:11:40 PDT


    Has anyone actually seen this on their own system?
    
    It's starting to look fishy.
    
    Jimmy
    
    -----Original Message-----
    From: brvarin@private [mailto:brvarin@private]
    Sent: Friday, June 28, 2002 3:02 PM
    To: crime@private
    Subject: CRIME Apache Exploit in the Wild
    
    
    
    They're heeeeere.....The first packets from the Apache DOS vuln are out and
    it's been "wormed" which means it's now spreading. You need to patch Apache
    to 1.3.26 or 2.0.39.  If you can write a good Snort rule, below is what you
    need to plug in there. I just tested this signature out on my machine and it
    successfully detects the attack. Strangely, it also flagged the beginning of
    the packet as an "alibaba" attack. But beware, I modified the packet to not
    include all of the exploit code so the real one may not trip on Alibaba. For
    a good packet dump of the exploit and details on how it installs, see:
    http://dammit.lt/apache-worm/
    
    SNORT SIG:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
        (msg:"WEB-MISC Transfer-Encoding\: chunked";
        flow:to_server,established;
        content:"Transfer-Encoding\:"; nocase;
        content:"chunked"; nocase;
        classtype:web-application-attack;
        reference:bugtraq,4474;
        reference:cve,CAN-2002-0079; reference:bugtraq,5033;
        reference:cve,CAN-2002-0392; sid:1807; rev:1;)

    Brian Varine, GCIA, CISSP
    Regence Blue Cross/Blue Shield
    IT Security Compliance
    503-553-1425
    
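The rule quoted above fires on any request that carries both strings, so it also flags ordinary chunked uploads. As an added example (not from either message in this thread), the Python below reproduces the rule's match and then goes further: it parses the Transfer-Encoding header properly and walks the chunk-size lines, flagging a size that does not fit a signed 32-bit integer, which is the mishandling behind the CAN-2002-0392 reference in the rule. The three sample requests are constructed for the demo.

```python
import re

# Constructed sample requests (not packet captures from the post).
NORMAL_CHUNKED = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n"
                  b"5\r\nhello\r\n0\r\n\r\n")
OVERSIZED_CHUNK = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"transfer-encoding: CHUNKED\r\n\r\n"
                   b"FFFFFFF0\r\n" + b"A" * 16 + b"\r\n0\r\n\r\n")
PLAIN = b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


def sid_1807_matches(request: bytes) -> bool:
    """What the posted Snort rule checks: both strings anywhere, case-insensitive."""
    low = request.lower()
    return b"transfer-encoding:" in low and b"chunked" in low


def _declares_chunked(headers: bytes) -> bool:
    """True only if a real Transfer-Encoding header lists the 'chunked' coding."""
    for line in headers.split(b"\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"transfer-encoding":
            codings = [c.strip().lower() for c in value.split(b",")]
            if b"chunked" in codings:
                return True
    return False


def classify(request: bytes) -> str:
    """'plain', 'chunked', 'chunked-malformed', or 'chunked-oversized'
    (a chunk size above 0x7FFFFFFF, i.e. negative as a signed 32-bit int)."""
    headers, _, body = request.partition(b"\r\n\r\n")
    if not _declares_chunked(headers):
        return "plain"
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return "chunked"                            # truncated: nothing more to judge
        size_field = body[pos:end].split(b";")[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            return "chunked-malformed"
        size = int(size_field, 16)
        if size > 0x7FFFFFFF:
            return "chunked-oversized"
        if size == 0:
            return "chunked"                            # last chunk, body complete
        pos = end + 2 + size + 2                        # skip chunk data and its CRLF
```

Running `classify()` on the samples yields "chunked" for the normal upload and "chunked-oversized" for the second request, while `sid_1807_matches()` returns True for both, which is the false-positive gap the posted rule leaves.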



    This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 19:22:34 PDT