Re: Rumours about Apache 1.3.22 exploits

From: Charles 'core' Stevenson (coreat_private)
Date: Mon Mar 04 2002 - 23:29:45 PST


    VeNoMouS wrote:
    > 
    > Actually I was pasted a so-called exploit this afternoon which claims to
    > exploit via POST, but I was only pasted a binary.
    > However, please watch out for this. I believe it is a working exploit, but it
    > also seems to open up a UDP port on 3049 and somehow seems to be cloning the
    > last proc. When stracing the 3049 process, all it seems to do is sit there in
    > recv(...) and does nothing when you type anything.
    > 
    > binary is called 73501867 - x86/linux mod_php v4.0.2rc1-v4.0.5 by lorian.
    > 
    > Has anyone seen this about before? Is this a trojan? If not, then why does
    > it open UDP 3049 even after a reboot?
    > I trace the proc opening that port, kill it, and it seems to somehow clone my
    > last proc and then 2 mins later opens the port again.
    > 
    > Any ideas?
    
    This exploit is a trojan.
    
    Best Regards,
    Charles Stevenson
    
    > ----- Original Message -----
    > From: "Olaf Kirch" <okirat_private>
    > To: "H D Moore" <hdmat_private>
    > Cc: <fractalgat_private>; <vuln-devat_private>
    > Sent: Wednesday, February 27, 2002 3:07 AM
    > Subject: Re: Rumours about Apache 1.3.22 exploits
    > 
    > > > There is a bug in the php_split_mime function in PHP 3.x and 4.x. There is a
    > > > working exploit floating around which provides a remote bindshell for PHP
    > > > versions 4.0.1 to 4.0.6 with a handful of default offsets for different
    > > > platforms.
    > >
    > > Blechch. This code is really icky. There's really an sprintf down there
    > > in the code that looks bad (apart from a few other things that look bad).
    > > But if I don't misread the patch, the sprintf is still there in 4.1.1.
    > >
    > > > Since the PHP developers commited another change to the affected
    > > > source file (rfc1687.c) about two days ago, speculation is that there is yet
    > > > another remote exploit.
    > >
    > > Not in the public CVS (has been removed?)
    > >
    > > Olaf
    > > --
    > > Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
    > > okirat_private  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
    > > okirat_private    +-------------------- Why Not?! -----------------------
    > >          UNIX, n.: Spanish manufacturer of fire extinguishers.
    > >
    
    This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 12:08:46 PST