Re: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server

From: Anibal Ambertin (aambertinat_private)
Date: Wed Jun 19 2002 - 06:56:24 PDT


    ----- Original Message -----
    From: "KF" <dotslashat_private>
    To: <vuln-devat_private>
    Sent: Tuesday, June 18, 2002 4:18 AM
    Subject: Re: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP
    Server
    
    
    > During some testing of the apache issues with chunked encoding I noted
    > that on my Linux x86 based install of apache just before the child
    > process exits
    > some of the arguments that are passed to int sigaction(int signum,
    > const  struct  sigaction  *act, struct sigaction *oldact);  and  int
    > sigemptyset(sigset_t *set); have had their arguments overwritten... in
    > the case of sigaction the signum was set to 10 or SIGUSR1 and all other
    > arguments were overwritten with  0x41414141  I was wondering if this
    > could cause any added risk to the x86 versions of apache... maybe some
    > signaling ninja would help?
    
        I don't think this could be useful for an attacker, since the only
    thing you can do is to change the sigaction parameters, which doesn't imply
    any risk at all (unless you can write the members of the sigaction structure
    and make it go to another internal function -which should be part of the
    vulnerable program, in this case, apache-).
    
    > The description of sigaction is really what caught my attention:
    > The sigaction system call is used  to  change  the  action  taken by a
    > process on receipt of a specific signal.
    
        Yes. And that's all. So, as I see it, it won't add any risk to this bug.
    If I'm wrong I'm sure someone will give you (what? give us!) the light
    you're looking for :). After all, I'm not a "signaling ninja" ;).
    
    Cheers.
    Anibal Ambertin
    (Angel Dezkarriado/StrCpy)
    


