RE: Apache Worm?

From: Horner, Jonathan J. (JH8) (jh8at_private)
Date: Wed Jun 19 2002 - 06:01:16 PDT

    I'm not really an expert in shell code and buffer overflows, but from what
    I've read, the most gruesome case is that someone could open a shell on a
    port on a 64-bit platform, running as the 'nobody' or 'httpd' user.  If one
    exists, that person could then use a local privilege escalation
    vulnerability to then upgrade from 'nobody' to 'root' status.
    
    The good point is that, as far as I can tell, the buffer overflow or shell
    code must be very Apache build/OS version specific.  This might mean that
    any worm would be very limited in target opportunities, and in most cases
    would only cause a child Apache process to die.  
    
    Could someone with some exploit generation or assembly experience answer a
    few questions:
    
    1.  It would appear that any exploit code which wants to do anything other
    than kill a process would have to be very specialized, as each instance of
    shell code would have to almost be made for a specific binary.  How would
    Apache configuration options, http_protocol.c changes, etc. affect the
    ability of someone to make an exploit?  It seems it would be very tied to
    the amount of memory the httpd binary takes when run and the size and
    locations of the targeted stack locations.  Again, I'm not an expert, but
    I've read a bit.  Please tell me if I've missed something.
    
    2.  This vulnerability, unlike most IIS vulnerabilities, happens in the
    phase of the request loop where the request is actually received.  In most
    IIS vulnerabilities, the weakness is in the request handling phases or the
    phases in which a request is actually being parsed by application mappings,
    which happens after the authentication phase.  Authentication, therefore,
    provides some level of protection from worms and outsider exploits.  Since
    authentication isn't done when this weakness is exploited, it shouldn't
    affect this weakness.  Am I right or wrong?
    
    3.  Why is it taking so long for the fix to appear?  I don't need a patch.
    I've mucked with my http_protocol.c so much that I need some source code to
    build my own patches or make my changes by hand.
    
    Any corrections to my assumptions are welcome.  Please don't flame, as I am
    really too busy to read through bile and venom.
    
    Thanks,
    
    Jon Horner, CISSP
    SAIC WebPool
    jh8at_private
    Office:  (865) 425-5178
    Pager:  (865) 417-5012
    
    
    > -----Original Message-----
    > From: Doesnt Matter [mailto:ackstormat_private]
    > Sent: Tuesday, June 18, 2002 7:10 PM
    > To: vuln-devat_private
    > Subject: Apache Worm?
    > 
    > 
    > what would be the likelihood a cracker could turn this into 
    > an internet worm, and what would the possible destruction be?  
    > I'm aware still over 50% of the webservers are running 
    > apache, but the different distros might cause somewhat of a 
    > problem. would it not?
    > ~ack
    > -- 
    > 
    > Powered by Outblaze
    > 
    This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 12:49:57 PDT