I'm not really an expert in shell code and buffer overflows, but from what I've read, the most gruesome case is that someone could open a shell on a port on a 64-bit platform, running as the 'nobody' or 'httpd' user. If one exists, that person could then use a local privilege escalation vulnerability to upgrade from 'nobody' to 'root' status. The good point is that, as far as I can tell, the buffer overflow or shell code must be very Apache build/OS version specific. This might mean that any worm would be very limited in target opportunities, and in most cases would only cause a child Apache process to die.

Could someone with some exploit generation or assembly experience answer a few questions:

1. It would appear that any exploit code which wants to do anything other than kill a process would have to be very specialized, as each instance of shell code would have to almost be made for a specific binary. How would Apache configuration options, http_protocol.c changes, etc. affect the ability of someone to make an exploit? It seems it would be very tied to the amount of memory the httpd binary takes when run and the size and locations of the targeted stack locations. Again, I'm not an expert, but I've read a bit. Please tell me if I've missed something.

2. This vulnerability, unlike most IIS vulnerabilities, happens in the phase of the request loop where the request is actually received. In most IIS vulnerabilities, the weakness is in the request handling phases or the phases in which a request is actually being parsed by application mappings, which happens after the authentication phase. Authentication, therefore, provides some level of protection from worms and outsider exploits. Since authentication isn't done when this weakness is exploited, it shouldn't affect this weakness. Am I right or wrong?

3. Why is it taking so long for the fix to appear? I don't need a patch.
I've mucked with my http_protocol.c so much that I need some source code to build my own patches or make my changes by hand. Any corrections to my assumptions are welcome. Please don't flame, as I am really too busy to read through bile and venom.

Thanks,

Jon Horner, CISSP
SAIC WebPool
jh8at_private
Office: (865) 425-5178
Pager: (865) 417-5012

> -----Original Message-----
> From: Doesnt Matter [mailto:ackstormat_private]
> Sent: Tuesday, June 18, 2002 7:10 PM
> To: vuln-devat_private
> Subject: Apache Worm?
>
> What would be the likelihood a cracker could turn this into an internet worm, and what would the possible destruction be? I'm aware still over 50% of the webservers are running Apache, but the different distros might cause somewhat of a problem. Would it not?
> ~ack
> --
> Powered by Outblaze
This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 12:49:57 PDT