Re: Apache Exploit

From: Michal Zalewski (lcamtufat_private)
Date: Thu Jun 20 2002 - 19:49:49 PDT

    On Thu, 20 Jun 2002, Jefferson Ogata wrote:
    
    > Seems to me SIGTERM is likely as well, though it may not happen until
    > someone reboots the webserver. SIGCHLD is also a possibility if an
    > external CGI is involved, no?
    
    Well... I don't think that SIGCHLD can arrive at the same time as the
    problematic memcpy() is being executed. I don't think that Apache does
    request processing while waiting for a CGI script to finish - at least on
    unices, with the multi-process model. SIGTERM or SIGKILL - true. That's a
    good point. You can try over and over again, have e.g. 30 child processes
    spawned at the same time, it should not be that unlikely to have one of
    them hit exactly where you want it on the next reboot / upgrade, even if
    you don't know the exact timing.
    
    -- 
    _____________________________________________________
    Michal Zalewski [lcamtufat_private] [security]
    [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
    =-=> Did you know that clones never use mirrors? <=-=
              http://lcamtuf.coredump.cx/photo/
    