Note: Sent this to Michal and forgot to cc the list. Chalk it up to "too much to do and no time to get it done in" syndrome... <heavy sigh>

-- RT

---

At 06:43 PM 6/20/2002 -0400, Michal wrote:
>On Thu, 20 Jun 2002, Randy Taylor wrote:
>
> > Yep it works. Not only that, but preliminary indications are that those
> > OS'es not specifically supported in the GOBBLES 'sploit can be DOS'ed by
> > it. I've totally hosed RH Linux and FreeBSD boxen with it so far.
>
>How come? At worst, Apache child on Linux should segfault and be restarted
>(which is a bit of a resource- and time-expensive operation, but no biggie).
>Perhaps you just DoSed it on TCP level? Or some other symptoms? Just
>curious.

In one case (the RH box), it looked like a TCP lockup condition. The thing just stopped responding to outside stimuli, and right after that, inputs via the local keyboard stopped as well. I haven't had time to dig into it further. My goal was to trace the attack and develop a Dragon signature. Everything else that happened was kind of incidental.

I killed the FreeBSD box by running it out of disk space. As the attack runs, Apache logs error messages - I don't have my Ethereal trace in front of me at the moment, but I recall the web server complaining about a misplaced colon character or something. The DoS came from having only one partition on the victim, and filling that up. It took about 20 minutes to do it. I think this "error log DoS" condition will work for any OS/web server combo if error logging is turned on - you'll eventually saturate the partition even if the attack can't crack a shell. The GOBBLES exploit isn't "smart" only in that it doesn't test/trust what the banners tell it - so it just keeps churning through offsets - it never seems to run out of them and it doesn't care whether or not the victim is susceptible - the victim either cracks a shell or dies before apache-scalp gives up - if it ever does. ;)

Finally, the box I cracked was an OBSD 2.9 box w/Apache 1.3.20 - OBSD 2.9 wasn't on the target list of apache-scalp, if I remember rightly. (My notes are on my Linux partition - I'm writing this from my Windows side - the horror... the horror...). The UID you get when it cracks is the UID of the web server process.

Hope this helps. I've still got work to do on apache-scalp, so standard disclaimers apply. ;)

Randy

>--
>_____________________________________________________
>Michal Zalewski [lcamtufat_private] [security]
>[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
>=-=> Did you know that clones never use mirrors? <=-=
> http://lcamtuf.coredump.cx/photo/
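The "error log DoS" Randy describes (a flood of malformed requests that fills the only partition with error_log entries) is straightforward to watch for from the defender's side. The script below is an added example, not code from the original post or from either participant: it parses lines in Apache 1.3's error_log layout, flags any client that produces more than a threshold of error entries inside a sliding window, and projects how long the free space on the log partition will last at the observed write rate. The log lines are constructed samples, the error message text is a placeholder rather than the real message the post mentions, and the window, threshold and free-space figures are assumed values to be tuned per host.

```python
"""Burst detection and time-to-fill estimate over an Apache-style error log.

Added example (not from the mailing-list post). All log lines below are
constructed; the "placeholder:" message stands in for whatever the real
server logs on a malformed request.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Apache 1.3 error_log layout: [timestamp] [level] [client addr] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_line(line):
    """Return a dict for one error_log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "level": m.group("level"),
        "client": m.group("client") or "-",   # server-level entries have no client
        "msg": m.group("msg"),
        "size": len(line.encode()) + 1,        # bytes written including the newline
    }


def find_bursts(lines, window_s=60, threshold=50):
    """Flag clients whose error entries reach `threshold` within `window_s` seconds.

    Returns a list of (client, window_start_ts, count), one entry per client,
    emitted the first time that client crosses the threshold.
    """
    recent = {}          # client -> deque of timestamps inside the window
    flagged = set()
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        dq = recent.setdefault(rec["client"], deque())
        dq.append(rec["ts"])
        while dq and (rec["ts"] - dq[0]).total_seconds() > window_s:
            dq.popleft()     # drop entries that fell out of the sliding window
        if len(dq) >= threshold and rec["client"] not in flagged:
            flagged.add(rec["client"])
            alerts.append((rec["client"], dq[0], len(dq)))
    return alerts


def bytes_per_second(lines):
    """Average log write rate over the span covered by the parsed lines."""
    recs = [r for r in map(parse_line, lines) if r]
    if len(recs) < 2:
        return 0.0
    span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
    total = sum(r["size"] for r in recs)
    return float(total) if span <= 0 else total / span


def seconds_to_fill(lines, free_bytes):
    """Project how many seconds `free_bytes` of log space lasts at the current rate."""
    rate = bytes_per_second(lines)
    return float("inf") if rate == 0 else free_bytes / rate


def build_sample():
    """Constructed error_log excerpt: one normal notice, a 300-entry flood from
    a single address over 30 seconds, then one ordinary 404-style error."""
    base = datetime(2002, 6, 20, 18, 43, 0)
    lines = [f"[{base.strftime(TS_FMT)}] [notice] Apache/1.3.20 (Unix) configured -- resuming normal operations"]
    for i in range(300):
        ts = (base + timedelta(seconds=i // 10)).strftime(TS_FMT)   # 10 entries per second
        lines.append(f"[{ts}] [error] [client 192.0.2.10] placeholder: malformed chunked request body")
    late = (base + timedelta(seconds=30)).strftime(TS_FMT)
    lines.append(f"[{late}] [error] [client 192.0.2.77] File does not exist: /usr/local/apache/htdocs/favicon.ico")
    return lines


if __name__ == "__main__":
    sample = build_sample()
    for client, start, n in find_bursts(sample):
        print(f"burst: {n} error entries from {client} within 60s starting {start}")
    free = 64 * 1024 * 1024   # assumed free space on the log partition
    mins = seconds_to_fill(sample, free) / 60
    print(f"at {bytes_per_second(sample):.0f} B/s, {free} free bytes last about {mins:.1f} minutes")
```

Run it against a real file with `find_bursts(open("/path/to/error_log"))` and the free-space figure from `os.statvfs` on the log directory. The projection is what makes the "20 minutes" observation actionable: a log partition separate from `/`, rotation with a size cap, and an alert when the projected fill time drops below the rotation interval keep the flood from taking the whole box down even when the exploit itself fails.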
This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 09:53:15 PDT