Re: Apache Exploit

From: Randy Taylor (rtaylorat_private)
Date: Fri Jun 21 2002 - 07:41:17 PDT


    Note: Sent this to Michal and forgot to cc the list. Chalk it up to
    "too much to do and no time to get it done in" syndrome...
    <heavy sigh>   -- RT ---
    
    At 06:43 PM 6/20/2002 -0400, Michal wrote:
    >On Thu, 20 Jun 2002, Randy Taylor wrote:
    >
    > > Yep it works. Not only that, but preliminary indications are that those
    > > OS'es not specifically supported in the GOBBLES 'sploit can be DOS'ed by
    > > it. I've totally hosed RH Linux and FreeBSD boxen with it so far.
    >
    >How come? At worst, Apache child on Linux should segfault and be restarted
    >(which is a bit resource- and time-expensive operation, but no biggie).
    >Perhaps you just DoSed it on TCP level? Or some other symptoms? Just
    >curious.
    
    
    In one case (the RH box), it looked like a TCP lockup condition. The thing
    just stopped responding to outside stimuli, and right after that, inputs
    via the local keyboard stopped as well. I haven't had time to dig into it 
    further.
    My goal was to trace the attack and develop a Dragon signature. Everything
    else that happened was kind of incidental.
    
    I killed the FreeBSD box by running it out of disk space. As the attack runs,
    Apache logs error messages - I don't have my Ethereal trace in front of me
    at the moment, but I recall the web server complaining about a misplaced
    colon character or something. The DoS came from having only one partition
    on the victim, and filling that up. It took about 20 minutes to do it. I think this
    "error log DoS" condition will work for any OS/web server combo if error logging
    is turned on - you'll eventually saturate the partition even if the attack can't
    crack a shell.
    
    The GOBBLES exploit isn't "smart" only in that it doesn't test/trust
    what the banners tell it - so it just keeps churning through offsets - it
    never seems to run out of them and it doesn't care whether or not the victim
    is susceptible - the victim either cracks a shell or dies before apache-scalp
    gives up - if it ever does. ;)
    
    Finally, the box I cracked was an OBSD 2.9 box w/Apache 1.3.20 - OBSD
    2.9 wasn't on the target list of apache-scalp, if I remember rightly. (My notes
    are on my Linux partition - I'm writing this from my Windows side - the horror...
    the horror...). The UID you get when it cracks is the UID of the web server
    process.
    
    Hope this helps. I've still got work to do on apache-scalp, so standard
    disclaimers apply. ;)
    
    Randy
    
    
    >--
    >_____________________________________________________
    >Michal Zalewski [lcamtufat_private] [security]
    >[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
    >=-=> Did you know that clones never use mirrors? <=-=
    >           http://lcamtuf.coredump.cx/photo/
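The "error log DoS" Randy describes above (an exploit that keeps churning offsets, each failed attempt leaving an error_log entry, until the partition holding the log is full) is something a defender can spot from the log alone. The script below is an added example, not code from the original mail or from the GOBBLES tool: it parses a burst of Apache 1.3 error_log lines, measures how fast the log is growing, projects how long the partition has left at that rate, and names the client producing most of the entries. The log lines, addresses, timestamps and free-space figure are all constructed for illustration, and the function names are this example's own.

```python
"""Added example (not from the original mail): rough detection logic for the
"error log DoS" described above.  Given a burst of Apache 1.3 error_log lines
and the free space on the partition holding the log, it estimates how long
the partition has left and which client is generating the flood.

Everything below is constructed for illustration: the log lines follow the
Apache 1.3 error_log layout, but the addresses, timestamps and message text
are made up, and the function names are this example's own.
"""
from collections import Counter
from datetime import datetime
import re

# One Apache 1.3 error_log entry looks like:
#   [Thu Jun 20 18:43:10 2002] [error] [client 10.0.0.5] message text
# The "[client ...]" field is absent on server-level messages (startup notices etc.).
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\] "
    r"\[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for one error_log line, or None if it is not in the expected layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "level": m.group("level"),
        "client": m.group("client"),          # None for server-level messages
        "msg": m.group("msg"),
        "bytes": len(line.rstrip("\n").encode("utf-8")) + 1,  # on-disk size incl. newline
    }


def flood_summary(lines, free_bytes, level="error"):
    """Summarise a burst of entries at `level`.

    Returns the growth rate of the log (bytes/s, measured between the first and
    last matching entry), the projected seconds until `free_bytes` is exhausted
    at that rate, and the client responsible for most of the entries.
    """
    recs = [r for r in map(parse_line, lines) if r and r["level"] == level]
    if len(recs) < 2:
        raise ValueError("need at least two entries to measure a rate")
    span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
    total = sum(r["bytes"] for r in recs)
    rate = total / span if span > 0 else float("inf")
    clients = Counter(r["client"] for r in recs if r["client"])
    top_client, top_count = clients.most_common(1)[0] if clients else (None, 0)
    return {
        "entries": len(recs),
        "span_seconds": span,
        "bytes": total,
        "bytes_per_second": rate,
        "seconds_to_full": free_bytes / rate if rate > 0 else float("inf"),
        "top_client": top_client,
        "top_client_entries": top_count,
    }


def will_fill_within(summary, horizon_seconds):
    """True if the partition runs out before `horizon_seconds` at the observed rate."""
    return summary["seconds_to_full"] <= horizon_seconds


# Constructed sample: one startup notice, then an 11-second burst of identical
# request failures, mostly from one client.  Every burst line is 94 characters
# (95 bytes on disk with its newline).
SAMPLE_LOG = [
    "[Thu Jun 20 18:43:00 2002] [notice] Apache/1.3.20 (Unix) configured -- resuming normal operations",
]
SAMPLE_LOG += [
    f"[Thu Jun 20 18:43:{10 + i} 2002] [error] [client {'10.0.0.9' if i % 4 == 0 else '10.0.0.5'}] "
    "request failed: error reading the headers"
    for i in range(11)
]

if __name__ == "__main__":
    s = flood_summary(SAMPLE_LOG, free_bytes=1_045_000)   # ~1 MB free, constructed figure
    print(f"{s['entries']} entries in {s['span_seconds']:.0f}s, "
          f"{s['bytes_per_second']:.1f} B/s, ~{s['seconds_to_full'] / 3600:.1f} h to full, "
          f"top client {s['top_client']} ({s['top_client_entries']} entries)")
```

On a real host you would feed `flood_summary` the tail of error_log and the free-space figure from `df` for the partition that holds it; the projection is linear, so it is only as good as the window you measure over. The structural fix the mail points at is the same regardless of the exploit: keep logs on their own partition and rotate them, so that a flood of failed requests cannot take the whole box down with it.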
    