Re: Apache Exploit

From: David Bernick (bernzat_private)
Date: Fri Jun 21 2002 - 20:57:41 PDT


    > In one case (the RH box), it looked like a TCP lockup condition. The thing
    > just stopped responding to outside stimuli, and right after that, inputs
    > via the local keyboard stopped as well. I haven't had time to dig into it 
    > further.
    
    I've tested the Gobbles 'sploit against the following machines/platforms:
    1. RH Linux 6.1 w Apache 1.2.x PIII 512MB
    2. RH Linux 7.2 w Apache 1.3.24 PIII 512MB
    3. RH Linux 7.2 w/Tux Webserver PII 128MB
    4. RH Linux 7.2 w Apache 1.3.26 DualPIII 1GB
    5. RH Linux 6.1 w Apache 1.3.14 on an Alpha processor 512MB
    
    After 1 full day of running the gobbles code in Brute Force mode, I've
    found that the Tux server wouldn't even accept the Chunked encoding so
    that seems to pose no threat. 
    On servers 1, 2 and 5, I have yet to spawn a rootshell, but a single client
    takes up considerable resources on the target machine. Not enough to DOS
    any of the boxes effectively, though I imagine a distributed or multiple
    client attack would have no problem doing this effectively. A single
    client nearly used up all the RAM on most machines and forced it to start
    using Swap space. I don't know if this is a garbage collection issue on
    Linux, but just doing a Heavy Load test on these machines barely makes it
    budge, so it probably has something to do with the exploit. On machine 4,
    with the new Apache, the only concern is that there is still an error
    thrown in the logs, and that could lead to disk filling attacks, but I
    doubt that someone could fill it fast enough to disrupt any large disk. 
    
    On the machines that are vulnerable, they register a segmentation fault
    on the child processes. The following log is shown:
    
    <snip>
    [Fri Jun 21 21:05:51 2002] [notice] child pid 20720 exit signal
    Segmentation fault (11)
    [Fri Jun 21 21:05:51 2002] [notice] child pid 20719 exit signal
    Segmentation fault (11)
    [Fri Jun 21 21:05:51 2002] [notice] child pid 20718 exit signal
    Segmentation fault (11)
    <snip>
    Notice the times. And that's with a single client attacking. Scary. Easy
    to coordinate this into a DDOS, I think. 
    
    > at the moment, but I recall the web server complaining about a misplaced
    > colon character or something. The DoS came from having only one partition
    
    this is the message he's talking about:
    
    <TITLE>400 Bad Request</TITLE>
    </HEAD><BODY>
    <H1>Bad Request</H1>
    Your browser sent a request that this server could not understand.<P>
    Request header field is missing colon separator.<P>
    
    
    -- 
    David Bernick
    bernzat_private
    
    Rarely do people communicate; they just take turns talking.
    
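A defender-side check for the error_log pattern quoted above, added here as an editor's example and not part of the original message: it parses the Apache 1.3 "child pid ... exit signal Segmentation fault (11)" notices and flags bursts of several child crashes within a few seconds, which is the "notice the times" observation turned into an alert. The sample log lines, pids and window/threshold values are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample of an Apache 1.3 error_log in the format quoted in the post
# (pids and timestamps are made up for this example).
SAMPLE_LOG = """\
[Fri Jun 21 21:05:50 2002] [notice] Apache/1.3.24 (Unix) configured -- resuming normal operations
[Fri Jun 21 21:05:51 2002] [notice] child pid 20720 exit signal Segmentation fault (11)
[Fri Jun 21 21:05:51 2002] [notice] child pid 20719 exit signal Segmentation fault (11)
[Fri Jun 21 21:05:51 2002] [notice] child pid 20718 exit signal Segmentation fault (11)
[Fri Jun 21 21:07:03 2002] [notice] child pid 20721 exit signal Segmentation fault (11)
"""

# One child killed by SIGSEGV, the exact notice Apache 1.3 writes.
SEGV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal Segmentation fault \(11\)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Fri Jun 21 21:05:51 2002"

def segfault_times(log_text):
    """Timestamps of every child-segfault notice, in log order."""
    times = []
    for line in log_text.splitlines():
        m = SEGV_RE.match(line.strip())
        if m:
            times.append(datetime.strptime(m.group("ts"), TS_FORMAT))
    return times

def find_bursts(times, window_seconds=5, threshold=3):
    """Sliding window over the timestamps: return [(window_start, count)] for
    every window in which at least `threshold` children died with SIGSEGV.
    A healthy server rarely loses several children this way within seconds,
    so a burst is worth an alert and a look at the matching access_log entries."""
    times = sorted(times)
    bursts = {}
    start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        count = end - start + 1
        if count >= threshold:
            # keep the largest count seen for this window start
            bursts[times[start]] = max(count, bursts.get(times[start], 0))
    return sorted(bursts.items())

def alerts(log_text, window_seconds=5, threshold=3):
    """Parse an error_log and return the segfault bursts found in it."""
    return find_bursts(segfault_times(log_text), window_seconds, threshold)
```

On the sample above, `alerts(SAMPLE_LOG)` reports one burst of three crashes starting at 21:05:51, while the lone crash at 21:07:03 stays below the threshold.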



    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 22:11:19 PDT