VS: Apache vulnerability checking

From: Toni Heinonen (Toni.Heinonenat_private)
Date: Wed Jun 26 2002 - 12:42:48 PDT

    > TH> patch. For instance, eEye's tool reports my patched RH7.2 server as
    > TH> "vulnerable", because it only checks the server string, it doesn't
    > TH> try to exploit the vulnerability.
    > 
    > That's interesting.. If you sniff the tool, you'll see it does a HEAD,
    > and then posts to x.html with a chunk encoding.. It seems to be doing
    > more than just reading the version on the banner. (This is as of 2 hours
    > ago, maybe they updated their tool).
    >
    > It appears to actually exploit it for the testing. I didn't trace the
    > tool itself, only from what the packet capture says.
    
    The original version only checked the server version, whereas an updated
    version now available does the HEAD and really tests for the hole. I saw
    this post on the Infosec news mailing list:
    
    "Forwarded from: Marc Maiffret <marcat_private>
    Cc: Jonas M Luster <jlusterat_private>
    
    thanks for your email.
    
    the first version was released quickly so people could have something to
    start with. the current version of the tool does perform an attack to
    determine if it's vulnerable. we're always improving over time but things
    start somewhere.
    
    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security"
    
    The new version (1.0.2) of the tool now reports even older, patched
    Apaches correctly as "not vulnerable", including my server.
    
    -- 
    Toni Heinonen, Teleware Oy
      Wireless +358 (40) 836 1815
      Telephone +358 (9) 3434 9123
      toni.heinonenat_private
      www.teleware.fi
    


