Full Disclosure mailing list archives
The last word on the Linux Slapper worm
From: misha () cerber no (Mikhail Iakovlev)
Date: Thu, 26 Sep 2002 02:04:14 +0200 (CEST)
Paul, are you absolutely sure about it? I have few systems that had 0.9.6b, and after playing with offsets for some time I managed to proof vulnerability. Of course it depends always on kernel versions/patches, and on modules which are included in apache server. Because of that addresses are changing. Like for example if I knew value of hex from objdump -R /path/to/your/httpd |grep free I am pretty sure that I could succeed. However, there are some cases when I tried it on exactly the same versions of kernel and apache servers and it DIDN'T work. So, answer lies somewhere else, not in openssl itself. I have made a different version of exploit than the one from worm sources, it works a bit faster. I am not going to publish it (yet), but I could test if some of you sure you are not vulnerable with version 0.9.6b. At least all of my machines were, with different versions of kernels. As I said, all attacker needs is an IP address, and hex value from line where it says just "free". Rest is up to skills and a bit of luck. As for me - it was a pain to recompile apache on 18 servers, since all of them have custom needs/setups. Modular apache with openssl are also vulnerable, I made a proof of concept few days ago for my students in lab. Best wishes, Mik- On Wed, 25 Sep 2002, Schmehl, Paul L wrote:
Interesting. I patched openssl the day the patch was announced (using up2date.) When the Slapper worm came out, I knew my system wasn't vulnerable, because I had already applied the patch on June 29th when it was released. I'm not sure why there would have been confusion about whether or not your system might be vulnerable, since both the the vulnerability and the patch were publicly announced, but I suspect it had to do with the fact that (at least in the case of Red Hat) the *version* of openssl you're running is patched rather than updating to the latest version. On RH 7.2 (my system), for example, openssl is version 0.9.6b, but it's patched against this vulnerability. All the advisories suggest updating to at least version 0.9.6e if not g, but they do not address the fact that your vendor may have patched previous versions. I sent a post to bugtraq pointing that out, but it was never published. Guess I'll just use this list from now on. Paul Schmehl (pauls () utdallas edu) Department Coordinator The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/-----Original Message----- From: John.Airey () rnib org uk [mailto:John.Airey () rnib org uk] Sent: Monday, September 23, 2002 9:48 AM To: full-disclosure () lists netsys com Subject: [Full-disclosure] The last word on the Linux Slapper worm Importance: High There has been a lack of information about the potential for damage around the Linux Slapper worm, and posts to the bugtraq list ranging from the sublime to the ridiculous. I am hoping that this post will clear up any doubts people may have about the vulnerabilities of their systems. It appears that the Linux vendors and openssl had been working together to produce an update to the vulnerability that was exploited by this worm. However, none of the openssl maintainers other than Mark Cox of Red Hat knows anything about this from what I can gather._______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 23)
- <Possible follow-ups>
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 23)
- The last word on the Linux Slapper worm Ron DuFresne (Sep 23)
- The last word on the Linux Slapper worm Schmehl, Paul L (Sep 25)
- The last word on the Linux Slapper worm Mikhail Iakovlev (Sep 25)
- The last word on the Linux Slapper worm Ben Laurie (Sep 26)
- The last word on the Linux Slapper worm Schmehl, Paul L (Sep 25)
- The last word on the Linux Slapper worm Mikhail Iakovlev (Sep 26)
- The last word on the Linux Slapper worm Mikhail Iakovlev (Sep 26)
- The last word on the Linux Slapper worm vdongen (Sep 26)
- The last word on the Linux Slapper worm Ben Laurie (Sep 26)
- The last word on the Linux Slapper worm Schmehl, Paul L (Sep 26)
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 26)
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 26)
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 26)
(Thread continues...)