The last word on the Linux Slapper worm

[misha () cerber no (Mikhail Iakovlev)]

Paul, are you absolutely sure about it?
I have few systems that had 0.9.6b, and after playing with offsets for 
some time I managed to proof vulnerability. Of course it depends always on 
kernel versions/patches, and on modules which are included in apache 
server. Because of that addresses are changing.

Like for example if I knew value of hex from objdump -R 
/path/to/your/httpd |grep free I am pretty sure that I could succeed. 
However, there are some cases when I tried it on exactly the same versions 
of kernel and apache servers and it DIDN'T work. So, answer lies somewhere 
else, not in openssl itself.

I have made a different version of exploit than the one from worm sources, 
it works a bit faster. I am not going to publish it (yet), but I could 
test if some of you sure you are not vulnerable with version 0.9.6b.
At least all of my machines were, with different versions of kernels.

As I said, all attacker needs is an IP address, and hex value from line 
where it says just "free". Rest is up to skills and a bit of luck.

As for me - it was a pain to recompile apache on 18 servers, since all of 
them have custom needs/setups.

Modular apache with openssl are also vulnerable, I made a proof of concept 
few days ago for my students in lab.

Best wishes,
Mik-




On Wed, 25 Sep 2002, Schmehl, Paul L wrote:

> Interesting.  I patched openssl the day the patch was announced (using
> up2date.)  When the Slapper worm came out, I knew my system wasn't
> vulnerable, because I had already applied the patch on June 29th when it
> was released.  I'm not sure why there would have been confusion about
> whether or not your system might be vulnerable, since both the the
> vulnerability and the patch were publicly announced, but I suspect it
> had to do with the fact that (at least in the case of Red Hat) the
> *version* of openssl you're running is patched rather than updating to
> the latest version.
>
> On RH 7.2 (my system), for example, openssl is version 0.9.6b, but it's
> patched against this vulnerability.  All the advisories suggest updating
> to at least version 0.9.6e if not g, but they do not address the fact
> that your vendor may have patched previous versions.  I sent a post to
> bugtraq pointing that out, but it was never published.  Guess I'll just
> use this list from now on.
>
> Paul Schmehl (pauls () utdallas edu)
> Department Coordinator
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>
>
> > -----Original Message-----
> > From: John.Airey () rnib org uk [mailto:John.Airey () rnib org uk] 
> > Sent: Monday, September 23, 2002 9:48 AM
> > To: full-disclosure () lists netsys com
> > Subject: [Full-disclosure] The last word on the Linux Slapper worm
> > Importance: High
> >
> >
> > There has been a lack of information about the potential for 
> > damage around the Linux Slapper worm, and posts to the 
> > bugtraq list ranging from the sublime to the ridiculous. I am 
> > hoping that this post will clear up any doubts people may 
> > have about the vulnerabilities of their systems. It appears 
> > that the Linux vendors and openssl had been working together 
> > to produce an update to the vulnerability that was exploited 
> > by this worm. However, none of the openssl maintainers other 
> > than Mark Cox of Red Hat knows anything about this from what 
> > I can gather.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html