Vulnerability Development mailing list archives
Re: Apache Exploit
From: Randy Taylor <rtaylor () enterasys com>
Date: Fri, 21 Jun 2002 10:41:17 -0400
Note: Sent this to Michal and forgot to cc the list. Chalk it up to "too much to do and no time to get it done in" syndrome... <heavy sigh> -- RT

--- At 06:43 PM 6/20/2002 -0400, Michal wrote:

> On Thu, 20 Jun 2002, Randy Taylor wrote:
> > Yep it works. Not only that, but preliminary indications are that those
> > OS'es not specifically supported in the GOBBLES 'sploit can be DOS'ed by
> > it. I've totally hosed RH Linux and FreeBSD boxen with it so far.
>
> How come? At worst, Apache child on Linux should segfault and be restarted
> (which is a bit resource- and time-expensive operation, but no biggie).
> Perhaps you just DoSed it on TCP level? Or some other symptoms? Just curious.
In one case (the RH box), it looked like a TCP lockup condition. The thing just stopped responding to outside stimuli, and right after that, inputs via the local keyboard stopped as well. I haven't had time to dig into it further.

My goal was to trace the attack and develop a Dragon signature. Everything else that happened was kind of incidental. I killed the FreeBSD box by running it out of disk space. As the attack runs, Apache logs error messages - I don't have my Ethereal trace in front of me at the moment, but I recall the web server complaining about a misplaced colon character or something. The DoS came from having only one partition on the victim, and filling that up. It took about 20 minutes to do it. I think this "error log DoS" condition will work for any OS/web server combo if error logging is turned on - you'll eventually saturate the partition even if the attack can't crack a shell.

The GOBBLES exploit isn't "smart" only in that it doesn't test/trust what the banners tell it - so it just keeps churning through offsets - it never seems to run out of them and it doesn't care whether or not the victim is susceptible - the victim either cracks a shell or dies before apache-scalp gives up - if it ever does. ;)

Finally, the box I cracked was an OBSD 2.9 box w/Apache 1.3.20 - OBSD 2.9 wasn't on the target list of apache-scalp, if I remember rightly. (My notes are on my Linux partition - I'm writing this from my Windows side - the horror... the horror...). The UID you get when it cracks is the UID of the web server process.

Hope this helps. I've still got work to do on apache-scalp, so standard disclaimers apply. ;)

Randy
> --
> _____________________________________________________
> Michal Zalewski [lcamtuf () bos bindview com] [security]
> [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=>
> Did you know that clones never use mirrors? <=-=
> http://lcamtuf.coredump.cx/photo/
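The "error log DoS" Randy describes above (a brute-force offset search that makes Apache write one error entry per attempt until the only partition on the box fills) is detectable from the error log itself without knowing what the exploit is sending. The script below is an added example, not code from the thread, from Dragon, or from apache-scalp: it parses Apache 1.3-style error_log lines, flags any client whose [error] entries hit a threshold inside a sliding time window, and estimates how long the remaining free space would last at that write rate. The log lines, client addresses, message text and the 50 MB free-space figure are all constructed for the example; the thread only says the server "complained about a misplaced colon character or something", so the detector keys on rate, not on message content.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 1.3-style error_log line. Example (constructed):
#   [Thu Jun 20 18:43:00 2002] [error] [client 192.0.2.10] some message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_line(line):
    """Parse one error_log line into (timestamp, level, client, message), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, m.group("level"), m.group("client"), m.group("msg")


def find_floods(lines, window_secs=10, threshold=50):
    """Return {client: (count, nbytes)} for every client whose [error] entries
    reach `threshold` inside some sliding window of `window_secs` seconds.
    `nbytes` is the on-disk size (line plus newline) of that densest window."""
    per_client = defaultdict(list)  # client -> [(timestamp, bytes_written)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "error":
            continue
        ts, _level, client, _msg = parsed
        per_client[client].append((ts, len(line.encode()) + 1))

    floods = {}
    for client, entries in per_client.items():
        entries.sort()
        start, best_count, best_bytes = 0, 0, 0
        for end in range(len(entries)):
            # Slide the window start forward until it spans at most window_secs.
            while (entries[end][0] - entries[start][0]).total_seconds() > window_secs:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count = count
                best_bytes = sum(b for _, b in entries[start:end + 1])
        if best_count >= threshold:
            floods[client] = (best_count, best_bytes)
    return floods


def seconds_to_fill(free_bytes, window_bytes, window_secs):
    """Seconds until `free_bytes` is exhausted if the log keeps growing at the
    rate observed in the densest window (a lower bound on the real rate)."""
    rate = window_bytes / window_secs
    return None if rate <= 0 else free_bytes / rate


def sample_log():
    """Constructed sample: one client writing 40 error entries per second for
    five seconds, plus a benign client with an occasional error. Addresses are
    documentation ranges; the message text is a placeholder."""
    t0 = datetime(2002, 6, 20, 18, 43, 0)
    lines = []
    for sec in range(5):
        ts = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        for _ in range(40):
            lines.append(f"[{ts}] [error] [client 192.0.2.10] "
                         "request failed (constructed placeholder message)")
    for sec in (0, 30, 60):
        ts = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        lines.append(f"[{ts}] [error] [client 198.51.100.7] File does not exist")
    return lines


if __name__ == "__main__":
    floods = find_floods(sample_log())
    for client, (count, nbytes) in floods.items():
        # 50 MB free is an assumed figure for the demonstration.
        eta = seconds_to_fill(50 * 1024 * 1024, nbytes, 10)
        print(f"{client}: {count} errors / {nbytes} bytes in 10s; "
              f"50 MB free lasts ~{eta:.0f}s at that rate")
```

Run it against a real error_log with `find_floods(open(path).readlines())`; the 50-per-10-seconds threshold is a starting point and should be tuned to the host's normal error rate. The estimate is deliberately pessimistic (it assumes the densest observed window is sustained), which is the right bias when the failure mode is a full root partition taking the box down with it. The operational fix the thread points at is independent of any signature: keep the web server's logs on their own filesystem so that saturating them cannot wedge the rest of the system.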
Current thread:
- Apache Exploit Stefan Esser (Jun 20)
- Re: Apache Exploit Blue Boar (Jun 20)
- Re: Apache Exploit Randy Taylor (Jun 20)
- Re: Apache Exploit Michal Zalewski (Jun 20)
- Message not available
- Re: Apache Exploit Randy Taylor (Jun 21)
- Re: Apache Exploit David Bernick (Jun 21)
- Re: Apache Exploit T0aD (Jun 22)
- Re: Apache Exploit Alex Balayan (Jun 23)
- Re: Apache Exploit Randy Taylor (Jun 24)
- Re[2]: Apache Exploit dullien (Jun 26)
- Re: Apache Exploit Randy Taylor (Jun 20)
- Re: Apache Exploit Blue Boar (Jun 20)
- Re: Apache Exploit Stefan Esser (Jun 20)
- Re[2]: Apache Exploit dullien (Jun 20)
- Re[2]: Apache Exploit Michal Zalewski (Jun 20)
- Re: Apache Exploit Jefferson Ogata (Jun 20)