Full Disclosure mailing list archives
The last word on the Linux Slapper worm
From: misha () cerber no (Mikhail Iakovlev)
Date: Thu, 26 Sep 2002 11:03:37 +0200 (CEST)
There are not many significant differences in exploits, just the speed, so you can use the same exploit as in the worm sources. BUT... you have to figure out those offsets yourself. They vary from system to system. Good luck!

Mik-

P.S. Pay attention to the bit with .bugtraq.c - you need to prepare it before you test anything. You can see what you need in the sources, and the source of bugtraq you can find on packetstorm.

On Wed, 25 Sep 2002, Schmehl, Paul L wrote:

> Send me the exploit and I'll test it against the server. I've seen Slapper activity in the logs, but I haven't seen any compromise.
>
> As of this writing (I just checked), Red Hat only has openssl 0.9.6b-28 available as an RPM on their update site (for Red Hat 7.2.) There are two recent patches for openssl on Red Hat:
>
> http://rhn.redhat.com/errata/RHSA-2002-155.html
> http://rhn.redhat.com/errata/RHSA-2002-160.html
>
> 2002-155 is the one that is supposed to have fixed the problem that Slapper exploits (a buffer overflow in the client key.) If it isn't fixed, Red Hat definitely needs to know that ASAP.
>
> Since Slapper was discovered in the wild (9/18) I have been seeing these types of entries in the logs:
>
> [Sat Sep 21 04:02:36 2002] [notice] Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.26 configured -- resuming normal operations
> [Sat Sep 21 05:21:51 2002] [error] mod_ssl: SSL handshake failed (server www.obfuscated.com:443, client 2xx.2x.1xx.1xx) (OpenSSL library error follows)
>
> But there's no evidence of any failures, no .bugtraq.c on the server, no port 2002 opened up for communications. No "complaints" from any of my defense systems. Nothing to indicate that the worm got in.
>
> Paul Schmehl (pauls () utdallas edu)
> Project Coordinator
> University of Texas at Dallas
> http://www.utdallas.edu/~pauls/
> AVIEN Founding Member
>
> -----Original Message-----
> From: Mikhail Iakovlev [mailto:misha () cerber no]
> Sent: Wednesday, September 25, 2002 7:04 PM
> To: Schmehl, Paul L
> Cc: John.Airey () rnib org uk; full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] The last word on the Linux Slapper worm
>
> Paul, are you absolutely sure about it? I have a few systems that had 0.9.6b, and after playing with offsets for some time I managed to prove the vulnerability. Of course it always depends on kernel versions/patches, and on the modules which are included in the apache server. Because of that, addresses are changing.
>
> Like, for example, if I knew the value of the hex from objdump -R /path/to/your/httpd |grep free I am pretty sure that I could succeed. However, there are some cases when I tried it on exactly the same versions of kernel and apache servers and it DIDN'T work. So, the answer lies somewhere else, not in openssl itself.
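Added example, not part of the thread and not code from any of its authors: a small Python triage script for the two things Paul Schmehl reports checking above, a cluster of mod_ssl "SSL handshake failed" entries from one client and an Apache startup banner advertising OpenSSL/0.9.6b. The log excerpt is constructed on the pattern of the two entries he quotes, with a placeholder hostname and TEST-NET client addresses; the 0.9.6e upstream cutoff is a fact about OpenSSL releases that the thread itself does not state. The banner check deliberately cannot say "vulnerable", for exactly the reason the thread turns on: Red Hat's fixed openssl-0.9.6b-28 package still reports 0.9.6b.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache 1.3 error_log excerpt, modelled on the two entries quoted in the
# thread. Hostname and client IPs are placeholders (example.com, RFC 5737 TEST-NET).
SAMPLE_LOG = """\
[Sat Sep 21 04:02:36 2002] [notice] Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.26 configured -- resuming normal operations
[Sat Sep 21 05:21:51 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Sat Sep 21 05:21:52 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Sat Sep 21 05:21:52 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Sat Sep 21 05:21:53 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Sat Sep 21 05:21:54 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Sat Sep 21 05:21:55 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Sat Sep 21 09:10:00 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 198.51.100.7) (OpenSSL library error follows)
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
HANDSHAKE_RE = re.compile(r"mod_ssl: SSL handshake failed \(server (?P<server>\S+), client (?P<client>\S+)\)")
BANNER_RE = re.compile(r"OpenSSL/(?P<ver>\S+)")
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Upstream OpenSSL release that carried the fix for the SSLv2 client-master-key overflow
# the worm used. Not stated in the thread; see the caveat in banner_status().
FIXED_UPSTREAM = "0.9.6e"


def parse_line(line):
    """Split one error_log line into (datetime, level, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["level"], m["msg"]


def handshake_failures(log_text):
    """Return [(datetime, client_ip)] for every mod_ssl handshake failure in the log."""
    out = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, level, msg = parsed
        hit = HANDSHAKE_RE.search(msg)
        if level == "error" and hit:
            out.append((ts, hit["client"]))
    return out


def burst_clients(failures, threshold=5, window_s=60):
    """Clients with >= threshold handshake failures inside any window_s-second window.

    One failure is normal (an old browser, a single probe); repeated exploitation
    attempts show up as a tight cluster from one source, which is what is flagged.
    """
    by_client = defaultdict(list)
    for ts, client in failures:
        by_client[client].append(ts)
    flagged = {}
    for client, stamps in by_client.items():
        stamps.sort()
        lo, best = 0, 0
        for hi, t in enumerate(stamps):          # sliding window over sorted timestamps
            while (t - stamps[lo]).total_seconds() > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged


def _vkey(version):
    """Sort key for letter-suffixed 0.9.x OpenSSL versions: '0.9.6b' -> (0, 9, 6, 'b')."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]?)$", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def banner_openssl_version(log_text):
    """OpenSSL version advertised in the Apache startup banner, or None if no banner seen."""
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed and parsed[1] == "notice":
            hit = BANNER_RE.search(parsed[2])
            if hit:
                return hit["ver"]
    return None


def banner_status(version):
    """'patched-upstream', 'check-vendor-package' or 'unknown'; never 'vulnerable'.

    Distributions backport fixes without bumping the library version: the thread's
    Red Hat 7.2 host runs openssl-0.9.6b-28, which still prints OpenSSL/0.9.6b. So a
    pre-fix banner only means the package release (rpm -q openssl) must be compared
    against the vendor errata. Pre-release strings such as 0.9.7-betaN are not scored.
    """
    if version is None or "-" in version:
        return "unknown"
    if _vkey(version) >= _vkey(FIXED_UPSTREAM):
        return "patched-upstream"
    return "check-vendor-package"


def triage(log_text):
    """Summarise both indicators for one error_log excerpt."""
    ver = banner_openssl_version(log_text)
    return {"openssl_banner": ver,
            "banner_status": banner_status(ver),
            "burst_clients": burst_clients(handshake_failures(log_text))}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%-15s %s" % (key, value))
```

Run it against a real error_log with `triage(open("/var/log/httpd/error_log").read())`; the burst threshold and window are tunable and should be set from a baseline of the site's normal handshake-failure rate rather than left at the defaults.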
Current thread:
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 23)
- <Possible follow-ups>
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 23)
- The last word on the Linux Slapper worm Ron DuFresne (Sep 23)
- The last word on the Linux Slapper worm Schmehl, Paul L (Sep 25)
- The last word on the Linux Slapper worm Mikhail Iakovlev (Sep 25)
- The last word on the Linux Slapper worm Ben Laurie (Sep 26)
- The last word on the Linux Slapper worm Schmehl, Paul L (Sep 25)
- The last word on the Linux Slapper worm Mikhail Iakovlev (Sep 26)
- The last word on the Linux Slapper worm Mikhail Iakovlev (Sep 26)
- The last word on the Linux Slapper worm vdongen (Sep 26)
- The last word on the Linux Slapper worm Ben Laurie (Sep 26)
- The last word on the Linux Slapper worm Schmehl, Paul L (Sep 26)
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 26)
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 26)
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 26)
- The last word on the Linux Slapper worm Mike Tone (Sep 26)