The last word on the Linux Slapper worm

[misha () cerber no (Mikhail Iakovlev)]

There is not much significant differences in exploits, just the speed, so 
you can use the same exploit as in worm sources. BUT...you have to figure 
out yourself those offsets. It varies from system to system.

Good luck!

Mik-
P.S.Pay attention to bit with .bugtraq.c - you need to prepare it before 
you test anything. You can see what you need in sources, and source of 
bugtraq you can find on packetstorm.

On Wed, 25 Sep 2002, Schmehl, Paul L wrote:

> Send me the exploit and I'll test it against the server.  I've seen Slapper activity in the logs, but I haven't seen 
> any compromise.  As of this writing (I just checked), Red Hat only has opensssl 0.9.6b-28 available as an RPM on 
> their update site (for Red Hat 7.2.)
>
> There are two recent patches for openssl on Red Hat:
> http://rhn.redhat.com/errata/RHSA-2002-155.html
> http://rhn.redhat.com/errata/RHSA-2002-160.html
>
> 2002-155 is the one that is supposed to have fixed the problem that Slapper exploits (a buffer overflow in the client 
> key.)  If it isn't fixed, Red Hat definitely needs to know that ASAP.
>
> Since Slapper was discovered in the wild (9/18) I have been seeing these types of entries in the logs:
> [Sat Sep 21 04:02:36 2002] [notice] Apache/1.3.22 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6b DAV/1.0.2 
> PHP/4.1.2 mod_perl/1.26 configured -- resuming normal operations
> [Sat Sep 21 05:21:51 2002] [error] mod_ssl: SSL handshake failed (server www.obfuscated.com:443, client 
> 2xx.2x.1xx.1xx) (OpenSSL library error follows)
>
> But there's no evidence of any failures, no .bugtraq.c on the server, no port 2002 opened up for communications.  No 
> "complaints" from any of my defense systems.  Nothing to indicate the the worm got in.
>
> Paul Schmehl (pauls () utdallas edu)
> Project Coordinator
> University of Texas at Dallas
> http://www.utdallas.edu/~pauls/
> AVIEN Founding Member 
>
> > -----Original Message-----
> > From: Mikhail Iakovlev [mailto:misha () cerber no] 
> > Sent: Wednesday, September 25, 2002 7:04 PM
> > To: Schmehl, Paul L
> > Cc: John.Airey () rnib org uk; full-disclosure () lists netsys com
> > Subject: RE: [Full-disclosure] The last word on the Linux Slapper worm
> >
> >
> >
> > Paul, are you absolutely sure about it?
> > I have few systems that had 0.9.6b, and after playing with 
> > offsets for 
> > some time I managed to proof vulnerability. Of course it 
> > depends always on 
> > kernel versions/patches, and on modules which are included in apache 
> > server. Because of that addresses are changing.
> >
> > Like for example if I knew value of hex from objdump -R 
> > /path/to/your/httpd |grep free I am pretty sure that I could succeed. 
> > However, there are some cases when I tried it on exactly the 
> > same versions 
> > of kernel and apache servers and it DIDN'T work. So, answer 
> > lies somewhere 
> > else, not in openssl itself.