Vulnerability Development mailing list archives

Re: Rumours about Apache 1.3.22 exploits


From: H D Moore <hdm () digitaloffense net>
Date: Mon, 25 Feb 2002 07:32:15 -0600

On Saturday 23 February 2002 06:12 pm, Pedro Hugo wrote:
There are rumours about an exploit for apache 1.3.22 at least...
Don't have yet details on it...
Anyone else heard about it ?

Disclaimer:  I have no exploits, dont ask for any. If you really want 
details, do a source diff on php 4.0.6 and 4.1.x for rfc1687.c.

There is a bug in the php_split_mime function in PHP 3.x and 4.x. There is a 
working exploit floating around which provides a remote bindshell for PHP 
versions 4.0.1 to 4.0.6 with a handful of default offsets for different 
platforms. Since the PHP developers commited another change to the affected 
source file (rfc1687.c) about two days ago, speculation is that there is yet 
another remote exploit. There are tools floating around whch demonstrate 
numerous SEGV's in the PHP module, not only in the mime decoder...

Exploits have been floating around for at least 2 months, you would think 
someone would step up and shed some light on this to the general public by 
now.  The sad thing is that certain folks in the "security industry" have 
known about this for almost as long as there have been exploits, yet nothing 
was ever made public.


Current thread: