Vulnerability Development mailing list archives

Re: Rumours about Apache 1.3.22 exploits


From: H D Moore <sflist () digitaloffense net>
Date: Tue, 26 Feb 2002 21:44:58 -0600

To clarify:

AFAIK the exploit takes advantage of a buggy memchr() call in versions 4.0.6 
and below. This vulnerability is exploitable remotely, no "upload" or local 
access is needed. I heard that the patch put into CVS a few days ago was just 
for RFC compliance...



On Tuesday 26 February 2002 08:07 am, Olaf Kirch wrote:
There is a bug in the php_split_mime function in PHP 3.x and 4.x. There
is a working exploit floating around which provides a remote bindshell
for PHP versions 4.0.1 to 4.0.6 with a handful of default offsets for
different platforms.

Blechch. This code is really icky. There's really an sprintf down there
in the code that looks bad (apart from a few other things that look bad).
But if I don't misread the patch, the sprintf is still there in 4.1.1.

Since the PHP developers committed another change to the affected
source file (rfc1687.c) about two days ago, speculation is that there is
yet another remote exploit.

Not in the public CVS (has been removed?)

Olaf
