Vulnerability Development mailing list archives

Re: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server

From: KF <dotslash () snosoft com>
Date: Wed, 19 Jun 2002 05:06:01 -0400

Just so that you guys can physcially see what I am talking about ...here are some snippets from 2 seperate boxes... they both handled itdifferently...This may help in determining how exploitable this may or may not be. Iwill be testing on a TRU64 and SunOS box tonight ... I will let you knowhow it goes.


[080706f7] select(4, 0xbffff5f0, 0, 0, 0xbffff678) = 1
[08070725] read(3, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 512) = 512
[080706f7] select(4, 0xbffff5f0, 0, 0, 0xbffff678) = 1
[08070725] read(3, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 512) = 403
[080706f7] select(4, 0xbffff5f0, 0, 0, 0xbffff678) = 1
[08070725] read(3, "", 512)                       = 0
[080634a6] close(3)                               = 0
[080634b3] __errno_location()                     = 0x401adb80
[080634dc] __errno_location()                     = 0x401adb80
[08086734] sigemptyset(0xbffff7f4, 0x41414141, 0x41414141, 0x41414141,0x41414141) = 0
[08086760] sigaction(10, 0xbffff7f0, 0xbffff760, 0x41414141, 0x41414141) = 0

and this guy use x's instead of A's

>close(5)                                          = 0
>__errno_location()                                = 0x401fee60
>sigemptyset(0xbffff934, 0x78787878, 0x78787878, 0x78787878, 0x0808c9ac) = 0
>sigaction(10, 0xbffff930, 0xbffff8a4, 0x08069bcc, 0xbffff934) = 0
>waitpid(7651, 0, 1, 0, 0x0808c984)                = 7651
>accept(18, 0xbffff9ec, 0xbffff9e8, 0x0805c67b, 0 <unfinished ...>
>
>so sigaction is not touched (yet).

-KF

Current thread:

RE: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server Michael Wojcik (Jun 19)
- Re: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server KF (Jun 19)