Vulnerability Development mailing list archives

Re: Rumours about Apache 1.3.22 exploits


From: KF <dotslash () snosoft com>
Date: Tue, 05 Mar 2002 09:20:44 -0500

Well since the binary has already been leaked.... here's what I know about the exploit by lorian. This exploit is definitely beating up on apache... It segfaults the heck out of it during testing... I don't know about the backdoor it makes however ... it didn't seem to work for me... I am not sure about it being a trojan either... a simple strings of the binary revealed nothing alarming. Don't waste your time asking me for it either (anyone) because I won't give it to you. I tested this on the Mandrake 8.0 version...

Mandrake 8.0 / apache-1.3.19-3mdk from RPM / PHP/4.X
RedHat 7.1 / apache-1.3.19-5 from RPM / PHP/4.X
Debian 2.2r3 / Apache 1.3.20 / PHP 4.0.5 (stack)
CRASH ME
Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1 (apache GOT kill)
Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1 (stack)
Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1 (GOT _estrndup)
Debian 2.2r3 / Apache 1.3.20 / PHP 4.0.3 (GOT _estrndup)
usage: %s [options] <hostname> <phpfile>
Options:
 -c            check exploitability only, do not exploit
 -f            force mode, override check results
 -n            no check mode
 -l retloc     set retlocation
 -a retaddr    set return address
 -t target     choose target
              (%d) %s
73501867 - x86/linux mod_php v4.0.2rc1-v4.0.5 remote exploit
by lorian.

...

$ cat /etc/httpd/logs/error_log
[Wed Feb 27 11:54:22 2002] [notice] child pid 2388 exit signal Segmentation fault (11)
[Wed Feb 27 11:54:22 2002] [notice] child pid 2386 exit signal Segmentation fault (11)
[Wed Feb 27 11:54:22 2002] [notice] child pid 2385 exit signal Segmentation fault (11)
[Wed Feb 27 11:54:31 2002] [notice] child pid 2418 exit signal Segmentation fault (11)
[Wed Feb 27 11:54:31 2002] [notice] child pid 2417 exit signal Segmentation fault (11)
[Wed Feb 27 11:54:31 2002] [notice] child pid 2416 exit signal Segmentation fault (11)
[Wed Feb 27 11:54:32 2002] [notice] child pid 2421 exit signal Segmentation fault (11)
[Wed Feb 27 11:54:33 2002] [notice] child pid 2423 exit signal Segmentation fault (11)
[Wed Feb 27 11:54:33 2002] [notice] child pid 2422 exit signal Segmentation fault (11)
[Wed Feb 27 11:54:34 2002] [notice] child pid 2432 exit signal Segmentation fault (11)
[Wed Feb 27 11:54:34 2002] [notice] child pid 2431 exit signal Segmentation fault (11)
[Wed Feb 27 11:54:34 2002] [notice] child pid 2430 exit signal Segmentation fault (11)

...
-KF
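An added example, not part of KF's post: a small Python scanner that parses Apache 1.3 error_log lines of the kind pasted above and flags a burst of child segfaults, which is the trace an offset-guessing remote exploit leaves on the server. The threshold and window are assumptions, and the isolated 10:00:00 line and the "resuming normal operations" line are constructed to show what is ignored.

```python
import re
from datetime import datetime, timedelta
# Apache 1.3 error_log line for a child killed by a signal, e.g.
# [Wed Feb 27 11:54:22 2002] [notice] child pid 2388 exit signal Segmentation fault (11)
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\] "
    r"\[\w+\] child pid (?P<pid>\d+) exit signal [^(]+ \((?P<num>\d+)\)$"
)
# Constructed sample: the twelve segfault lines from the post above, plus one isolated
# earlier segfault and one unrelated notice that the parser must ignore.
SAMPLE_LOG = [
    "[Wed Feb 27 10:00:00 2002] [notice] child pid 1000 exit signal Segmentation fault (11)",
    "[Wed Feb 27 11:54:20 2002] [notice] Apache/1.3.19 (Unix) configured -- resuming normal operations",
] + [
    "[Wed Feb 27 11:54:%02d 2002] [notice] child pid %d exit signal Segmentation fault (11)" % (s, p)
    for s, p in [(22, 2388), (22, 2386), (22, 2385), (31, 2418), (31, 2417), (31, 2416),
                 (32, 2421), (33, 2423), (33, 2422), (34, 2432), (34, 2431), (34, 2430)]
]

def parse_child_deaths(lines):
    """Return (timestamp, pid, signal number) for every child-exit-signal line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            out.append((ts, int(m.group("pid")), int(m.group("num"))))
    return out

def segfault_bursts(events, threshold=5, window=timedelta(seconds=30)):
    """One (first, last, count) per burst of >= threshold SIGSEGV (11) deaths within window."""
    segs = sorted(ts for ts, _pid, num in events if num == 11)
    bursts, start, in_burst = [], 0, False
    for end, ts in enumerate(segs):
        while ts - segs[start] > window:   # slide the window's left edge forward
            start += 1
        if end - start + 1 >= threshold:
            if in_burst:                   # extend the burst already open
                first, _last, n = bursts[-1]
                bursts[-1] = (first, ts, n + 1)
            else:                          # open a new burst
                bursts.append((segs[start], ts, end - start + 1))
                in_burst = True
        else:
            in_burst = False
    return bursts

if __name__ == "__main__":
    for first, last, n in segfault_bursts(parse_child_deaths(SAMPLE_LOG)):
        print("%d child segfaults between %s and %s" % (n, first, last))
```

On the pasted log this reports a single burst of 12 segfaulting children in 12 seconds, while the lone earlier crash stays below the threshold.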
VeNoMouS wrote:

Actually I was pasted on a so-called exploit this afternoon which claims to
exploit via post but was only pasted on a binary,
however please watch out for this I believe it's a working exploit but it
also seems to open up a udp port on 3049 and somehow seems to be cloning the
last proc, when stracing the 3049 all it seems to do is sit there and
recv(...) and does nothing when you type anything.

binary is called 73501867 - x86/linux mod_php v4.0.2rc1-v4.0.5 by lorian.

Has anyone seen this about before?? Is this a trojan, if not then why does
it open udp 3049 even after a reboot.
I trace the proc opening that port, kill it and it seems to clone somehow my
last proc and then 2mins l8r opens the port again.

Any ideas?


----- Original Message -----
From: "Olaf Kirch" <okir () caldera de>
To: "H D Moore" <hdm () digitaloffense net>
Cc: <fractalg () highspeedweb net>; <vuln-dev () securityfocus com>
Sent: Wednesday, February 27, 2002 3:07 AM
Subject: Re: Rumours about Apache 1.3.22 exploits


There is a bug in the php_split_mime function in PHP 3.x and 4.x. There
is a working exploit floating around which provides a remote bindshell for
PHP versions 4.0.1 to 4.0.6 with a handful of default offsets for different
platforms.

Blechch. This code is really icky. There's really an sprintf down there
in the code that looks bad (apart from a few other things that look bad).
But if I don't misread the patch, the sprintf is still there in 4.1.1.

Since the PHP developers committed another change to the affected
source file (rfc1687.c) about two days ago, speculation is that there is
yet another remote exploit.

Not in the public CVS (has been removed?)

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
        UNIX, n.: Spanish manufacturer of fire extinguishers.
