RE: apache sec hole..


Subject: RE: apache sec hole..
From: James Gibson (twistedhammer@subdimension.com)
Date: Fri Jun 28 2002 - 14:00:22 AKDT


On Fri, 28 Jun 2002, James Zuelow wrote:
> > if you want it just change the name to scalp.c and give it a
> > whirl .. lol...
> >
> >
> I actually tried that as soon as the exploit was posted to
> securityfocus.com. I tested two servers, one Apache 1.3.24 and one Apache
> 2.0.35, both on OpenBSD 3.0. I could crash Apache at home (2.0.35), but
> that was as far as the brute force method would get me (set the target ID to
> any digit other than the listed targets, and it tries to brute force the
> target server). I tried the specific attack as well on the 1.3.24 server,
> but again all it did was crash Apache instead of giving me a shell.
>
> There are probably some other variables in my installations that the exploit
> didn't account for, but I'm not enough of a C guru to figure out what they
> might be.

Haven't actually looked too in depth into the issues 'cause we've been too
busy applying the patches, but I know initially they thought it was a DoS
on 32-bit platforms and a shell-able exploit on 64-bit platforms (at least
Sun hardware...), then they said differently.. so maybe it's just harder
to exploit on 32-bit systems?

who knows... Between Apache and openssh it's been a _long_ week. =)

--James Gibson
 




This archive was generated by hypermail 2a23 : Fri Jun 28 2002 - 14:00:31 AKDT