Message-ID: <Pine.LNX.4.33.0209260158040.22999-100000@cerber.no>
From: misha at cerber.no (Mikhail Iakovlev)
Subject: The last word on the Linux Slapper worm
Paul, are you absolutely sure about it?
I have a few systems that had 0.9.6b, and after playing with offsets for
some time I managed to prove the vulnerability. Of course it always depends on
kernel versions/patches, and on the modules which are included in the apache
server. Because of that the addresses change.
For example, if I knew the hex value from objdump -R
/path/to/your/httpd | grep free, I am pretty sure that I could succeed.
However, there are some cases when I tried it on exactly the same versions
of kernel and apache servers and it DIDN'T work. So, the answer lies somewhere
else, not in openssl itself.
I have made a different version of the exploit than the one from the worm sources;
it works a bit faster. I am not going to publish it (yet), but I could
test if some of you are sure you are not vulnerable with version 0.9.6b.
At least all of my machines were, with different versions of kernels.
As I said, all an attacker needs is an IP address and the hex value from the line
where it says just "free". The rest is up to skill and a bit of luck.
As for me, it was a pain to recompile apache on 18 servers, since all of
them have custom needs/setups.
Modular apache with openssl is also vulnerable; I made a proof of concept
a few days ago for my students in the lab.
Best wishes,
Mik-
On Wed, 25 Sep 2002, Schmehl, Paul L wrote:
> Interesting. I patched openssl the day the patch was announced (using
> up2date.) When the Slapper worm came out, I knew my system wasn't
> vulnerable, because I had already applied the patch on June 29th when it
> was released. I'm not sure why there would have been confusion about
> whether or not your system might be vulnerable, since both the
> vulnerability and the patch were publicly announced, but I suspect it
> had to do with the fact that (at least in the case of Red Hat) the
> *version* of openssl you're running is patched rather than updating to
> the latest version.
>
> On RH 7.2 (my system), for example, openssl is version 0.9.6b, but it's
> patched against this vulnerability. All the advisories suggest updating
> to at least version 0.9.6e if not g, but they do not address the fact
> that your vendor may have patched previous versions. I sent a post to
> bugtraq pointing that out, but it was never published. Guess I'll just
> use this list from now on.
>
> Paul Schmehl (pauls@...allas.edu)
> Department Coordinator
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>
>
> > -----Original Message-----
> > From: John.Airey@...b.org.uk [mailto:John.Airey@...b.org.uk]
> > Sent: Monday, September 23, 2002 9:48 AM
> > To: full-disclosure@...ts.netsys.com
> > Subject: [Full-Disclosure] The last word on the Linux Slapper worm
> > Importance: High
> >
> >
> > There has been a lack of information about the potential for
> > damage around the Linux Slapper worm, and posts to the
> > bugtraq list ranging from the sublime to the ridiculous. I am
> > hoping that this post will clear up any doubts people may
> > have about the vulnerabilities of their systems. It appears
> > that the Linux vendors and openssl had been working together
> > to produce an update to the vulnerability that was exploited
> > by this worm. However, none of the openssl maintainers other
> > than Mark Cox of Red Hat knows anything about this from what
> > I can gather.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
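Added example, not from the thread and not OpenSSL's code: the bug Slapper exploited is the SSLv2 CLIENT-MASTER-KEY handling in OpenSSL before 0.9.6e (CVE-2002-0656), where the client-supplied KEY-ARG-LENGTH was trusted when copying into the 8-byte key_arg field of SSL_SESSION. The C below models that handler next to a 0.9.6e-style length check. The flat session record with a sentinel word after key_arg, the message builder, the 'A' fill and the function names are constructed for this demo. In the real server the bytes beyond key_arg land on the rest of SSL_SESSION and the heap after it; the worm's exploit turned that into an overwrite of the GOT entry for free, which is why the address Mikhail reads from objdump -R matters and why it changes from build to build.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Real OpenSSL constant: the key_arg field in SSL_SESSION is 8 bytes. */
#define SSL2_MAX_KEY_ARG_LENGTH 8

/* Constructed model of the session record (hypothetical layout, not
 * OpenSSL's): key_arg at offset 0, then a sentinel word standing in for
 * "whatever follows key_arg", then slack so the overwrite stays inside
 * raw[] and the program remains well-defined. */
#define KEY_ARG_OFF  0
#define SENTINEL_OFF SSL2_MAX_KEY_ARG_LENGTH
#define SENTINEL     0xA5A5A5A5u
#define RECORD_SIZE  256

struct session_model { unsigned char raw[RECORD_SIZE]; };

static void session_init(struct session_model *s)
{
    uint32_t v = SENTINEL;
    memset(s->raw, 0, sizeof s->raw);
    memcpy(s->raw + SENTINEL_OFF, &v, sizeof v);
}

static uint32_t session_sentinel(const struct session_model *s)
{
    uint32_t v;
    memcpy(&v, s->raw + SENTINEL_OFF, sizeof v);
    return v;
}

/* SSLv2 CLIENT-MASTER-KEY body: MSG-TYPE(1) CIPHER-KIND(3)
 * CLEAR-KEY-LENGTH(2) ENCRYPTED-KEY-LENGTH(2) KEY-ARG-LENGTH(2), then the
 * three variable fields in that order; lengths are big-endian. */
#define CMK_HDR_LEN 10

static int parse_hdr(const unsigned char *p, size_t len,
                     size_t *clear, size_t *enc, size_t *keya)
{
    if (len < CMK_HDR_LEN || p[0] != 2)     /* 2 = CLIENT-MASTER-KEY */
        return -1;
    *clear = (size_t)(p[4] << 8 | p[5]);
    *enc   = (size_t)(p[6] << 8 | p[7]);
    *keya  = (size_t)(p[8] << 8 | p[9]);
    /* Both variants refuse to read past the message; the bug is the
     * destination field size, not the source. */
    return (CMK_HDR_LEN + *clear + *enc + *keya > len) ? -1 : 0;
}

/* Pre-0.9.6e behaviour: KEY-ARG-LENGTH is trusted for the copy into the
 * 8-byte field. Returns 0 even when it has just overflowed. */
int handle_cmk_vulnerable(struct session_model *s,
                          const unsigned char *p, size_t len)
{
    size_t clear, enc, keya;
    if (parse_hdr(p, len, &clear, &enc, &keya) != 0) return -1;
    /* Demo-only guard so we never leave raw[]; the real code had none. */
    if (KEY_ARG_OFF + keya > RECORD_SIZE) return -2;
    memcpy(s->raw + KEY_ARG_OFF, p + CMK_HDR_LEN + clear + enc, keya);
    return 0;
}

/* 0.9.6e-style fix: reject a KEY-ARG-LENGTH larger than the field. */
int handle_cmk_fixed(struct session_model *s,
                     const unsigned char *p, size_t len)
{
    size_t clear, enc, keya;
    if (parse_hdr(p, len, &clear, &enc, &keya) != 0) return -1;
    if (keya > SSL2_MAX_KEY_ARG_LENGTH) return -1;   /* KEY_ARG_TOO_LONG */
    memcpy(s->raw + KEY_ARG_OFF, p + CMK_HDR_LEN + clear + enc, keya);
    return 0;
}

/* Constructed CLIENT-MASTER-KEY with attacker-chosen KEY-ARG-LENGTH and
 * 'A' as key_arg bytes; clear/encrypted key left empty. Returns length. */
size_t build_cmk(unsigned char *out, size_t cap, size_t keya)
{
    size_t total = CMK_HDR_LEN + keya;
    if (total > cap) return 0;
    out[0] = 2;
    out[1] = 0x01; out[2] = 0x00; out[3] = 0x80;   /* SSL_CK_RC4_128_WITH_MD5 */
    out[4] = out[5] = out[6] = out[7] = 0;          /* clear = enc = 0 */
    out[8] = (unsigned char)(keya >> 8); out[9] = (unsigned char)keya;
    memset(out + CMK_HDR_LEN, 'A', keya);
    return total;
}

/* Feeds one message to both handlers. Bit 0: vulnerable path clobbered
 * the word after key_arg. Bit 1: fixed path rejected the message. */
int demo(size_t keya)
{
    unsigned char msg[128];
    struct session_model v, f;
    size_t n = build_cmk(msg, sizeof msg, keya);
    int mask = 0;
    session_init(&v); session_init(&f);
    handle_cmk_vulnerable(&v, msg, n);
    if (handle_cmk_fixed(&f, msg, n) != 0) mask |= 2;
    if (session_sentinel(&v) != SENTINEL) mask |= 1;
    printf("keya=%zu vulnerable sentinel=%08x fixed sentinel=%08x mask=%d\n",
           keya, (unsigned)session_sentinel(&v), (unsigned)session_sentinel(&f), mask);
    return mask;
}

int main(void)
{
    demo(8);    /* legitimate length: both paths accept, sentinel intact */
    demo(12);   /* overlong: vulnerable path overwrites the next word, fix rejects */
    return 0;
}
```

A KEY-ARG-LENGTH of 12 with the vulnerable handler leaves 0x41414141 where the sentinel was; the same message is refused by the fixed handler before any copy. This is also why the thread's advice to check the patch rather than the version string is right: a vendor-patched 0.9.6b that carries this one check is not exploitable, while an unpatched one is, whatever objdump says about free.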