[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <871080DEC5874D41B4E3AFC5C400611ECFCDC4@UTDEVS02.campus.ad.utdallas.edu>
From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: The last word on the Linux Slapper worm
Send me the exploit and I'll test it against the server. I've seen Slapper activity in the logs, but I haven't seen any compromise. As of this writing (I just checked), Red Hat only has opensssl 0.9.6b-28 available as an RPM on their update site (for Red Hat 7.2.)
There are two recent patches for openssl on Red Hat:
http://rhn.redhat.com/errata/RHSA-2002-155.html
http://rhn.redhat.com/errata/RHSA-2002-160.html
2002-155 is the one that is supposed to have fixed the problem that Slapper exploits (a buffer overflow in the client key.) If it isn't fixed, Red Hat definitely needs to know that ASAP.
Since Slapper was discovered in the wild (9/18) I have been seeing these types of entries in the logs:
[Sat Sep 21 04:02:36 2002] [notice] Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.26 configured -- resuming normal operations
[Sat Sep 21 05:21:51 2002] [error] mod_ssl: SSL handshake failed (server www.obfuscated.com:443, client 2xx.2x.1xx.1xx) (OpenSSL library error follows)
But there's no evidence of any failures, no .bugtraq.c on the server, no port 2002 opened up for communications. No "complaints" from any of my defense systems. Nothing to indicate the the worm got in.
Paul Schmehl (pauls@...allas.edu)
Project Coordinator
University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
> -----Original Message-----
> From: Mikhail Iakovlev [mailto:misha@...ber.no]
> Sent: Wednesday, September 25, 2002 7:04 PM
> To: Schmehl, Paul L
> Cc: John.Airey@...b.org.uk; full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] The last word on the Linux Slapper worm
>
>
>
> Paul, are you absolutely sure about it?
> I have few systems that had 0.9.6b, and after playing with
> offsets for
> some time I managed to proof vulnerability. Of course it
> depends always on
> kernel versions/patches, and on modules which are included in apache
> server. Because of that addresses are changing.
>
> Like for example if I knew value of hex from objdump -R
> /path/to/your/httpd |grep free I am pretty sure that I could succeed.
> However, there are some cases when I tried it on exactly the
> same versions
> of kernel and apache servers and it DIDN'T work. So, answer
> lies somewhere
> else, not in openssl itself.
Powered by blists - more mailing lists