lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.33.0209261100500.27239-100000@cerber.no>
From: misha at cerber.no (Mikhail Iakovlev)
Subject: The last word on the Linux Slapper worm

There is not much significant differences in exploits, just the speed, so 
you can use the same exploit as in worm sources. BUT...you have to figure 
out yourself those offsets. It varies from system to system.

Good luck!

Mik-
P.S.Pay attention to bit with .bugtraq.c - you need to prepare it before 
you test anything. You can see what you need in sources, and source of 
bugtraq you can find on packetstorm.

On Wed, 25 Sep 2002, Schmehl, Paul L wrote:

> Send me the exploit and I'll test it against the server.  I've seen Slapper activity in the logs, but I haven't seen any compromise.  As of this writing (I just checked), Red Hat only has opensssl 0.9.6b-28 available as an RPM on their update site (for Red Hat 7.2.)
> 
> There are two recent patches for openssl on Red Hat:
> http://rhn.redhat.com/errata/RHSA-2002-155.html
> http://rhn.redhat.com/errata/RHSA-2002-160.html
> 
> 2002-155 is the one that is supposed to have fixed the problem that Slapper exploits (a buffer overflow in the client key.)  If it isn't fixed, Red Hat definitely needs to know that ASAP.
> 
> Since Slapper was discovered in the wild (9/18) I have been seeing these types of entries in the logs:
> [Sat Sep 21 04:02:36 2002] [notice] Apache/1.3.22 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.26 configured -- resuming normal operations
> [Sat Sep 21 05:21:51 2002] [error] mod_ssl: SSL handshake failed (server www.obfuscated.com:443, client 2xx.2x.1xx.1xx) (OpenSSL library error follows)
> 
> But there's no evidence of any failures, no .bugtraq.c on the server, no port 2002 opened up for communications.  No "complaints" from any of my defense systems.  Nothing to indicate the the worm got in.
> 
> Paul Schmehl (pauls@...allas.edu)
> Project Coordinator
> University of Texas at Dallas
> http://www.utdallas.edu/~pauls/
> AVIEN Founding Member 
> 
> > -----Original Message-----
> > From: Mikhail Iakovlev [mailto:misha@...ber.no] 
> > Sent: Wednesday, September 25, 2002 7:04 PM
> > To: Schmehl, Paul L
> > Cc: John.Airey@...b.org.uk; full-disclosure@...ts.netsys.com
> > Subject: RE: [Full-Disclosure] The last word on the Linux Slapper worm
> > 
> > 
> > 
> > Paul, are you absolutely sure about it?
> > I have few systems that had 0.9.6b, and after playing with 
> > offsets for 
> > some time I managed to proof vulnerability. Of course it 
> > depends always on 
> > kernel versions/patches, and on modules which are included in apache 
> > server. Because of that addresses are changing.
> > 
> > Like for example if I knew value of hex from objdump -R 
> > /path/to/your/httpd |grep free I am pretty sure that I could succeed. 
> > However, there are some cases when I tried it on exactly the 
> > same versions 
> > of kernel and apache servers and it DIDN'T work. So, answer 
> > lies somewhere 
> > else, not in openssl itself.
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ