[Pluto-security] Fwd: bugtraq.c httpd apache ssl attack

Dido dido@sicurweb.com
Mon, 16 Sep 2002 10:29:19 +0200


I'm forwarding to the list a few security reports, almost all of which went out on Bugtraq:
for those who don't know, there is an OpenSSL worm going around that hits
Apache installations....
A somewhat more detailed report is here:
http://online.securityfocus.com/bid/5363
Dido

>Subj: bugtraq.c httpd apache ssl attack
>
>I am using RedHat 7.3 with Apache 1.3.23. Someone used the
>program "bugtraq.c" to explore a modSSL buffer overflow to get access to
>a shell. The attack creates a file named "/tmp/.bugtraq.c" and compiles it
>using gcc. The program is started with another computer ip address as
>argument. All computer files that the user "apache" can read are exposed.
>The program attacks the following Linux distributions:
>
>Red-Hat: Apache 1.3.6,1.3.9,1.3.12,1.3.19,1.3.20,1.3.22,1.3.23,1.3.26
>SuSe: Apache 1.3.12,1.3.17,1.3.19,1.3.20,1.3.23
>Mandrake: 1.3.14,1.3.19
>Slackware: Apache 1.3.26
----------
>Subj: Re: bugtraq.c httpd apache ssl attack
>
>Wouldn't it be easier to create a blank /tmp/.bugtraq.c file, chmod 000,
>owned by root?
----------
>Subj: Re: bugtraq.c httpd apache ssl attack
>
>Usually, a common tactical move is to securely design the system from the
>start. A /tmp placed on an independent partition and mounted noexec, nosuid,
>along with chattr +a on logs and +i on important directories like /sbin,
>/bin and the like, is a fair policy.
>As for a quick fix, yes, this will keep away the worm, but not the hacker.
>One can easily tear apart the worm and create a 'remote shell' through Apache
>kind of thing. It is advisable to keep the systems always in good shape (if
>possible.. I have seen 'updates' that broke things trying to fix others,
>merely the RedHat 7.0 updates have fallen sometime in this category..) and
>keep always an open eye (if time/staff permits).
----------

>Subj: OpenSSL worm in the wild
>
>I have now seen a worm for the OpenSSL problems I reported a few weeks
>back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should be
>_seriously worried_.
>It appears to be exclusively targeted at Linux systems, but I wouldn't
>count on variants for other systems not existing.
----------

>Subj: Apache worm in the wild
>
>Beginning with 12.09.2002 we have noticed a variant of the Apache Worm
>http://dammit.lt/apache-worm/apache-worm.c which now exploits mod_ssl bug.
>The worm can be identified by doing a ps -ax | grep bugtraq (it has the name
>.bugtraq :) ).
>It is an 'agent' worm (as its parent, mr. Apache Worm), and can be
>controlled / instructed to do a UDP Flood, TCP Flood, DNS Flood, other
>goodies including command execution on infected system. The source is found
>in /tmp/.bugtraq.c ... and the comments are in english now :)
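The three indicators the quoted posts mention (the dropped /tmp/.bugtraq.c source, a process named .bugtraq, and a /tmp that is not mounted noexec,nosuid) written up as a small defender-side check script. This is an added example, not code from the thread or from any of the posters; the ps -ax and /proc/mounts text it parses is constructed sample data, and 192.0.2.10 is a placeholder address.

```sh
#!/bin/sh
# Host checks for the Slapper/bugtraq.c indicators named in the thread.
# Sample data at the bottom is constructed, not captured from a real host.

# Read /proc/mounts-style lines on stdin and print which of noexec/nosuid
# are missing from the /tmp entry ("" if both present,
# "no-separate-tmp" if /tmp is not its own mount point).
tmp_missing_opts() {
    opts=$(awk '$2 == "/tmp" { print $4; exit }')
    if [ -z "$opts" ]; then
        echo "no-separate-tmp"
        return
    fi
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;                         # option present
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    echo "$missing"
}

# Read ps -ax style output on stdin (PID TTY STAT TIME COMMAND) and print
# the PIDs whose command name is exactly ".bugtraq".
find_worm_pids() {
    awk 'NR > 1 && $5 == ".bugtraq" { print $1 }'
}

# Print yes/no for whether the dropper source exists at the given path.
dropper_present() {
    if [ -e "$1" ]; then echo yes; else echo no; fi
}

# Constructed sample input: /tmp has nosuid but not noexec, and one
# .bugtraq process is running with a placeholder peer address.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/hda3 /tmp ext3 rw,nosuid 0 0'
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
  512 ?        S      0:00 httpd -DSSL
 2048 ?        S      0:02 .bugtraq 192.0.2.10
 2100 pts/0    R      0:00 ps -ax'

echo "/tmp missing options: $(printf '%s\n' "$SAMPLE_MOUNTS" | tmp_missing_opts)"
echo "worm PIDs: $(printf '%s\n' "$SAMPLE_PS" | find_worm_pids)"
echo "dropper present on this host: $(dropper_present /tmp/.bugtraq.c)"
```

Replace the sample variables with `cat /proc/mounts` and `ps -ax` to run the same checks against the live host.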