Re: Apache Exploit Released - where is an update for Woody?
On Thu, Jun 20, 2002 at 11:32:05AM -0700, Walter Reed wrote:
> On Thu, Jun 20, 2002 at 12:04:40PM -0500, Derrick 'dman' Hudson wrote:
> > On Thu, Jun 20, 2002 at 01:29:04PM +1000, John wrote:
> > | We need a version > 1.2.12, and are running 1.3.23 from woody. Is there
> > | any idea where a patched 1.3.23 for woody might be? Or should I install
> > | from source from apache.org?
> >
> > Woody currently has 1.3.24-3 (as does sid). (at least, according to
> > the mirror I use)
> >
> > Nonetheless, the DSA says it affects 64-bit architectures. It sounds
> > like if you're not using a 64-bit system (eg SPARC or ia64) then you
> > aren't vulnerable.
> >
> > <quote>
> > ... might allow arbitrary code execution on 64 bit architectures.
> > </quote>
>
> The exploit proved this false. The exploit was for openbsd on i386. It would
> probably be trivial to port it to linux. It's just a matter of time... Time
> probably measured in hours.
Well ATM everything seems to be vague. I don't have a OBSD to prove anything
and I'm not a coder. So everything from me is vague too.
But maybe it's interessting for you so I quote a mail from Stefan Esser
here:
==================Quote============================
Date: Thu, 20 Jun 2002 10:30:48 +0200
From: Stefan Esser <sesser@php.net>
To: bugtraq@securityfocus.com
Cc: vuln-dev@securityfocus.com
Subject: Apache Exploit
Hi,
i heard several people looking at the gobbles exploit and believing it
can only be fake:
here is my little explanation how bsd memcpy can be exploited:
first a snipset of the bsd memcpy code:
...
1:
addl %ecx,%edi /* copy backwards. */
addl %ecx,%esi
std
[1] andl $3,%ecx /* any fractional bytes? */
decl %edi
decl %esi
rep
movsb
[X] movl 20(%esp),%ecx /* copy remainder by words */
shrl $2,%ecx
subl $3,%esi
subl $3,%edi
rep
movsl
...
In Apache we trigger exactly this piece of code: bsd thinks the two
buffers are overlapping and so it wants to copy backward.
The problem is that you are able to overwrite the call to memcpy
including the supplied paramters (dst, src, length). With up to
3 bytes ([1]) depending on alignment. if you align everything perfectly
you can set the 3 high bytes of length to zero and so change how many
dwords memcpy tries to copy in our case 0x000000??
This is only possible because the code reads the length param again from
stack [X]... This way you can easily survive the call and overwrite
the saved instruction pointer before the memcpy call...
just my 0.02 cents
Stefan Esser - e-matters Security
=============Quote End======================
As I said I'm not a coder so for me everything is just mystery ;)
I upgraded _my_ boxes in the deep hope that the fix was ok so I'm
now sitting here waiting and reading on.
Sven
--
Sven Hoexter -=|=- Earth - Germany - Leverkusen
NOTICE: you have just been infected with Cooperative UNIX Email Virus,
to cooperate please run rm -rf / as root.
Thank you for your cooperation
--
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: