Re: [apache-ssl] Assertions considered bad!? (was: Re: [apache-ssl] Invalid method in request)

Fri, 30 Oct 1998 16:07:06 -0500 

On Fri, Oct 30, 1998, Marc Slemko wrote:

> On Fri, 30 Oct 1998, Ralf S. Engelschall wrote:
> 
> > So on a typical system an attacker who gained access to _any_ account (not
> > necessarily the UID of the httpd or the gcache process) can simply dropping
> > down gcache and this way all httpds by just sending garbage to the gcache
> > port. 
> 
> What does gcache do?  What does someone gain by being able to gain
> access to it?  Can they do anything beyond DoS attacks?

No, but the DoS attack is already a nasty enough problem.

> > | rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
> > | :> ./ssl_gcache rse 12346 &
> > | [1] 29897
> > | [Fri Oct 30 22:35:43 1998] ssl_gcache: started
> > | rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
> > | :> ps -ax | grep ssl_gcache 
> > |   306  ??  I      0:00.03 ssl_gcache 65534 12345
> > | 29897  p0  S      0:00.02 ./ssl_gcache rse 12346
> > | rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
> > | :> echo "hello" | socket en1 12346
> > | [Fri Oct 30 22:35:54 1998] ssl_gcache: unexpected connect from 192.76.162.40 - 
>ignored
> 
> Actually, Ben's code does the exact same thing in this case.   In
> your previous example, you connected to localhost.

Ops, sorry. My fault in cut & pasting. I pasted the wrong test.  Nevertheless
the fact is correct that ssl_gcache doesn't die.  Here is the correct test:

| :> echo "hello" | socket localhost 12346
| [Fri Oct 30 22:55:40 1998] ssl_gcache: invalid cache request
| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :> echo "hello" | socket localhost 12346
| [Fri Oct 30 22:55:42 1998] ssl_gcache: invalid cache request
| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :> echo "hello" | socket localhost 12346
| [Fri Oct 30 22:55:42 1998] ssl_gcache: invalid cache request
| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :> echo "hello" | socket localhost 12346
| [Fri Oct 30 22:55:42 1998] ssl_gcache: invalid cache request
| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :> echo "hello" | socket localhost 12346
| [Fri Oct 30 22:57:19 1998] ssl_gcache: invalid cache request
| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :> echo "hello" | socket localhost 12346
| [Fri Oct 30 22:57:19 1998] ssl_gcache: invalid cache request
| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :>

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]

Reply via email to