> -----Original Message-----
> From: David Ressman [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 25, 2002 2:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: The apache_chunked_encoding.nasl
[snip]
>
> However, this may also be the case. We've found several versions of
> Apache which we know are vulnerable (and have vulnerable version numbers
> that are caught by the safe check), but are failing the more extensive
> test. So far, we've seen some hosts running Apache 1.3.19, 1.3.12, and
> 1.3.16 (all running Solaris, but I'm not sure it's tied to the OS) fail
> the in-depth test.
Interesting. One of the tests I gathered from one of the security lists
(although I've lost the original post) is to telnet to an affected web server
and enter this text:
POST /x.html HTTP/1.1
Host: 192.168.1.1
Transfer-Encoding: chunked

80000000
Rapid 7
0
Against:
"Server: Apache/1.3.24 (Unix)" on Solaris 8
both the safe and unsafe checks return a hole. Using the manual test, the
server drops the connection after the "80000000" line.
Against:
"Server: Apache/1.3.1 (Unix)" on Solaris 2.6
"Server: Apache/1.2.4" on Solaris 2.6
the safe check returns a hole, while the unsafe says it's OK. In the manual
test, after I hit the second carriage return after the "Transfer-Encoding:
chunked" line, the server responds with "HTTP/1.1 100 Continue" and an extra
carriage return. Then when I enter "80000000" the server returns "HTTP/1.1
400 Bad Request".
Against:
"Server: Apache/1.3.19 (Unix)" on Solaris 2.6
"Server: Apache/1.3.19 (Unix)" on HP-UX 11.00
"Server: Apache/1.3.3 (Unix)" on Solaris 2.6
"Server: Apache/1.3.9 (Unix)" on Solaris 2.6
"Server: Apache/1.3.6 (Unix)" on Solaris 2.6
"Server: Apache/1.3.12 (Unix)" on Solaris 7
I also get the "HTTP/1.1 400 Bad Request" after the "80000000" line, but
there is no "HTTP/1.1 100 Continue" in between.
Against:
"Server: Apache/1.3.12 (Unix)" on SuSE Linux 7.0 (s390) - Kernel 2.2.16
My manual test disconnects like a vulnerable system, but the unsafe check
says it's OK. Need to investigate more fully since this one should return a
hole using unsafe checks.
Against:
"Server: Apache/1.2.5" on UnixWare 2.1.2
The safe check returns vulnerable, the unsafe check returns invulnerable and
the manual check never errors out.
These "400" messages are also what a 1.3.26 server responds with, so maybe
we've discovered that not all of 1.3.0-1.3.24 are vulnerable. Maybe my manual
test is flawed. Anyone know of a better one? I checked a couple of them using
the test from apache_chunked_encoding.nasl, where the string is "fffffff0"
instead of "80000000", with the same results.
No, you won't see these systems sitting in our DMZ...:)
Regards,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.