[Full-Disclosure] The last word on the Linux Slapper worm
Schmehl, Paul L
pauls at utdallas.edu
Thu Sep 26 05:31:25 BST 2002
Send me the exploit and I'll test it against the server. I've seen Slapper activity in the logs, but I haven't seen any compromise. As of this writing (I just checked), Red Hat only has opensssl 0.9.6b-28 available as an RPM on their update site (for Red Hat 7.2.)
There are two recent patches for openssl on Red Hat:
2002-155 is the one that is supposed to have fixed the problem that Slapper exploits (a buffer overflow in the client key.) If it isn't fixed, Red Hat definitely needs to know that ASAP.
Since Slapper was discovered in the wild (9/18) I have been seeing these types of entries in the logs:
[Sat Sep 21 04:02:36 2002] [notice] Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.26 configured -- resuming normal operations
[Sat Sep 21 05:21:51 2002] [error] mod_ssl: SSL handshake failed (server www.obfuscated.com:443, client 2xx.2x.1xx.1xx) (OpenSSL library error follows)
But there's no evidence of any failures, no .bugtraq.c on the server, no port 2002 opened up for communications. No "complaints" from any of my defense systems. Nothing to indicate the the worm got in.
Paul Schmehl (pauls at utdallas.edu)
University of Texas at Dallas
AVIEN Founding Member
> -----Original Message-----
> From: Mikhail Iakovlev [mailto:misha at cerber.no]
> Sent: Wednesday, September 25, 2002 7:04 PM
> To: Schmehl, Paul L
> Cc: John.Airey at rnib.org.uk; full-disclosure at lists.netsys.com
> Subject: RE: [Full-Disclosure] The last word on the Linux Slapper worm
> Paul, are you absolutely sure about it?
> I have few systems that had 0.9.6b, and after playing with
> offsets for
> some time I managed to proof vulnerability. Of course it
> depends always on
> kernel versions/patches, and on modules which are included in apache
> server. Because of that addresses are changing.
> Like for example if I knew value of hex from objdump -R
> /path/to/your/httpd |grep free I am pretty sure that I could succeed.
> However, there are some cases when I tried it on exactly the
> same versions
> of kernel and apache servers and it DIDN'T work. So, answer
> lies somewhere
> else, not in openssl itself.
Full-Disclosure is hosted and sponsored by Secunia.