
Re: [cobalt-security] Fw: blowchunks - protecting existing apache servers until upgrades arrive



Hi Rick,

> I've noticed that both
> /usr/sbin/httpd
> /usr/sbin/httpd.admsrv
> are compiled with DSO and mod_perl support - can anyone confirm that the
> below code attaches to apache as stated in the below post?  This sounds
> like a perfect bandaid until we hear from Sun on the official patch.
>
> Anyone with a development server and 2 minutes?

Yepp, when I saw it on bugtraq I tested it out right away. Works like a charm 
on the RaQ4. Stops the attack dead in its tracks and logs the IP of the 
attacker in /var/log/httpd/error

I'm now applying the fix to all my productive servers. I thought about 
building a PKG around blowchunks.c, but heck: Installing it is very easy:

/usr/sbin/apxs -i -a -c mod_blowchunks.c

Then open up /etc/httpd/conf/httpd.conf in an editor and change the line ...

LoadModule blowchunks_module  lib/apache/mod_blowchunks.so

.... to ...

LoadModule blowchunks_module  /usr/lib/apache/mod_blowchunks.so

and restart Apache:

/etc/rc.d/init.d/httpd start

Next is the Admin Server. There we only need to edit the config file to add 
the support:

pico /etc/admserv/conf/httpd.conf

Add the following two lines:

LoadModule blowchunks_module  /usr/lib/apache/mod_blowchunks.so
AddModule mod_blowchunks.c

Restart the Admin Server:

/etc/rc.d/init.d/admserv restart

That's it.

But beware: While blowchunks *might* offer some protection it's not sure that 
it does protect you 100% all the way against this exploit.

And there are still the vulnerable mod_ssl and mod_perl in our Apaches. :o(

-- 

Mit freundlichen Grüßen / With best regards

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
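
A way to confirm that the steps in the message above took effect in each config file, as an added example that is not part of the original post or of mod_blowchunks. The function name check_blowchunks and its return codes are assumptions made for this example; the directives and file paths it looks for are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: audit an Apache 1.3 config for the mod_blowchunks setup
# described in the message above.
# Return codes (chosen for this example, not defined by Apache):
#   0 ok, 1 no LoadModule line, 2 relative module path,
#   3 module file missing, 4 no AddModule line

check_blowchunks() {
    conf=$1
    # Last uncommented LoadModule line for blowchunks_module; field 3 is the path.
    path=$(awk '$1 == "LoadModule" && $2 == "blowchunks_module" { p = $3 }
                END { print p }' "$conf")
    if [ -z "$path" ]; then
        echo "$conf: blowchunks_module is not loaded"
        return 1
    fi
    # The message replaces lib/apache/... with /usr/lib/apache/...
    case $path in
        /*) ;;
        *)  echo "$conf: relative path '$path', use an absolute path"
            return 2 ;;
    esac
    if [ ! -f "$path" ]; then
        echo "$conf: $path does not exist"
        return 3
    fi
    if ! awk '$1 == "AddModule" && $2 == "mod_blowchunks.c" { found = 1 }
              END { exit !found }' "$conf"; then
        echo "$conf: AddModule mod_blowchunks.c is missing"
        return 4
    fi
    echo "$conf: ok ($path)"
}

# Stand-alone use: pass the config files to audit as arguments, e.g.
#   sh check.sh /etc/httpd/conf/httpd.conf /etc/admserv/conf/httpd.conf
if [ "$#" -gt 0 ]; then
    status=0
    for c in "$@"; do
        check_blowchunks "$c" || status=1
    done
    exit "$status"
fi
```

A passing check only shows that the module is configured; the error log mentioned in the message is where blocked requests would appear.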