Re: [cobalt-users] URGENT: CERT - Apache buffer overrun
- Subject: Re: [cobalt-users] URGENT: CERT - Apache buffer overrun
- From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
- Date: Mon Jun 17 22:10:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
DL> Date: Mon, 17 Jun 2002 23:47:24 -0500
DL> From: David Lucas
DL> Just what the heck has this to do with us as a Cobalt list.
DL>
DL> We are not running windows on our Cobalts (no one I am aware
DL> of) and we are not running any 64bit Unix boxes.
DL> Read the impact statement. These are the systems affected.

Follow the link to the Apache site. Maybe I should reserve
"urgent" for remote code execution, but a DOS is nothing at which
to sneer. It wouldn't be difficult to launch a steady stream of
packets to keep Apache segfaulting and respawning. Considering
how many people use the Web interface to admin their boxen...

Yes, it's tough to spoof TCP on a Cobalt. But it's not like
there aren't compromised machines, often connected in "botnets",
where things get ugly quickly. A little ingenuity goes a long
way towards untraceability. A few requests to TCP/80 look legit
unless one inspects the packets for chunked transfers...
something that, AFAIK, no non-malware clients use.

I also don't know just where the overrun is. The wording is
encouraging in that it leads me to believe only part of saved
%eip is trashed... but it's vague. Maybe I'm tired, but it seems
odd that one could trash the whole 64-bit return %eip (sorry for
using Intel nomenclature out-of-place), yet not wipe out the
32-bit counterpart.

Call it a DOS, as the advisory states, but I'm still confuzzled
why no remote code execution. Not that I'm complaining...

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
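
The inspection for chunked transfers mentioned in the message above, as an added example that is not part of the original post: this Python finds requests that use chunked transfer coding and, going one step further than the message, checks that the chunk framing is well-formed. The function names, the 1 MiB size cap and the sample requests are assumptions constructed for the example.

```python
import re

MAX_CHUNK = 1 << 20  # assumed policy cap (1 MiB), chosen for this example
HEX_SIZE = re.compile(rb"^[0-9A-Fa-f]{1,8}$")

def transfer_codings(raw):
    """Return (lower-cased Transfer-Encoding values, body) of a raw request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    codings = []
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"transfer-encoding":
            codings += [c.strip().lower() for c in value.split(b",")]
    return codings, body

def check_chunks(body):
    """Walk the chunk framing; an empty list means it is well-formed."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return ["truncated chunk-size line"]
        field = body[pos:eol].split(b";", 1)[0].strip()  # ignore chunk extensions
        if not HEX_SIZE.match(field):
            return [f"bad chunk-size field {field!r}"]
        size = int(field, 16)
        if size == 0:
            return []  # last-chunk marker reached
        if size > MAX_CHUNK:
            return [f"chunk size {size} exceeds cap"]
        pos = eol + 2 + size
        if body[pos:pos + 2] != b"\r\n":
            return ["chunk data not terminated by CRLF"]
        pos += 2

def inspect(raw):
    """None for a non-chunked request, else the list of framing findings."""
    codings, body = transfer_codings(raw)
    return check_chunks(body) if b"chunked" in codings else None

# Constructed sample requests (not captured traffic).
HEAD = b"POST /cgi-bin/form HTTP/1.1\r\nHost: www.example.com\r\n"
SAMPLES = {
    "plain": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "chunked_ok": HEAD + b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "bad_size": HEAD + b"TRANSFER-ENCODING: Chunked\r\n\r\nzz\r\nhello\r\n0\r\n\r\n",
    "oversize": HEAD + b"Transfer-Encoding: chunked\r\n\r\n200000\r\nhello\r\n0\r\n\r\n",
}
```

`inspect()` returns `None` for requests without a chunked body, so a caller can log or rate-limit only the chunked ones and treat any non-empty findings list as a reason to drop the request.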