
Re: [cobalt-users] URGENT: CERT - Apache buffer overrun



SB> Date: Tue, 18 Jun 2002 14:50:30 +0100
SB> From: Steve Bassi


SB> "In Apache 1.3 the issue causes a stack overflow.  Due to the
SB> nature of the overflow on 32-bit Unix platforms this will
SB> cause a segmentation violation and the child will terminate."
SB> 
SB> A colleague of mine, feels that it will be able to cause the
SB> process of apache to segv which will be effective as a DoS

I'm also curious why one can trash the stack pointer "enough" on
a 64-bit *ix box or Windows.  Doesn't it strike anyone else as
odd that there's no remote exploit on 32-bit *ix platforms?  It's
possible, but... odd.

I'm sort of waiting for a "revision" of the impact statement.
Hopefully it doesn't come, but I'm worried.

One writes a "sploit" by trashing saved %eip on the stack; when
the function returns, it jumps to the wrong address.  Set it to
the beginning of the buffer, which has been filled with malicious
code... "arbitrary code execution by remote user"-city.

Don't flame me.  Anyone who wants to crack 1) is a script kiddie
who can't understand the above or 2) knows x86 assembler well
enough to write without me repeating what they know by heart.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
be blocked.
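The exploit sketch in the message above (overrun a local buffer, replace the saved return address with the buffer's own address, land on the attacker's bytes when the function returns), as an added worked example that is not part of the original post and not Apache's code. It models one stack frame in an ordinary array instead of corrupting the real stack, so it runs safely on any host, under a stack protector, and in either pointer width; the frame layout (local buffer, saved frame pointer, saved return address), the buffer size, the addresses and the four-byte `0xcc` stand-in for shellcode are all assumptions chosen for illustration. The unchecked copy is the bug pattern; the bounds-checked copy beside it is the fix.

```c
/* Added example: a stack frame smashed by an unchecked copy, modelled in an
 * array rather than on the real stack.  Layout, sizes and addresses are
 * assumptions for illustration, not taken from Apache or the original post. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64     /* the victim function's local buffer (assumed) */
#define MAX_PTR  8      /* pointer width on x86-64; i386 uses 4 */
#define SLACK    32     /* the caller's frame, also clobbered if the copy runs on */

/* One frame, lowest address first: local buffer, saved %ebp/%rbp,
 * saved %eip/%rip (the return address), then the caller's stack. */
struct frame {
    size_t   ptr_width;                           /* 4 on i386, 8 on x86-64 */
    uint64_t buf_addr;                            /* assumed address of buf[0] */
    uint8_t  mem[BUF_SIZE + 2 * MAX_PTR + SLACK]; /* model of the stack bytes */
};

/* Little-endian pointer read/write so the model matches x86 byte order. */
static uint64_t read_ptr(const uint8_t *p, size_t w) {
    uint64_t v = 0;
    for (size_t i = 0; i < w; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}
static void write_ptr(uint8_t *p, size_t w, uint64_t v) {
    for (size_t i = 0; i < w; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Distance from buf[0] to the saved return address: the buffer, then the
 * saved frame pointer.  This is the "enough" bytes the overrun has to cover. */
size_t ret_offset(size_t ptr_width) { return BUF_SIZE + ptr_width; }

void frame_init(struct frame *f, size_t ptr_width, uint64_t buf_addr,
                uint64_t saved_fp, uint64_t ret_addr) {
    memset(f, 0, sizeof *f);
    f->ptr_width = ptr_width;
    f->buf_addr = buf_addr;
    write_ptr(f->mem + BUF_SIZE, ptr_width, saved_fp);
    write_ptr(f->mem + ret_offset(ptr_width), ptr_width, ret_addr);
}

uint64_t saved_return(const struct frame *f) {
    return read_ptr(f->mem + ret_offset(f->ptr_width), f->ptr_width);
}

/* The bug pattern: n attacker-supplied bytes go into a BUF_SIZE buffer with
 * no comparison of n against BUF_SIZE.  (The clamp only keeps this model
 * inside its own array; the real bug has nothing of the kind.) */
void unchecked_copy(struct frame *f, const uint8_t *src, size_t n) {
    if (n > sizeof f->mem) n = sizeof f->mem;
    memcpy(f->mem, src, n);
}

/* The fix: refuse anything that does not fit, so the copy can never reach
 * the saved frame pointer or the return address.  0 on success, -1 if refused. */
int checked_copy(struct frame *f, const uint8_t *src, size_t n) {
    if (n > BUF_SIZE) return -1;
    memcpy(f->mem, src, n);
    return 0;
}

/* The payload the message sketches: code at the start of the buffer, filler
 * up to the saved frame pointer, then a return address equal to the buffer's
 * own address so the function's "ret" lands on the code.  Returns its length. */
size_t build_payload(uint8_t *out, size_t ptr_width, uint64_t buf_addr,
                     const uint8_t *code, size_t code_len) {
    size_t off = ret_offset(ptr_width);
    memcpy(out, code, code_len);
    memset(out + code_len, 0x90, off - code_len);  /* 0x90 = x86 NOP, as filler */
    write_ptr(out + off, ptr_width, buf_addr);
    return off + ptr_width;
}

/* 1 if, after the unchecked copy, the saved return address points at the
 * attacker's buffer (so "ret" would execute the payload); 0 otherwise. */
int smash_demo(size_t ptr_width) {
    struct frame f;
    uint8_t payload[sizeof f.mem];
    const uint8_t code[] = { 0xcc, 0xcc, 0xcc, 0xcc };   /* stand-in for shellcode */
    uint64_t buf_addr = ptr_width == 4 ? 0xbffff3a0ull : 0x7fffffffe3a0ull;
    frame_init(&f, ptr_width, buf_addr, buf_addr + 0x100, buf_addr + 0x1000);
    size_t n = build_payload(payload, ptr_width, buf_addr, code, sizeof code);
    unchecked_copy(&f, payload, n);
    return saved_return(&f) == buf_addr && f.mem[0] == code[0];
}

/* Same payload against the bounds-checked copy: 1 if the copy was refused
 * and the saved return address is still what the caller left there. */
int hardened_demo(size_t ptr_width) {
    struct frame f;
    uint8_t payload[sizeof f.mem];
    const uint8_t code[] = { 0xcc, 0xcc, 0xcc, 0xcc };
    uint64_t buf_addr = 0xbffff3a0ull, ret = buf_addr + 0x1000;
    frame_init(&f, ptr_width, buf_addr, buf_addr + 0x100, ret);
    size_t n = build_payload(payload, ptr_width, buf_addr, code, sizeof code);
    int rc = checked_copy(&f, payload, n);
    return rc == -1 && saved_return(&f) == ret;
}

int main(void) {
    printf("i386  : ret at +%zu, smashed=%d, hardened holds=%d\n",
           ret_offset(4), smash_demo(4), hardened_demo(4));
    printf("x86-64: ret at +%zu, smashed=%d, hardened holds=%d\n",
           ret_offset(8), smash_demo(8), hardened_demo(8));
    return 0;
}
```

Two caveats a practitioner would keep in mind: the offset to the saved return address depends on the pointer width and on whatever the compiler placed between the buffer and the frame's saved registers, so the 4-byte versus 8-byte difference is one reason the same overrun behaves differently on 32-bit and 64-bit builds; and on a modern toolchain a stack canary, a non-executable stack and address randomisation each break a different step of the jump-to-buffer plan shown here, which is why the fix that matters is the length check in `checked_copy`, not the mitigations.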