RE: [cobalt-users] URGENT: CERT - Apache buffer overrun

["E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>]

DL> Date: Tue, 18 Jun 2002 13:30:59 -0500
DL> From: David Lucas


DL> I've read all your posts Eddy.  Put some in plain english for
DL> us.

I think this is a hint. ;-)  I'll take it...


DL> What is the difference in this and what a Nimda or Code Red
DL> is doing to our machines?

Assuming you mean what Nimda/CR does to a non-vulnerable box...
those simply make invalid requests that cause a "page not found"
error.

What an Apache chunked-transfer exploit would do is crash the
instance of Apache servicing the "request".  Child dies, a new
one is forked -- and the details logged IIRC.

I'm predicting that the forking (spawning new child process to
service requests) would be notably higher-cost than simply
returning a "page not found" error.  I could be wrong.

Bandwidth is finite.  The DoS about which I'm speculating
leverages that -- for <x> bytes sent, what causes the biggest
load?  (This is what a SYN flood does for a vulnerable system.)

Make no mistake... it's worse on NT or Netware when running as a
single process.  And anything that allows arbitrary execution is
worse yet; what runs as what UID determines how bad that is.

I may well have been tired and overreacted to the implications in
my original post, but I _still_ think there's cause for concern
unless I see otherwise.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
be blocked.