
RE: [cobalt-users] Apache Exploit problem - what have you done?



At 04:10 PM 6/24/2002 -0400, you wrote:
Perhaps, I'm wrong, but I get the distinct impression that all
the "software" at www.eeye.com does is look at the version of apache
that is returned for an HTTP connect (probably just a HEAD). If the
version is 1.3 then if the release is less than 26, it's vulnerable,
if 26 or greater it's not. If the version is 2.0 then a similar check
on the release is done. I don't believe that the eeye.com software
actually checks to see if the site is actually vulnerable to the exploit.

That is what I thought at first but have since changed my mind. I think it actually sends chunked data then checks for the response. If I scan my box with the eeye.com tool before applying the blowchunks workaround my server shows up as vulnerable and I get:

[Sat Jun 22 19:31:42 2002] [notice] child pid 11161 exit signal Segmentation fault (11)

-- which is, I believe, the vulnerability in action.

However after I apply the patch my server no longer shows up as vulnerable and I get:

[Mon Jun 24 08:30:48 2002] [error] [client XXX.XXX.XXX.XXX] Transfer-Encoding: chunked - denied and logged

after scanning with the same tool.

Interestingly, if I apply the perl blowchunks patch and not the module, I am no longer shown as vulnerable but I get the Segmentation Fault error. So I don't think the perl script is really protecting you. Since the module is so easy to get going I'd recommend that one.

BTW, since I installed the workaround I haven't seen anyone hit my box yet with chunked data. Still waiting for automated tools for the kiddies to come out. Anyone else been attacked yet?

Brian

--
Brian M. Rahill
President
RainStorm, Inc.
http://www.rainstormconsulting.com
"Designing Strategies for Internet Success."
brian@xxxxxxxxxxxxxxxx
Phone: 207-866-3908
Fax: 207-866-0297
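
Added example, not part of the original post: a small Python triage over an Apache 1.3 error_log that separates the two outcomes described in the message above, child segfaults and requests rejected with "Transfer-Encoding: chunked - denied and logged". The sample log is constructed; only the two message formats come from the post, and the function name `triage`, the client addresses and the extra lines are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 1.3 error_log prefix: [Sat Jun 22 19:31:42 2002] [level] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
SEGV = re.compile(r"^child pid (?P<pid>\d+) exit signal Segmentation fault \(11\)")
DENY = re.compile(r"^\[client (?P<client>[^\]]+)\] Transfer-Encoding: chunked - denied and logged")

# Constructed sample: the two message formats are the ones quoted in the post;
# the client addresses (RFC 5737 documentation range) and other lines are made up.
SAMPLE_LOG = """\
[Sat Jun 22 19:31:42 2002] [notice] child pid 11161 exit signal Segmentation fault (11)
[Sat Jun 22 19:40:03 2002] [error] [client 192.0.2.10] File does not exist: /var/www/robots.txt
[Mon Jun 24 08:30:48 2002] [error] [client 192.0.2.10] Transfer-Encoding: chunked - denied and logged
[Mon Jun 24 09:02:11 2002] [error] [client 192.0.2.77] Transfer-Encoding: chunked - denied and logged
[Mon Jun 24 09:15:27 2002] [notice] child pid 11702 exit signal Segmentation fault (11)
this line is not in error_log format
"""

def triage(log_text):
    """Return child crashes, denied chunked requests per client, and
    crashes logged after the first denial (worth a closer look)."""
    crashes, denied, first_deny = [], Counter(), None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in error_log format
        try:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # bracketed prefix that is not a timestamp
        if (s := SEGV.match(m["msg"])):
            crashes.append((ts, int(s["pid"])))
        elif (d := DENY.match(m["msg"])):
            denied[d["client"]] += 1
            first_deny = first_deny or ts  # log is chronological
    late = [c for c in crashes if first_deny and c[0] > first_deny]
    return {"crashes": crashes, "denied": dict(denied), "crashes_after_deny": late}

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("child segfaults:", len(r["crashes"]))
    for client, n in sorted(r["denied"].items()):
        print(f"denied chunked requests from {client}: {n}")
    print("segfaults after first denial:", [pid for _, pid in r["crashes_after_deny"]])
```

A segfault reported after the first denial does not by itself prove a chunked request got through; it only marks a crash that happened while denials were already being logged and deserves a look at the access log for the same second.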