At 04:10 PM 6/24/2002 -0400, you wrote:
> Perhaps I'm wrong, but I get the distinct impression that all
> the "software" at www.eeye.com does is look at the version of apache
> that is returned for an HTTP connect (probably just a HEAD). If the
> version is 1.3 then if the release is less than 26, it's vulnerable;
> if 26 or greater it's not. If the version is 2.0 then a similar check
> on the release is done. I don't believe that the eeye.com software
> actually checks to see if the site is actually vulnerable to the exploit.
That is what I thought at first but have since changed my mind. I think
it actually sends chunked data then checks for the response.
If I scan my box with the eeye.com tool before applying the blowchunks
workaround my server shows up as vulnerable and I get:
[Sat Jun 22 19:31:42 2002] [notice] child pid 11161 exit signal
Segmentation fault (11)
-- which is, I believe, the vulnerability in action.
However after I apply the patch my server no longer shows up as vulnerable
and I get:
[Mon Jun 24 08:30:48 2002] [error] [client XXX.XXX.XXX.XXX]
Transfer-Encoding: chunked - denied and logged
After scanning with the same tool.
Interestingly, if I apply the perl blowchunks patch and not the module, I
am no longer shown as vulnerable but I get the Segmentation Fault
error. So I don't think the perl script is really protecting you. Since
the module is so easy to get going I'd recommend that one.
BTW, since I installed the workaround I haven't seen anyone hit my box yet
with chunked data. Still waiting for automated tools for the kiddies to
come out. Has anyone else been attacked yet?
Brian
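An added example, not part of this thread, showing one way to watch an Apache 1.3 error_log for the two signals Brian quotes: child segfaults (the vulnerability being triggered) and the blowchunks "denied and logged" line (the workaround catching a chunked request). The log lines below are constructed to match the quoted formats (the segfault line is one line in a real log; it was only wrapped in the mail), and the client addresses are documentation-range placeholders.

```python
import re
from collections import Counter

# Constructed sample error_log excerpt modelled on the two formats quoted
# in the message above; addresses are placeholders, not real clients.
SAMPLE_LOG = """\
[Sat Jun 22 19:31:42 2002] [notice] child pid 11161 exit signal Segmentation fault (11)
[Sat Jun 22 19:31:43 2002] [notice] child pid 11162 exit signal Segmentation fault (11)
[Mon Jun 24 08:30:48 2002] [error] [client 192.0.2.10] Transfer-Encoding: chunked - denied and logged
[Mon Jun 24 08:31:02 2002] [error] [client 192.0.2.10] Transfer-Encoding: chunked - denied and logged
[Mon Jun 24 09:00:00 2002] [error] [client 192.0.2.55] Transfer-Encoding: chunked - denied and logged
[Mon Jun 24 09:05:12 2002] [notice] Apache/1.3.26 (Unix) configured -- resuming normal operations
"""

# A child dying with SIGSEGV (11) is what the unpatched server logged.
SEGFAULT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal Segmentation fault \(11\)"
)
# The blowchunks module logs this when it refuses a chunked request.
DENIED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"Transfer-Encoding: chunked - denied and logged"
)


def parse_error_log(text):
    """Return (segfaults, denials): lists of (ts, pid) and (ts, client)."""
    segfaults, denials = [], []
    for line in text.splitlines():
        m = SEGFAULT_RE.match(line)
        if m:
            segfaults.append((m.group("ts"), int(m.group("pid"))))
            continue
        m = DENIED_RE.match(line)
        if m:
            denials.append((m.group("ts"), m.group("client")))
    return segfaults, denials


def summarize(text):
    """Count both signals and break denials down per client address."""
    segfaults, denials = parse_error_log(text)
    return {
        "child_segfaults": len(segfaults),
        "chunked_denied": len(denials),
        "denied_by_client": dict(Counter(c for _, c in denials)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Segfault notices with no matching denial suggest the module is not loaded or not protecting the vhost in question, which is the situation Brian describes with the perl-only patch.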