[UNIX] "Slapper" OpenSSL/Apache Worm Propagation

From: support@securiteam.com
Date: 09/18/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 18 Sep 2002 09:24:46 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  "Slapper" OpenSSL/Apache Worm Propagation
------------------------------------------------------------------------

SUMMARY

ISS X-Force has learned of the active propagation of a worm that exploits
a previously disclosed vulnerability in the Secure Sockets Layer 2.0 (SSLv2)
handshake process. The worm is a modified derivative of the Apache
"Scalper" BSD worm. Current versions of the Slapper worm that are in the
wild are targeting Linux servers running Apache with mod_ssl. The worm has
distributed denial of service (DDoS) capabilities, as well as backdoor
functionality. Netcraft.com reports that over 66% of all active Web
servers on the Internet are running Apache. Securityspace.org reports that
there are nearly 1.4 million OpenSSL installations on the Internet.

DETAILS

Affected Versions:
OpenSSL versions up to and including 0.9.6d and 0.9.7 beta1

Current versions of the Slapper worm only target the following Linux
distributions. The worm may trigger unpredictable results on additional
UNIX platforms. Other UNIX platforms, as well as Apache with OpenSSL for
Windows may also be vulnerable to the OpenSSL vulnerability.

 * Debian Linux, Apache 1.3.26
 * RedHat Linux, Apache 1.3.6
 * RedHat Linux, Apache 1.3.9
 * RedHat Linux, Apache 1.3.12
 * RedHat Linux, Apache 1.3.19
 * RedHat Linux, Apache 1.3.20
 * RedHat Linux, Apache 1.3.23
 * SuSE Linux, Apache 1.3.12
 * SuSE Linux, Apache 1.3.17
 * SuSE Linux, Apache 1.3.19
 * SuSE Linux, Apache 1.3.20
 * SuSE Linux, Apache 1.3.23
 * Mandrake Linux, Apache 1.3.14
 * Mandrake Linux, Apache 1.3.19
 * Mandrake Linux, Apache 1.3.20
 * Mandrake Linux, Apache 1.3.23
 * Slackware Linux, Apache 1.3.26
 * Gentoo Linux (Apache version undetermined)

Impact:
Apache/mod_ssl servers with affected OpenSSL versions are being actively
compromised. Once a server is infected, the backdoor can be accessed
without any authentication. This may lead to third parties using infected
hosts to launch future DDoS attacks. X-Force has received reports that the
DDoS capabilities associated with this worm are very powerful and have
already been used to attack and disable high-profile targets. Binary and
source code versions of the worm are available and are being actively
circulated. Widespread access to the source code of this worm may lead to
the development of more powerful variants. Evidence exists of over 12000
infected hosts.

Description:
Mod_ssl is the Apache web server interface to OpenSSL, an open source
implementation of the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols. The Slapper worm exploits a buffer overflow in
the SSLv2 handshake process using a malformed client master key. The worm
actively scans for Apache installations over port 80, attempting to
determine the identity of the Linux distribution installed from the
"Server:" response-header field.

The worm does not attempt to compromise any server that does not identify
itself as Apache in the Server header. If the worm identifies an Apache
server that is not in its hard-coded list, it only attempts the exploit for
RedHat with Apache 1.3.23. This exploit vector is presumably selected
because it corresponds to a default installation of Red Hat version 7.

Once a server is compromised, the worm itself is transmitted to the
compromised host in source form. The source code is then compiled and
executed. The worm runs under the user id of the Web server process,
typically "apache".

The Slapper worm creates a peer-to-peer network of compromised servers and
communicates between worm processes over UDP port 2002. It accepts
requests for remote command execution, and has DDoS capabilities including
the following:

TCP and TCP/IPv6 flooding:
 - Establishes connections to a specified port and then immediately closes
the connections.
 - Target port is random if specified as 0.
 - Length of time to connect flood can be specified.
 - No data is sent in the TCP packet payload.

UDP flooding:
 - Sends variable length UDP packets with random data to a specified port.
 - Target port is random if specified as 0.
 - Length of time to send can be specified.

DNS flooding:
 - Sends multiple DNS queries for a specified DNS name to a target server.
 - Length of time to flood can be specified.

The Slapper worm has the ability to scan a file system for valid email
addresses. These addresses are returned to the requesting client over UDP
port 10100.

The Slapper worm is known to modify a compromised system in the following
manner:

The following files are created on the file system:

/tmp/.bugtraq.c - The source code of the worm.
/tmp/.uubugtraq - The uuencoded version of the source code.
/tmp/.bugtraq - The compiled binary form of the worm.

The binary /tmp/.bugtraq is started and accepts connections on UDP port
2002.

Recommendation:
Any users with installations of OpenSSL up to and including 0.9.6d or
0.9.7beta1 are encouraged to immediately upgrade to the latest version of
OpenSSL (currently 0.9.6g).

Administrators should consider one or more of the following temporary
workaround solutions to block and/or disable the propagation of the worm:

1) Disable mod_ssl HTTPS connections completely if they are not needed:

Comment out the following line in "httpd.conf":
Listen 443

so that it reads:
#Listen 443

2) Disable the SSLv2 protocol if unneeded. Locate the SSLCipherSuite
directive in httpd.conf.

If it is commented out, uncomment it.

Append ":!SSLv2" to the end of the directive, and remove any portion which
may enable SSLv2 such as: ":+SSLv2".

Ensure that other ciphers are correctly configured. For these changes to
take effect, the server must be restarted.

3) Administrators should consider disabling all compilers on production or
externally facing systems. While this workaround may not block future
variants, it will block propagation of this worm, which arrives as source
and must be compiled on the victim. Disabling compilers on production
systems is a good general security practice.

To disable the worm on an infected host, kill the .bugtraq processes:
killall -9 .bugtraq

Remove the worm files:
rm -f /tmp/.bugtraq /tmp/.uubugtraq /tmp/.bugtraq.c
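The following POSIX shell script is an added example and not code from the advisory or from ISS X-Force: it applies the SSLCipherSuite change from workaround 2 to a copy of httpd.conf, and checks a host for the file and UDP-port artifacts the advisory attributes to the worm. The function names, the use of /proc/net/udp for the port check, and the sample data it constructs are assumptions.

```shell
#!/bin/sh
# Added example, not code from the ISS X-Force/SecuriTeam advisory. It applies
# the SSLv2 workaround (recommendation 2) to a copy of httpd.conf and checks a
# host for the file and UDP-port artifacts the advisory attributes to Slapper.
# Assumed: POSIX sh, sed and awk; paths and sample data below are constructed.

# Uncomment SSLCipherSuite if needed, drop any ":+SSLv2" term, and append
# ":!SSLv2" once. Writes the rewritten config to stdout.
harden_ciphersuite() {
    sed -e 's/^\([[:space:]]*\)#[[:space:]]*SSLCipherSuite/\1SSLCipherSuite/' \
        -e '/^[[:space:]]*SSLCipherSuite/s/:+SSLv2//g' \
        -e '/^[[:space:]]*SSLCipherSuite.*:!SSLv2/!s/^\([[:space:]]*SSLCipherSuite.*\)$/\1:!SSLv2/' \
        "$1"
}

# Return 1 when any of the three files the advisory names exists under $1.
find_slapper_files() {
    dir="${1:-/tmp}"; rc=0
    for f in .bugtraq.c .uubugtraq .bugtraq; do
        [ -e "$dir/$f" ] && { echo "artifact: $dir/$f"; rc=1; }
    done
    return $rc
}

# /proc/net/udp lists local ports in hex: 2002 = 07D2 (worm P2P channel),
# 10100 = 2774 (e-mail address harvest reply). Return 1 if either is bound.
find_slapper_ports() {
    table="${1:-/proc/net/udp}"
    awk 'NR > 1 && $2 ~ /:(07D2|2774)$/ { print "udp listener: " $2; hit = 1 }
         END { exit (hit ? 1 : 0) }' "$table"
}

# Self-check on constructed data: the default mod_ssl cipher line (commented
# out) and a /proc/net/udp excerpt with a socket bound to 0.0.0.0:2002.
main() {
    tmp=$(mktemp -d)
    printf '#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP\n' \
        > "$tmp/httpd.conf"
    harden_ciphersuite "$tmp/httpd.conf"
    printf '  sl  local_address rem_address   st\n' > "$tmp/udp"
    printf '   0: 00000000:07D2 00000000:0000 07\n' >> "$tmp/udp"
    find_slapper_ports "$tmp/udp" || echo "possible Slapper P2P socket"
    : > "$tmp/.bugtraq"
    find_slapper_files "$tmp" || echo "possible Slapper files"
    rm -rf "$tmp"
}
main
```

Run the port and file checks against the live host by calling them with no arguments; the hardened config is written to stdout so it can be reviewed before replacing httpd.conf.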

ADDITIONAL INFORMATION

OpenSSL Project:
 http://www.openssl.org

ISS X-Force Database:
 http://www.iss.net/security_center/static/9714.php

The information has been provided by ISS X-Force.
