Re: HTTPS scans

From: Kurt Seifried (bugtraq@seifried.org)
Date: 03/11/02


From: "Kurt Seifried" <bugtraq@seifried.org>
To: "Keith T. Morgan" <keith.morgan@terradon.com>, <incidents@securityfocus.com>
Date: Mon, 11 Mar 2002 12:20:45 -0700


>From: "Keith T. Morgan" <keith.morgan@terradon.com>
>We're starting to see a surge in scans for tcp 443. My guess is that
>someone has scripted an attack against the mod_ssl vulnerability.

That I find unlikely since you exploit it by using a malformed certificate
that the server must first verify. Thus to do this in a widespread fashion
you would need to get Thawte/Verisign or one of the other large, "trusted"
firms to issue you a cert that contains the malicious data. While possible, I
find this unlikely. What I would find more likely is people finally getting
semi-intelligent and realizing you can bypass the network IDS in most places
by going to the SSL side of the web server.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.idefense.com/digest.html

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


