Re: Follow up:Apache Nosejob
From: Darroch (darroch.royden@blueyonder.co.uk)
Date: 08/22/02
- Previous message: Nick Iglehart: "RE: exploiting printers, home routers & smb routers"
- In reply to: Jeremy Junginger: "Follow up:Apache Nosejob"
- Next in thread: Craig: "Re: Follow up:Apache Nosejob"
From: "Darroch" <darroch.royden@blueyonder.co.uk>
To: "Jeremy Junginger" <jjunginger@interactcommerce.com>, <vuln-dev@securityfocus.com>
Date: Thu, 22 Aug 2002 20:52:17 +0100
Jeremy,
from;
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:02.apache.asc
...
II. Problem Description
Versions of the apache http daemon before release 1.05 do
not properly restrict shell meta-characters transmitted to
the daemon via form input (via GET or POST).
...
try using POST instead of GET.
regards,
----- Original Message -----
From: "Jeremy Junginger" <jjunginger@interactcommerce.com>
To: <pen-test@securityfocus.com>; <vuln-dev@securityfocus.com>
Sent: Thursday, August 22, 2002 6:15 PM
Subject: Follow up:Apache Nosejob
After performing some research, I noticed that the apache worm that is
plaguing FreeBSD machines uses the following settings (please correct me
if I'm wrong):
FreeBSD 4.5 x86 / Apache/1.3.20 (Unix):
D=-146,
B= 0xbfbfde00,
R= 6
Z= 36
FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
D=-134
B= 0xbfbfdb00
R= 3
Z=36
After seeing this, I think I have a patched version of Apache installed,
as the second exploit, which should work, does not. If any of you have
an older, vulnerable version of apache or know where I can find one, let
me know. Anyways, thanks for the help.
-Jeremy
***************************
ORIGINAL MESSAGE:
***************************
Good Morning,
I've got a lab set up with the following host:
FreeBSD 4.5
Apache 1.3.23 (downloaded from
http://packetstormsecurity.org/UNIX/admin/apache_1.3.23.tar.gz )
And am running the apache-nosejob script against it in order to
understand the chunked encoding vulnerability:
http://packetstorm.decepticons.org/0206-exploits/apache-nosejob.c
When I ran ./apache-nosejob -o f -h x.x.x.x(address of host), the script
ran for over 12 hours with no successful penetration :). I have also
tried the script with the -b 0x80a0000, -d -150, -z 36, -r 6 switches to
no avail. Perhaps you could suggest some alternate r|d|z values for the
Brute Force settings? Thanks,
-Jeremy