
Apache (Linux?) Worm



It seems there's a new worm out there working its way through
systems with Apache and vulnerable OpenSSL installations:

    http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html

First, I'll assume that OpenBSD systems with patch 13 for 3.1 (or
equivalent) don't have the buffer overflow needed for this. Having
said that, it's not entirely clear to me that it's a pure Linux
critter, and that's what I'm curious about. Are those (idiots)
with unpatched OpenBSD installations vulnerable?

Specifically, the advisories I've seen say that the worm relies on
the presence of /bin/sh and gcc and the ability to execute i386
shellcode. One would need to see the sh code to know if it's too
dependent on bash to work with OpenBSD's ksh, but will shellcode
targeted for Linux i386 run on OpenBSD 386? If not, does the
presence of Linux emulation change things?

In any event, Theo's decision to run Apache in a chroot starting
with 3.2 is proving its wisdom even before the release date.

Cheers,

b&

--
Ben Goren
 mailto:ben_(_at_)_trumpetpower_(_dot_)_com
 http://www.trumpetpower.com/
 icbm:33o25'37"N_111o57'32"W
