[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Apache (Linux?) Worm
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Apache (Linux?) Worm
- From: Ben Goren <ben_(_at_)_trumpetpower_(_dot_)_com>
- Date: Fri, 13 Sep 2002 21:01:33 -0700
It seems there's a new worm out there working its way through
systems with Apache and vulnerable OpenSSL installations:
First, I'll assume that OpenBSD systems with patch 13 for 3.1 (or
equivalent) don't have the buffer overflow needed for this. Having
said that, It's not entirely clear to me that it's a pure Linux
critter, and that's what I'm curious about. Are those (idiots)
with unpatched OpenBSD installations vulnerable?
Specifically, the advisories I've seen say that the worm relies on
the presence of /bin/sh and gcc and the ability to execute i386
shellcode. One would need to see the sh code to know if it's too
dependent on bash to work with OpenBSD's ksh, but will shellcode
targeted for Linux i386 run on OpenBSD 386? If not, does the
presence of Linux emulation change things?
In any event, Theo's decision to run Apache in a chroot starting
with 3.2 is proving its wisdom even before the release date.
[demime 0.98d removed an attachment of type application/pgp-signature]