apache ssl bug in exploitanje

Martin martin at amadej.si
Sat Jul 19 18:51:33 CEST 2003


Hey!

--snip-snip--
[07/Jul/2003 12:17:42 24731] [info]  Seeding PRNG with 1160 bytes of entropy
[07/Jul/2003 12:17:42 24732] [info]  Connection to child 33 established 
(server bleh.server.com:443, client 216.234.248.81)
[07/Jul/2003 12:17:42 24732] [info]  Seeding PRNG with 1160 bytes of entropy
[07/Jul/2003 12:17:43 24729] [info]  Connection: Client IP: 216.234.248.81, 
Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
[07/Jul/2003 12:17:43 24730] [info]  Connection: Client IP: 216.234.248.81, 
Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
[07/Jul/2003 12:17:43 24731] [info]  Connection: Client IP: 216.234.248.81, 
Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
[07/Jul/2003 12:17:44 24732] [error] SSL handshake failed (server 
bleh.server.com:443, client 216.234.248.81) (OpenSSL library error follows)
[07/Jul/2003 12:17:44 24732] [error] OpenSSL: error:0406506C:rsa 
routines:RSA_EAY_PRIVATE_DECRYPT:data greater than mod len
[07/Jul/2003 12:17:44 24732] [error] OpenSSL: error:140BB004:SSL 
routines:SSL_RSA_PRIVATE_DECRYPT:nested asn1 error
--snip-snip--

Meni to zgleda kot poskus (uspešen) vdora skozi SSL bug pri apachu. Da je 
zadel spominsko lokacijo (offset) se mu je mogl hudo usr*t.
Se strinja s tem še kdo?

Zanima me, kako bi pogledal (so kje še kaki logi) kaj je potem user nobody 
poganjal. Očitno, to da ima shell na /dev/null ni pomagalo ;-) Ja pa tudi 
kakega .bash_history ni na /.

Preiskal sem cel sistem za datoteke od userja nobody nasel v tmp 2 exploita 
enkga za ptrace (ki ne deluje na tem sistemu) pa nekega za Xe:
--snipit--;-)
./hool
[ElectronicSouls]

./hool -h for help

- progz: /usr/X11R6/bin/xterm
- return address: 0xbfffe86d
  exploiting..


xterm Xt error: Can't open display:
--snipit--
Za drugega tudi dvomim, da mu ga ja ratal uspešno uporabt.

Sicer se mi ne zdi potrebno ampak bom vseeno ponovno namestil cel sistem (itak 
je star ko zemlja ;-) ) . Škoda je edin 3 leta uptima ;-)

Hvala za odgovore in L.P.
-Martin



More information about the lugos-list mailing list