Apache Attack Exploit Release


In a move aimed at showing up other security researchers, Gobbles Security on Wednesday released source code to a program that exploits a serious security flaw in the popular Apache Web server.

Experts confirmed that Apache-scalp.c, posted to several security mailing lists and online libraries, provides remote attackers with a command shell on unpatched OpenBSD systems running Apache 1.3.x.

In an e-mail interview Thursday, Gobbles Security said it released the code because it had reached a "breaking point" following comments about the flaw this week from other security professionals.

"We had read too much bullshit from `experts' concerning the bug, and their idiotic statements as to why it isn't exploitable, and how lucky the world is because it wasn't exploitable," said Gobbles.

According to the non-profit security group, Apache-scalp.c was modified from a multi-platform version Gobbles developed last November. Gobbles said it is "undecided" about when it will release exploits for other Apache platforms, including Sun Solaris, Linux, and FreeBSD.

"Now that people know the bug is actually exploitable, there is no reason to hurry up and hand over exploits to the $$$ security world," said Gobbles.

The first advisory describing the "chunked encoding" vulnerability on Apache was released Monday by Internet Security Systems. According to the advisory, ISS's X-Force research group discovered a bug in the Windows version of Apache 1.3.24, but ISS believed that "successful exploitation on most Unix platforms is unlikely."

Chris Rouland, director of X-Force, said Thursday that ISS has confirmed that the Gobbles exploit works against OpenBSD.

"Yesterday this was just a vulnerability. Today, it's a threat. The entire world population of hackers is now armed with a tool to break into OpenBSD/Apache systems," he said.

FRAGROUTE HACK CONNECTION?

According to Rouland, ISS had no knowledge that exploits for the flaw were in circulation when it released its advisory. But he said the company was confident that "a hostile third-party" would develop one.

"The fact that it turns out that an exploit has been in the wild for a few months indicates to me that we did the right thing ethically," said Rouland.

A comment line in Apache-scalp.c suggested that the exploit may have been used in last month's compromise of Monkey.org, which enabled attackers to place "back doors" in the source code to the Dsniff, Fragroute, and Fragrouter network security tools.

According to Gobbles, the security group was not directly responsible for the Monkey.org break-in.

"A close friend of ours, who we share our private/prerelease exploits with, told us a few months ago that our exploit worked flawlessly against monkey.org. That's all we know of the situation," said Gobbles.

Dug Song, Monkey.org's operator and developer of the networking tools, was not immediately available for comment.

Responding to the ISS advisory, on Monday the Apache Software Foundation revealed that it had been previously notified by NGSSoftware of a denial-of-service attack on Apache on Windows. The consortium said further investigation showed that the issue also affected other Apache platforms, and could present a remote-root exploit vulnerability.

eEye Digital Security, which publicized a chunked-encoding bug in Microsoft's IIS Web server on June 12, has released a free tool that scans for servers vulnerable to the Apache chunked-encoding vulnerability.

By Brian McWilliams

