Gobbles Releases Apache Exploit
Brian McWilliams, SecurityFocus 2002-06-20

Tool makes it easy to hack vulnerable Apache servers under OpenBSD.

In a move aimed at showing up other security researchers, Gobbles Security on Wednesday released source code to a program that exploits a serious security flaw in the popular Apache Web server.

Experts confirmed that Apache-scalp.c, posted to several security mailing lists and online libraries, provides remote attackers with a command shell on unpatched OpenBSD systems running Apache 1.3.x.

In an e-mail interview Thursday, Gobbles Security said it released the code because it had reached a "breaking point" following comments about the flaw this week from other security professionals.

"We had read too much bullshit from `experts' concerning the bug, and their idiotic statements as to why it isn't exploitable, and how lucky the world is because it wasn't exploitable," said Gobbles.

According to the non-profit security group, Apache-scalp.c was modified from a multi-platform version Gobbles developed last November. Gobbles said it is "undecided" about when it will release exploits for other Apache platforms, including Sun Solaris, Linux, and FreeBSD.

"Now that people know the bug is actually exploitable, there is no reason to hurry up and hand over exploits to the $$$ security world," said Gobbles.

The first advisory describing the "chunked encoding" vulnerability on Apache was released Monday by Internet Security Systems. According to the advisory, ISS's X-Force research group discovered a bug in the Windows version of Apache 1.3.24, but ISS believed that "successful exploitation on most Unix platforms is unlikely."

Chris Rouland, director of X-Force, said Thursday that ISS has confirmed that the Gobbles exploit works against OpenBSD.

"Yesterday this was just a vulnerability. Today, it's a threat. The entire world population of hackers is now armed with a tool to break into OpenBSD/Apache systems," he said.

Fragroute Hack Connection?
According to Rouland, ISS had no knowledge that exploits for the flaw were in circulation when it released its advisory. But he said the company was confident that "a hostile third-party" would develop one.

"The fact that it turns out that an exploit has been in the wild for a few months indicates to me that we did the right thing ethically," said Rouland.

A comment line in Apache-scalp.c suggested that the exploit may have been used in last month's compromise of Monkey.org, which enabled attackers to place "back doors" in the source code to the Dsniff, Fragroute, and Fragrouter network security tools.

According to Gobbles, the security group was not responsible for the Monkey.org break-in.

"A close friend of ours, who we share our private/prerelease exploits with, told us a few months ago that our exploit worked flawlessly against monkey.org. That's all we know of the situation," said Gobbles, adding that the group has no information indicating that the friend was responsible for altering programs at the site.

Dug Song, Monkey.org's operator and developer of the networking tools, was not immediately available for comment. Song has stated that the site was hacked after intruders successfully penetrated a machine operated by one of the site's administrators using a "client-side hole."

Responding to the ISS advisory, on Monday the Apache Software Foundation revealed that it had been previously notified by NGSSoftware of a denial-of-service attack on Apache on Windows. The consortium said further investigation showed that the issue also affected other Apache platforms, and could present a remote-root exploit vulnerability.

eEye Digital Security, which publicized a chunked-encoding bug in Microsoft's IIS Web server on June 12, has released a free tool that scans for servers vulnerable to the Apache chunked-encoding vulnerability.
