[CLUE-Tech] root kit checker
David Anselmi
anselmi at anselmi.us
Mon May 10 17:54:21 MDT 2004
Mike Staver wrote:
>> So was there a rootkit or not? The apache security list
>> (http://www.apacheweek.com/features/security-13) doesn't say anything
>> about any remote exploits against 1.3.27.
>
> In response to this from David last week, I think this is what I was
> thinking of when I meant I was asking for a compromise because I was
> still running 1.3.27:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
I saw that one. Here's what apache.org has to say:
"By using a regular expression with more than 9 captures a buffer
overflow can occur in mod_alias or mod_rewrite. To exploit this an
attacker would need to be able to create a carefully crafted
configuration file (.htaccess or httpd.conf)"
Since remote attackers can't write .htaccess or httpd.conf files (if
they can you have bigger problems) this is not a remote exploit, which
is what I said.
So the exploit would have to come from an account on the system -- not
impossible but easier to narrow down, maybe. If I had that
vulnerability on one of my web servers, I wouldn't rush to fix it
because generally I'm the only one with a local account. And it only
gets you into the apache user anyway.
That's the trick with these security advisories. Just because you were
running 1.3.27 I wouldn't say you were asking to be hacked.
Dave
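As an added defender-side illustration (not code from the list thread or from Apache): a small Python audit script that flags mod_alias and mod_rewrite directives whose regular expression has more than 9 capturing groups, the condition the quoted advisory for CAN-2003-0542 describes. The httpd.conf fragment is constructed for this example, and the group counting is an approximation of PCRE's (it skips escaped parens, character classes and `(?...)` constructs); the directive names and argument positions are real Apache 1.3 ones.

```python
SAMPLE_CONF = """\
# constructed httpd.conf fragment for this example
RewriteEngine on
RewriteRule ^/old/(.*)$ /new/$1 [R]
RewriteCond %{HTTP_HOST} ^(www\\.)?example\\.test$
RewriteRule ^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)$ /many [L]
AliasMatch ^/img/(?:png|gif)/([^/]+)$ /var/www/img/$1
RedirectMatch permanent ^/x/(1)(2)(3)(4)(5)(6)(7)(8)(9)(10)(11)/?$ /y
"""

# Which argument (0-based, after the directive name) carries the regex.
REGEX_DIRECTIVES = {"RewriteRule": 0, "RewriteCond": 1, "AliasMatch": 0, "RedirectMatch": 0}
REDIRECT_STATUS_WORDS = {"permanent", "temp", "seeother", "gone"}
MAX_SAFE_CAPTURES = 9  # the advisory's threshold: more than 9 captures overflowed

def count_captures(pattern: str) -> int:
    """Count capturing groups; skips escapes, character classes and (?...) groups."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2  # escaped character: skip it and the character it escapes
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(" and not pattern.startswith("(?", i):
            count += 1
        i += 1
    return count

def find_risky_directives(config_text: str):
    """Return (line_no, directive, captures) for regexes exceeding MAX_SAFE_CAPTURES."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        parts = raw.split()  # assumes unquoted arguments, the common case
        if not parts or parts[0] not in REGEX_DIRECTIVES:
            continue  # blank lines, comments and other directives
        directive, args = parts[0], parts[1:]
        if directive == "RedirectMatch" and args and (
                args[0].isdigit() or args[0] in REDIRECT_STATUS_WORDS):
            args = args[1:]  # drop the optional status argument
        idx = REGEX_DIRECTIVES[directive]
        if idx < len(args) and (n := count_captures(args[idx])) > MAX_SAFE_CAPTURES:
            findings.append((line_no, directive, n))
    return findings

if __name__ == "__main__":
    print(find_risky_directives(SAMPLE_CONF))  # → [(5, 'RewriteRule', 10), (7, 'RedirectMatch', 11)]
```

Any finding is a directive to simplify (or a config file that someone with local write access changed), and as the advisory says the real fix is upgrading to a version that removes the limit.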