Icarus
09-24-2002, 01:44 PM
I got this in today's Symantec Newsletter...
Apache_mod_ssl Worm (Linux.Slapper.Worm)
Date: 13th Sep 2002
Risk: High
Platforms Affected
Linux
Components Affected
Red-Hat: Apache 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.22, 1.3.23, 1.3.26.
SuSe: Apache 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23.
Mandrake: Apache 1.3.14, 1.3.19, 1.3.20, 1.3.23.
Slackware: Apache 1.3.26.
Debian: Apache 1.3.26.
Overview
The Symantec DeepSight Threat Analyst Team has learned of the existence of a new exploit for the OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow vulnerability, targeting Apache Web servers hosted on various Linux platforms.
This also includes a number of peer-to-peer capabilities, which allow it to communicate with other clients, and participate in a Distributed Denial of Service (DDoS) network. To perform these activities, the exploit code listens on UDP port 2002.
The exploit further exhibits worm behavior in that indications are that, once it is set up, it scans and attempts to propagate by infecting other vulnerable systems. It is confirmed through various sources that this worm is in the wild and actively attacking other servers. Over 3500 IP addresses have been recorded as being the source of scanning and associated activity, according to DeepSight Threat Management System data and other sources.
Description
The exploit code analysed by the Symantec DeepSight Threat Analyst Team targets the Apache Web server on a number of Linux operating system distributions, including versions of RedHat, Slackware, Debian, SuSE, and Mandrake. By sending a malformed client key, the exploit opens a shell on the client machine, which is then used to upload the exploit source code in a uuencoded format. Using the same shell, it then uudecodes and compiles the source and runs it with an IP address as a parameter. Once certain pre-conditions are met, the exploit appears to scan and target vulnerable machines.
Recommendations
The worm can be killed using the Unix "kill" command, using the process id of the ".bugtraq" process. The following three files can also be removed:
/tmp/.uubugtraq
/tmp/.bugtraq.c
/tmp/.bugtraq
Only the "/tmp/.bugtraq" file contains an executable binary of the worm. There does not appear to be any instructions allowing the worm to restart in the event of a system reset.
NOTE: If you suspect that a system has been compromised, isolate the infected system(s) quickly to prevent further compromise of enterprise systems. Perform forensic analysis and restore the system from trusted media.
Credit
Symantec would like to thank Fernado Nunes for providing a copy of exploit code for analysis.
CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2002-0656 to the OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability.
References
More detailed information is available here:
http://securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html
Please do everyone a favor and update your SSL and Apache servers, checking for the worm.
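The advisory's recommendations (kill the ".bugtraq" process, remove the three files under /tmp, and note the worm's UDP port 2002 listener) translate into a small check-and-clean script. The following is an added example written for this post, not code from Symantec or from the advisory; it assumes the worm's process name shows up as `.bugtraq` in `ps -eo pid=,comm=`, that `ss -lun` (or `netstat -lun`) is available for listing UDP listeners, and that a filesystem root other than `/` may be passed so a mounted image can be checked offline. The parsing functions read their input from stdin so the same logic can be run over saved `ps` and `ss` output collected during forensic analysis, in line with the advisory's note to analyse before restoring.

```shell
#!/bin/sh
# Added example (not from the Symantec advisory): check for and remove the
# Linux.Slapper indicators the advisory names. Assumptions: the worm process
# is named ".bugtraq", its files live under $ROOT/tmp, and `ps -eo pid=,comm=`
# and `ss -lun` are available on the host being checked.

# The three indicator files named in the advisory, relative to the filesystem root.
SLAPPER_FILES="tmp/.uubugtraq tmp/.bugtraq.c tmp/.bugtraq"

# Print each indicator file that exists under $1 (defaults to /).
find_slapper_files() {
    root="${1:-/}"
    for f in $SLAPPER_FILES; do
        path="${root%/}/$f"
        [ -e "$path" ] && printf '%s\n' "$path"
    done
    return 0
}

# Read "PID COMM" lines (as produced by `ps -eo pid=,comm=`) on stdin and print
# the PIDs whose command name is exactly ".bugtraq".
slapper_pids_from_ps() {
    while read -r pid comm _rest; do
        [ "$comm" = ".bugtraq" ] && printf '%s\n' "$pid"
    done
    return 0
}

# Read `ss -lun` or `netstat -lun` output on stdin and print every local
# address bound to UDP port 2002, the worm's peer-to-peer port per the advisory.
# The local-address column differs between the two tools, so match any field
# that ends in ":2002" rather than a fixed column.
slapper_udp_listeners() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:2002$/) print $i }'
}

# Kill ".bugtraq" processes (only when cleaning the live root) and remove the
# indicator files under $1. Set DRY_RUN=1 to report without changing anything;
# collect the files for forensic analysis before running without it.
slapper_clean() {
    root="${1:-/}"
    if [ "$root" = "/" ]; then
        ps -eo pid=,comm= | slapper_pids_from_ps | while read -r pid; do
            echo "killing .bugtraq pid $pid"
            [ -n "${DRY_RUN:-}" ] || kill "$pid"
        done
    fi
    find_slapper_files "$root" | while read -r path; do
        echo "removing $path"
        [ -n "${DRY_RUN:-}" ] || rm -f -- "$path"
    done
}

# Usage: ./slapper_check.sh check   (report indicators on the live system)
#        ./slapper_check.sh clean   (kill the process and remove the files)
case "${1:-}" in
    check)
        find_slapper_files /
        ps -eo pid=,comm= | slapper_pids_from_ps
        ss -lun 2>/dev/null | slapper_udp_listeners
        ;;
    clean)
        slapper_clean /
        ;;
esac
```

Run `check` first and keep its output with the copied files: the advisory says the binary does not persist across a reboot, so a live ".bugtraq" process together with the /tmp files and a UDP 2002 listener is the evidence worth preserving before `clean` removes it.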