-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> 2. It appears to use components of the "RaQFuCk.sh" script by core
> http://www.securiteam.com/exploits/5MP0R0A80K.html, which attempts
> a symlink attack using cron through the exploitation of an suid
> /usr/lib/authenticate on the Cobalt Raq.

According to the docs in that script, it says a quick fix is to chmod 755
/usr/lib/authenticate. When I checked my up-to-date RaQ 4, it shows that
permission level is already set. Also it seems to state that it only works
on Apache 1.3.20C3 and before. The newest Apache is 1.3.20C4stackguard.

> Near as I can tell, they were able to remotely exploit OpenSSL
> and establish a remote shell, at which point RaQFuCk.sh was
> executed, providing full open access to the system. I haven't been
> able to gain access through any exploit code that I can find. The
> attack could have come either through Apache or OpenSSH, but I have
> no direct proof, so this is all conjecture.

I dug up the openssl-scanner and openssl-too-open code
(http://www.netalarms.com/special/archive-03) and compiled them.

> I have put RPMS for OpenSSL 0.9.7 on our FTP server at:
> ftp://ftp.nacs.net/pub/software/cobalt_raq4
> openssl-0.9.7-1.i386.rpm
> openssl-0.9.7-1.src.rpm
> openssl-devel-0.9.7-1.i386.rpm
> openssl-doc-0.9.7-1.i386.rpm

I installed these. I then had to make a new symlink for libcrypto.so.2 to
the new 0.9.7 version for the openssl-scanner to work:

  cd /usr/lib
  ln -s libcrypto.so.0.9.7 libcrypto.so.2

Also, when I restart Apache after installing the OpenSSL RPMS, it still
shows "...OpenSSL/0.9.6b..." in the signature string. I don't know if this
is dynamic or compiled in someplace...

Anyway, when I ran both scanners, it said that the server didn't appear to
be vulnerable. Unfortunately, I didn't find the scanners until after
putting in OpenSSL 0.9.7, so I don't know if servers without that are
susceptible or not...

:(

- --
Bruce Timberlake
http://www.brtnet.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+LPkCvLA2hUZ9kgwRAtPMAJ9GucG5nirAhVeLfwDrQZNVPN+HZwCfaJiX
tp30t2zYSJYpVaGQo1Nc8bQ=
=aHFI
-----END PGP SIGNATURE-----
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
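
The checks the post walks through (is /usr/lib/authenticate still setuid, and does the OpenSSL version Apache advertises match the version that was just installed) as an added POSIX shell example. This is not part of the original post and not Bruce's commands; it is an editor's illustration. The banner parsing and version comparison are plain functions exercised on a constructed Server header; `audit_host` runs live checks and assumes a RaQ-style layout with httpd at /usr/sbin/httpd, which is an assumption, not something the post states. The point it is built around is the caveat the post raises: an Apache whose mod_ssl was linked statically against the OpenSSL it was built with keeps advertising, and keeps using, that old version after the RPM upgrade, so the banner is not evidence either way and `ldd` on the httpd binary is the check that matters.

```shell
#!/bin/sh
# Added example, not from the original post. Needs only POSIX sh, ls,
# awk and sed. All paths and the sample banner below are constructed.

# Report the setuid state of a file: "suid", "no-suid" or "missing".
# The post's quick fix (chmod 755) is exactly the step that clears it.
suid_state() {
    if [ ! -e "$1" ]; then
        echo "missing"
        return 0
    fi
    # In an ls -l mode string the 4th character is 's' or 'S' when setuid is set.
    mode=$(ls -ld "$1" | awk '{print $1}')
    case "$mode" in
        ???[sS]*) echo "suid" ;;
        *)        echo "no-suid" ;;
    esac
}

# Extract the OpenSSL version an Apache Server header advertises.
# Prints the version token, or "none" when the banner does not mention OpenSSL.
banner_openssl_version() {
    v=$(printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([0-9][0-9a-z.]*\).*|\1|p')
    if [ -n "$v" ]; then echo "$v"; else echo "none"; fi
}

# Return 0 when version $1 is older than $2. Fields are compared numerically,
# then by their optional letter suffix, so 0.9.6 < 0.9.6b < 0.9.7.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, fa, "."); nb = split(b, fb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = fa[i]; y = fb[i]
            match(x, /[0-9]+/); xn = substr(x, RSTART, RLENGTH) + 0; xs = substr(x, RSTART + RLENGTH)
            match(y, /[0-9]+/); yn = substr(y, RSTART, RLENGTH) + 0; ys = substr(y, RSTART + RLENGTH)
            if (xn != yn) exit !(xn < yn)
            if (xs != ys) exit !(xs < ys)
        }
        exit 1
    }'
}

# Compare the banner against the installed version. "mismatch" does not by
# itself prove a problem, but it is the signal that the banner is stale and
# that httpd may still carry its own (older) copy of OpenSSL.
banner_matches_installed() {
    b=$(banner_openssl_version "$1")
    if [ "$b" = "$2" ]; then echo "match"; else echo "mismatch"; fi
}

# Live check on the host (not run by default). ldd shows which libcrypto and
# libssl the httpd binary actually maps; if none appear, mod_ssl was linked
# statically and the shared-library upgrade did not reach it.
# /usr/sbin/httpd is an assumed path for a RaQ-style layout.
audit_host() {
    httpd=${1:-/usr/sbin/httpd}
    echo "authenticate: $(suid_state /usr/lib/authenticate)"
    echo "installed:    $(openssl version 2>/dev/null | awk '{print $2}')"
    if command -v ldd >/dev/null 2>&1 && [ -x "$httpd" ]; then
        echo "httpd links:  $(ldd "$httpd" | awk '/libcrypto|libssl/ {print $1, $3}' | tr '\n' ' ')"
    else
        echo "httpd links:  (ldd or $httpd not available)"
    fi
}

# Demo on a constructed banner (not a real server response) and the
# version installed from the RPMs discussed in the post.
SAMPLE_BANNER='Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b'
INSTALLED='0.9.7'
adv=$(banner_openssl_version "$SAMPLE_BANNER")
echo "banner advertises OpenSSL $adv, installed $INSTALLED: $(banner_matches_installed "$SAMPLE_BANNER" "$INSTALLED")"
if version_lt "$adv" "$INSTALLED"; then
    echo "banner is older than the installed library; verify with: audit_host"
fi
```

Run `audit_host` (optionally with the real path to httpd) on the box itself; the three lines it prints are the ones to put in an incident note, since they record what was actually executable and linked rather than what the banner claimed.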
