Paul, are you absolutely sure about it? I have a few systems that had 0.9.6b, and after playing with offsets for some time I managed to prove the vulnerability. Of course it always depends on kernel versions/patches, and on the modules which are included in the apache server. Because of that, the addresses change.

For example, if I knew the hex value from "objdump -R /path/to/your/httpd | grep free", I am pretty sure that I could succeed. However, there are some cases when I tried it on exactly the same versions of kernel and apache servers and it DIDN'T work. So the answer lies somewhere else, not in openssl itself.

I have made a different version of the exploit than the one from the worm sources; it works a bit faster. I am not going to publish it (yet), but I could test it if some of you are sure you are not vulnerable with version 0.9.6b. At least all of my machines were, with different versions of kernels.

As I said, all an attacker needs is an IP address and the hex value from the line where it says just "free". The rest is up to skill and a bit of luck.

As for me - it was a pain to recompile apache on 18 servers, since all of them have custom needs/setups. Modular apache with openssl is also vulnerable; I made a proof of concept a few days ago for my students in the lab.

Best wishes,
Mik-

On Wed, 25 Sep 2002, Schmehl, Paul L wrote:

> Interesting. I patched openssl the day the patch was announced (using
> up2date.) When the Slapper worm came out, I knew my system wasn't
> vulnerable, because I had already applied the patch on June 29th when it
> was released. I'm not sure why there would have been confusion about
> whether or not your system might be vulnerable, since both the
> vulnerability and the patch were publicly announced, but I suspect it
> had to do with the fact that (at least in the case of Red Hat) the
> *version* of openssl you're running is patched rather than updating to
> the latest version.
>
> On RH 7.2 (my system), for example, openssl is version 0.9.6b, but it's
> patched against this vulnerability. All the advisories suggest updating
> to at least version 0.9.6e if not g, but they do not address the fact
> that your vendor may have patched previous versions. I sent a post to
> bugtraq pointing that out, but it was never published. Guess I'll just
> use this list from now on.
>
> Paul Schmehl ([EMAIL PROTECTED])
> Department Coordinator
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, September 23, 2002 9:48 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Full-Disclosure] The last word on the Linux Slapper worm
> > Importance: High
> >
> >
> > There has been a lack of information about the potential for
> > damage around the Linux Slapper worm, and posts to the
> > bugtraq list ranging from the sublime to the ridiculous. I am
> > hoping that this post will clear up any doubts people may
> > have about the vulnerabilities of their systems. It appears
> > that the Linux vendors and openssl had been working together
> > to produce an update to the vulnerability that was exploited
> > by this worm. However, none of the openssl maintainers other
> > than Mark Cox of Red Hat knows anything about this from what
> > I can gather.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
