Apsis Pound Mailing List Archive, 2005-05
pound under attack
Jaroslav Lukesh <lukesh(at)seznam.cz>, 2005-05-08 14:49:49
Dear all,
our corporate server has been getting many thousands of attacks in the last few days, like this:
04/May/2005 14:42:54 +0200: bad header from XX.XX.XX.XX (---------------: ----- -------)
I found a single core.* file in the folder where pound resides. It was not run
in a chroot jail, only as the pound user (default shell: /bin/false).
So my question is: is it possible for the attacker to get a shell?
Many thanks,
[...]
Re: pound under attack
Steven Van Acker <deepstar(at)ulyssis.org>, 2005-05-08 17:53:40
On Sun, May 08, 2005 at 02:49:49PM +0200, Jaroslav Lukesh wrote:[...]
If your version of pound is < 1.8.3
Then in theory: yes
greets,[...]
Re: pound under attack
Jaroslav Lukesh <lukesh(at)seznam.cz>, 2005-05-08 23:42:01
On Sunday, 8 May 2005 17:53 Steven Van Acker <deepstar(at)ulyssis.org> wrote:[...]
1.8.0 :-(
I updated on Friday, but did not find a core anymore. I think that in a
successful attack I would need to find more than one core if the attacker does not
know the software details beforehand. At least one for getting the correct length of
the buffer, and a second for the crack. Am I right?
Many thanks,
[...]
Re: pound under attack
Steven Van Acker <deepstar(at)ulyssis.org>, 2005-05-09 00:07:58
On Sun, May 08, 2005 at 11:42:01PM +0200, Jaroslav Lukesh wrote:[...]
I haven't seen exploit code for the overflow yet, but that doesn't mean it
doesn't exist. When guessing offsets in such an exploit, the most common
practice is to brute-force an offset. From the side of the victim, this
would look like a lot of connections with garbage data in it... so it
might be that you are experiencing some form of attack.
I suggest you patch the code as soon as you can.
Information about the overflow can be found here (including a quick
fix):
http://www.apsis.ch/pound/pound_list/archive/2005/2005-04/1114516112000#1114516112000
The patch consists of replacing the following line in svc.c (function
add_port):
sprintf(res, "Host: %s:%hd", host, ntohs(to_host->sin_port));
with:
snprintf(res, sizeof(res) - 1, "Host: %s:%hd", host, ntohs(to_host->sin_port));
greets,[...]
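The sprintf()/snprintf() change quoted above, worked into a self-contained C example added here (not Pound's code; build_host_header and host_header_len are hypothetical names) that shows the bounded write and uses snprintf's return value to detect a Host: line that would not have fit the buffer:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened counterpart of the add_port() line quoted above (not
 * Pound's code). Writes "Host: <host>:<port>" into res, never beyond reslen
 * bytes, always NUL-terminated. Returns 1 if the whole header fit and 0 if it
 * was truncated, the case the original sprintf() turned into an overflow.
 * The length is passed in explicitly: sizeof(res) in the list's fix only
 * works where res is an array in scope, not a pointer parameter. */
int build_host_header(char *res, size_t reslen, const char *host, uint16_t port)
{
    int need;

    if (res == NULL || reslen == 0)
        return 0;
    /* snprintf() returns the length the full string would need, which is the
     * truncation detector. %u replaces the list's %hd, which prints ports
     * above 32767 as negative numbers. */
    need = snprintf(res, reslen, "Host: %s:%u", host, (unsigned)port);
    if (need < 0) {
        res[0] = '\0';
        return 0;
    }
    return (size_t)need < reslen;
}

/* Bytes a header for this host needs (excluding the NUL), so a caller can
 * reject an oversized Host: value before formatting anything. */
size_t host_header_len(const char *host, uint16_t port)
{
    int need = snprintf(NULL, 0, "Host: %s:%u", host, (unsigned)port);
    return need < 0 ? 0 : (size_t)need;
}

int main(void)
{
    char res[64];       /* fixed-size buffer, like res in svc.c */
    char longhost[300]; /* constructed oversized host name */
    int ok;

    memset(longhost, 'a', sizeof longhost - 1);
    longhost[sizeof longhost - 1] = '\0';

    ok = build_host_header(res, sizeof res, "www.example.com", 80);
    printf("fit=%d header=\"%s\"\n", ok, res);

    ok = build_host_header(res, sizeof res, longhost, 8080);
    printf("fit=%d stored=%zu needed=%zu\n", ok, strlen(res),
           host_header_len(longhost, 8080));
    return 0;
}
```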
Re: pound under attack
Robert Segall <roseg(at)apsis.ch>, 2005-05-09 13:21:53
On Sun, 8 May 2005 14:49:49 +0200 Jaroslav Lukesh <lukesh(at)seznam.cz> wrote:[...]
Your question is a bit generic.
The kind of message you describe is not an attack, but rather a silly
piece of software that uses Unicode for the headers. Pound considers
these headers illegal and filters them out. I repeat - this is not an
attack of any kind and you can ignore it.
A vulnerability was discovered in 1.8.0, which may allow a buffer
overflow. I am not aware of any kind of exploit code available, though
that does not mean it does not exist. The vulnerability is specific to
the Host: header, so if an attacker was probing your machine you would
see a bunch of messages relating specifically to that header.
Getting a core dump need not be related to this - it could be caused by
completely unrelated factors. If you saw a single core file I doubt you
are under any sort of attack. I would consider it much more likely this
is a manifestation of some other problem (such as a still unknown bug or
bad setup).
Finally, if you worry about your security, you should definitely inspect
your servers to make sure they have not been compromised. I assume you
have some sort of secure integrity checks in place to do that.
I hope this helps some...[...]
Re: pound under attack
Jaroslav Lukesh <lukesh(at)seznam.cz>, 2005-05-09 19:15:02
On Monday, 9 May 2005 13:21 Robert Segall <roseg(at)apsis.ch> wrote:[...]
[...]
I already got these messages when it got hit by an IIS/Apache-like
buffer-overflow cracker. The time distribution of these attempts is from a few
seconds to half an hour from a single IP, with 1-5 requests per second, and it does not
follow the daily visitor load curve - it is distributed equally over the whole day and
night.
The IP typically does not repeat; only a few IPs were repeated after a day or
two. Actually, I got the last described attack today at 13:23 GMT+2.
So I don't think that Unicode is the cause.
[...]
In that case the attacker must know that we use pound. We did not advertise that
before, and I do not have messages about the Host header.
Many thanks for your pound and support; it is really a very good piece of
software. I am happy with that.
[...]