Pound Mailing List Archive (Apsis), 2005-05: pound under attack

pound under attack
Jaroslav Lukesh <lukesh(at)seznam.cz>
2005-05-08 14:49:49
Dear all,

our corporate server has received many thousands of attacks in the last few days, like this:

04/May/2005 14:42:54 +0200: bad header from XX.XX.XX.XX (---------------: 
----- -------)

I found a single core.* file in the folder where pound resides. It was not run
in a chroot jail, only as the pound user (default shell: /bin/false).

So my question is: is it possible for the attacker to get a shell?

Many thanks,

-- 

                        Jaroslav Lukesh
  -----------------------------------------------------------
  This e-mail can not contain any viruses because I use Linux


Re: pound under attack
Steven Van Acker <deepstar(at)ulyssis.org>
2005-05-08 17:53:40
On Sun, May 08, 2005 at 02:49:49PM +0200, Jaroslav Lukesh wrote:
> Dear all,
> 
> our corporate server has received many thousands of attacks in the last few days, like this:
> 
> 04/May/2005 14:42:54 +0200: bad header from XX.XX.XX.XX (---------------: 
> ----- -------)
> 
> I found a single core.* file in the folder where pound resides. It was not
> run in a chroot jail, only as the pound user (default shell: /bin/false).
> 
> So my question is: is it possible for the attacker to get a shell?

If your version of pound is < 1.8.3
Then in theory: yes

greets,
-- Steven

Re: pound under attack
Jaroslav Lukesh <lukesh(at)seznam.cz>
2005-05-08 23:42:01
On Sunday, 8 May 2005 17:53, Steven Van Acker <deepstar(at)ulyssis.org> wrote:
> > I found a single core.* file in the folder where pound resides. It was
> > not run in a chroot jail, only as the pound user (default shell: /bin/false).
> >
> > So my question is: is it possible for the attacker to get a shell?
>
> If your version of pound is < 1.8.3
> Then in theory: yes

1.8.0 :-(

I updated on Friday, but did not find any core anymore. I think that for a
successful attack I would need to find more than one core if the attacker does
not know the software details beforehand: at least one for getting the correct
length of the buffer, and a second for the crack. Am I right?

Many thanks,

-- 

                        Jaroslav Lukesh
  -----------------------------------------------------------
  This e-mail can not contain any viruses because I use Linux


Re: pound under attack
Steven Van Acker <deepstar(at)ulyssis.org>
2005-05-09 00:07:58
On Sun, May 08, 2005 at 11:42:01PM +0200, Jaroslav Lukesh wrote:
> On Sunday, 8 May 2005 17:53, Steven Van Acker <deepstar(at)ulyssis.org> wrote:
> > > I found a single core.* file in the folder where pound resides. It was
> > > not run in a chroot jail, only as the pound user (default shell: /bin/false).
> > >
> > > So my question is: is it possible for the attacker to get a shell?
> >
> > If your version of pound is < 1.8.3
> > Then in theory: yes
> 
> 1.8.0 :-(
> 
> I updated on Friday, but did not find any core anymore. I think that for a
> successful attack I would need to find more than one core if the attacker does
> not know the software details beforehand: at least one for getting the correct
> length of the buffer, and a second for the crack. Am I right?

I haven't seen exploit code for the overflow yet, but that doesn't mean it
doesn't exist. When guessing offsets in such an exploit, the most common
practice is to bruteforce an offset. From the side of the victim, this
would look like a lot of connections with garbage data in it... so it
might be that you are experiencing some form of attack.

I suggest you patch the code as soon as you can.
Information about the overflow can be found here (including a quick
fix):
http://www.apsis.ch/pound/pound_list/archive/2005/2005-04/1114516112000#1114516112000

The patch consists of replacing the following line in svc.c (function
add_port):

    sprintf(res, "Host: %s:%hd", host, ntohs(to_host->sin_port));

with:

    snprintf(res, sizeof(res) - 1, "Host: %s:%hd", host, ntohs(to_host->sin_port));

greets,
-- Steven
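An added, stand-alone illustration of the bounded-write fix discussed above; this is not pound's code and not the patch from the archive link. It assumes a fixed buffer size (HOST_HDR_SIZE, chosen here, not pound's actual size) and passes that size to the function explicitly, because sizeof(res) only measures the array when res is declared as an array in the same scope; on a pointer parameter it would give the pointer size. It also checks the snprintf return value, so an oversized Host value is rejected instead of silently truncated, and it uses %hu because ntohs() returns an unsigned 16-bit value (ports above 32767 print as negative numbers with %hd). The inputs in main() are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* htons / ntohs */

/* Assumed buffer size for this example only; the real size of res in
 * pound's svc.c is not quoted in the thread. */
#define HOST_HDR_SIZE 64

/*
 * Build "Host: <host>:<port>" into res (res_size bytes) with a bounded write.
 * Returns the number of characters written (excluding the NUL), or -1 when
 * the header would not fit. snprintf never writes past res_size, so an
 * oversized host name can at worst be truncated; checking the return value
 * turns that silent truncation into an explicit rejection the caller can log.
 */
int build_host_header(char *res, size_t res_size, const char *host,
                      unsigned short port_netorder)
{
    int n = snprintf(res, res_size, "Host: %s:%hu", host, ntohs(port_netorder));
    if (n < 0 || (size_t)n >= res_size) {
        /* Would not fit: leave a safe empty string rather than a partial header. */
        if (res_size > 0)
            res[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char res[HOST_HDR_SIZE];

    /* Constructed sample inputs: one ordinary host name and one
     * deliberately oversized value of the kind the bounded write must reject. */
    const char *normal_host = "www.example.com";
    char long_host[200];
    memset(long_host, 'A', sizeof(long_host) - 1);
    long_host[sizeof(long_host) - 1] = '\0';

    if (build_host_header(res, sizeof res, normal_host, htons(443)) >= 0)
        printf("ok:       %s\n", res);

    if (build_host_header(res, sizeof res, long_host, htons(443)) < 0)
        printf("rejected: Host value of %zu bytes does not fit in %zu\n",
               strlen(long_host), sizeof res);

    return 0;
}
```

With the original sprintf, the second call would have written well past the end of res; here it returns -1 and the buffer holds an empty string, which is the point at which a proxy can log the bad header and drop the request.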

Re: pound under attack
Robert Segall <roseg(at)apsis.ch>
2005-05-09 13:21:53
On Sun, 8 May 2005 14:49:49 +0200 Jaroslav Lukesh <lukesh(at)seznam.cz>
wrote:
> Dear all,
> 
> our corporate server has received many thousands of attacks in the last
> few days, like this:
> 
> 04/May/2005 14:42:54 +0200: bad header from XX.XX.XX.XX
> (---------------: 
> ----- -------)
> 
> I found a single core.* file in the folder where pound resides. It was
> not run in a chroot jail, only as the pound user (default shell:
> /bin/false).
> 
> So my question is: is it possible for the attacker to get a shell?

Your question is a bit generic.

The kind of message you describe is not an attack, but rather a silly
piece of software that uses Unicode for the headers. Pound considers
these headers illegal and filters them out. I repeat - this is not an
attack of any kind and you can ignore it.

A vulnerability was discovered in 1.8.0, which may allow a buffer
overflow. I am not aware of any kind of exploit code available, though
that does not mean it does not exist. The vulnerability is specific to
the Host: header, so if an attacker was probing your machine you would
see a bunch of messages relating specifically to that header.

Getting a core dump need not be related to this - it could be caused by
completely unrelated factors. If you saw a single core file I doubt you
are under any sort of attack. I would consider it much more likely this
is a manifestation of some other problem (such as a still unknown bug or
bad setup).

Finally, if you worry about your security, you should definitely inspect
your servers to make sure they have not been compromised. I assume you
have some sort of secure integrity checks in place to do that.

I hope this helps some...
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

Re: pound under attack
Jaroslav Lukesh <lukesh(at)seznam.cz>
2005-05-09 19:15:02
On Monday, 9 May 2005 13:21, Robert Segall <roseg(at)apsis.ch> wrote:
> > 04/May/2005 14:42:54 +0200: bad header from XX.XX.XX.XX
> > (---------------:
> > ----- -------)

> The kind of message you describe is not an attack, but rather a silly
> piece of software that uses Unicode for the headers. Pound considers
> these headers illegal and filters them out. I repeat - this is not an
> attack of any kind and you can ignore it.

I already got these messages when it was hit by a buffer-overflow
IIS/Apache-like cracker. The time distribution of these attempts is from a few
seconds to half an hour from a single IP, with 1-5 requests per second, and it
does not follow the daily visitor load curve; it is distributed equally over
the whole day and night.
The IP typically does not repeat; only a few IPs were repeated after a day or
two. Actually, I got the last described attack today at 13:23 GMT+2.

So I don't think that Unicode is the cause.

> A vulnerability was discovered in 1.8.0, which may allow a buffer
> overflow. I am not aware of any kind of exploit code available, though
> that does not mean it does not exist. The vulnerability is specific to
> the Host: header, so if an attacker was probing your machine you would
> see a bunch of messages relating specifically to that header.

In that case the attacker must know that we use pound. We did not advertise
that before, and I do not have messages about the Host header.

Many thanks for pound and your support; it is really a very good piece of
software. I am happy with it.

-- 

                        Jaroslav Lukesh
  -----------------------------------------------------------
  This e-mail can not contain any viruses because I use Linux

