Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Blocking Nimda and kin
From: Brett Glass <brett () lariat org>
Date: Thu, 08 Nov 2001 16:00:47 -0700

You have a good point. How would you guard against this sort of
spoofing? Require several rapid fire hits before blocking, 
perhaps?

Also, it turns out that the "%400,404a" is erroneous. This was
a mistake on my part that stemmed from misunderstanding of the
Apache documentation. It's better just to use %a there, since 
adding the "400,404" in the middle can create a malformed
command in certain unusual circumstances. (No harm will be done, 
though.)

By the way, Apache runs its master process as root and demotes 
all the others it spawns to a uid of your choosing. The master
process opens the log files, so yes, the command is run as root.
Note that no user input is used in the command, so it's not
possible to execute a command of your choosing via this mechanism.

--Brett

At 03:46 PM 11/8/2001, Peter W wrote:

This is very cool stuff. So I can get someone to view an HTML page|email
with code like <IMG alt="" height="0" width="0" hspace="0" vspace="0"
src="http://brettglass.example.com/winnt/system32/cmd.exe";>, I can easily
prevent them, or anyone else coming from the same space, from reaching your
Web server. Get some AOL users to read the messages and bye-bye to all the
AOL proxy server traffic. Get lots of usenet "victims", and even if they
don't care about your Web site, man, your routing table suddenly looks bad.

Very (un)cool.

-Peter

P.S. If that exec sh route thing actually works, does that mean your httpd 
is running as root?



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]