RE: SCO Web Site Vulnerable to Slapper?

["Drew Copley" <dcopley () eeye com>]

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of KF
> Sent: Tuesday, August 19, 2003 9:21 AM
> To: Jeremiah Cornelius
> Cc: Gherkin McDonalds; full-disclosure () lists netsys com; 
> security () caldera com; security () sco com
> Subject: Re: [Full-disclosure] SCO Web Site Vulnerable to Slapper?
>
>
> **** CALERA ARE YOU PAYING ATTENTION **** WAKE UP ****
>
> (normally I would not do this...) I am under the impression 
> that either 
> they probably don't care about their secuirty or they are 
> ignorant... I 
> reported this (see below) to them SEVERAL times... they use a 
> vulnerable 
> version of their own ftpd on their ftp server... can you say trojaned 
> distribution site? They probably have not patched it because 
> no one has 
> produced a public exploit... they DO have a patch available however.
>
> > telnet ftpput.caldera.com 21
> > Trying 216.250.128.33...
> > Connected to ftpput.caldera.com.
> > Escape character is '^]'.
> > 220 artemis FTP server (Version 2.1WU(1)) ready.
> > user anonymous
> > 331 Guest login ok, send e-mail address as password.
> > pass err@
> > 230-Welcome to Caldera's FTP Archive Site
> > 230-
> ...
> > 230 Guest login ok, access restrictions apply.
> > site exec %x%x
> > 200-d2
> > 200  (end of '%x%x')
> > site exec %n%n%n
> > Connection closed by foreign host.
>
>
> -KF
>
>
> -------------------------------------------------
> subject: [Full-Disclosure] SCO Web Site Vulnerable to 
> Slapper? integerdotonefourfivenine () yahoo com wrote:
>
> They seem to be running Apache/1.3.14 (Unix)
> mod_ssl/2.7.1 OpenSSL/0.9.6 PHP/4.3.2-RC on Linux,
> which, if I have my facts straight, is vulnerable to 
> <URL:http://www.cert.org/advisories/CA-2002-27.html>.
>
> Am I correct?

Unfortunately, the version number reported is not always accurate. Very
often [or too often] admins will recompile customized fixes of their
software and not bother with upgrading the version number.

Some have even recommended this kind of tactic as a security measure, to
throw people off. However, it makes remote checking - automated checking
- of systems by administrators more difficult, and depending on the
issue, potentially impossible. With plain text protocols it can be
extremely difficult to ascertain whether or not they have a fix for a
security issue unless they have upgraded their version number or one is
willing to crash one's server with a live test.

With binary protocols and major upgrades there tends to be more of a
chance that one can do a non-intrusive check that does not require a
crash and does not require version numbers.

This said, it would be illegal to actually test their site, so let them
handle the hassle. It is unprofessional and rude of them not to respond
about this concern, but that and telling people is all you can do.


> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html