Linux Community's Journal
 

Wednesday, February 27th, 2002

Time Event
9:43a
Heads up everyone. I learned yesterday of two working exploits for
vulnerabilities in PHP on Apache. Some early details below...

--
Dave Dittrich Computing & Communications
dittrich@cac.washington.edu University Computing Services
http://staff.washington.edu/dittrich University of Washington

PGP key http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

---------- Forwarded message ----------
Date: Tue, 26 Feb 2002 17:48:48 -0800
Subject: PHP exploit (Was Re: Wave of Nimda-like hits this morning?)

On Tuesday, February 26, 2002, at 12:28
>> Whatever this (maybe) new bug is, it's blowing up these boxes left and
>> right...can't figure it out. They're all relatively new 1.3'ish
>> versions I think.
>
> I've heard rumblings of an Apache/PHP exploit making the rounds.
> Any of these machines using PHP by chance?

This just hit the snort-sigs list this afternoon:

From: Brian <bmc@[redacted]>
Date: Tue Feb 26, 2002 04:02:22 US/Pacific
Subject: [Snort-sigs] php overflow signatures

Below are the initial signatures for the PHP overflow that is about to
get a bunch of publication. Have fun and whatnot.

Sourceforge's CVS server is broken, so these are not yet in CVS.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition memchr overlfow"; flags:A+; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; classtype:web-application-attack; sid:1423; rev:1;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 EB OC NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition"; flags:A+; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; sid:1425; rev:1;)



...

sc> > You get this yet? php remote ROOT exploit?
sc> >
sc> > Mandrake 8.0 / apache-1.3.19-3mdk from RPM / PHP/4.X
sc> > RedHat 7.1 / apache-1.3.19-5 from RPM / PHP/4.X
sc> > Debian 2.2r3 / Apache 1.3.20 / PHP 4.0.5 (stack)
sc> > Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1 (apache GOT kill)
sc> > Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1 (stack)
sc> > Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1 (GOT _estrndup)
sc> > Debian 2.2r3 / Apache 1.3.20 / PHP 4.0.3 (GOT _estrndup)
sc> >
sc> > usage: %s [options]
sc> > Options:
sc> > -c check exploitability only, do not exploit
sc> > -f force mode, override check results
sc> > -n no check mode
sc> > -l retloc set retlocation
sc> > -a retaddr set return address
sc> > -t target choose target
sc> > (%d) %s
sc> > 73501867 - x86/linux mod_php v4.0.2rc1-v4.0.5 remote exploit
9:55a
Hello it's me again: Belkin USB KVM and Linux - USB mouse not working :|
Hello there,

I don't know if anybody can help me out with this problem. Basically, I've just got myself a Belkin OmniView USB KVM switch(link here) and it works fine when I use it with Windows, but as soon as I try to use it with Linux (I'm using Mandrake 8.1) I cannot for the life of me get my USB mouse to work (I'm using a m$ explorer mouse).

As far as I can see, the USB mouse is recognised in the system but the cursor will not budge. The keyboard works as it's plugged into the PS/2 port on the front of the switch.

I've tried attaching the mouse directly to the USB port on the back of the Linux box and 'hey presto' it works, but I don't particularly want to have to use an extra mouse for the machine.

Anybody got any suggestions?

Current Mood: awake
1:54p
hm..
Anyone know where to find isos of mandrake gaming edition?? halflife without wine would be rather nice...
