It seems to be another stupid Microsoft Exploit that just causes annoyance for Unix Boxes. The only side effect is they fill my dmesg logs with signal 11's from apache crashing.
Am I the only one that sees the irony that Apache seg faults from an attack aimed at Msoft?!
At 11:07 AM 5/31/2004, Mike Nice wrote:
> It seems to be another stupid Microsoft Exploit that just causes annoyance for Unix Boxes. The only side effect is they fill my dmesg logs with signal 11's from apache crashing.
> Am I the only one that sees the irony that Apache seg faults from an attack aimed at Msoft?!

I mentioned that too to the original poster, but they didn't seem that concerned since Apache respawns itself. I thought if it can be crashed by cramming too much info into a buffer before it's truncated, that's considered a buffer overflow. I'm no programmer and may be off base here but it just struck me as odd also. You're not alone Mike. :)

Vinny Abello
Network Engineer
Server Management
vinny@tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and those that don't.
Vinny Abello wrote:
> At 11:07 AM 5/31/2004, Mike Nice wrote:
>> It seems to be another stupid Microsoft Exploit that just causes annoyance for Unix Boxes. The only side effect is they fill my dmesg logs with signal 11's from apache crashing.
>> Am I the only one that sees the irony that Apache seg faults from an attack aimed at Msoft?!
> I mentioned that too to the original poster, but they didn't seem that concerned since Apache respawns itself. I thought if it can be crashed by cramming too much info into a buffer before it's truncated, that's considered a buffer overflow. I'm no programmer and may be off base here but it just struck me as odd also. You're not alone Mike. :)

I'm not sure what the background message is here--and I certainly don't know what the issues involved in handling the attack gracefully are, but it does seem clear to me that crash-and-respawn is a better idea than multiply-the-attacker-and-the-damage-diameter is.

--
Requiescas in pace o email
Ex turpi causa non oritur actio
http://members.cox.net/larrysheldon/
----- Original Message -----
From: "Vinny Abello" <vinny@tellurian.com>
To: "Mike Nice" <niceman@att.net>
Cc: <nanog@merit.edu>
Sent: Monday, May 31, 2004 11:31 AM
Subject: Re: What HTTP exploit?

-- snip --
> I thought if it can be crashed by cramming too much info into a buffer before it's truncated, that's considered a buffer overflow. I'm no programmer and may be off base here but it just struck me as odd also.

it could also be a heap overflow (unless we are talking fbsd, for example). regardless, i would be very interested in having a look at that gentleman's apache setup to see if we can crash it reliably <g>

paul
On May 31, 2004, at 12:45 PM, Bob Martin wrote:
> The real irony is that it doesn't bother Apache running on NT :)
> In all fairness, somewhere along the line there was a patch for this. All my Apache servers do is put "request failed: URI too long" in the error log. Even without the fix it really wasn't anything more than a nuisance. Killing off one child process had no effect on valid sessions or the parent process.

This also has no effect on Apache 1.3.28 on OpenBSD 3.4 (-stable), other than logging an extremely long request string. Of course, the OpenBSD folks audit/patch their own version of Apache, so it might have the patch you mention.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
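Added example, not part of any poster's message: a small triage script that separates the two outcomes described in the thread, a clean "request failed: URI too long" rejection versus a child process dying with signal 11. The sample log lines are constructed, and the Apache 1.3-style error_log layout they follow is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in assumed Apache 1.3 error_log style (not from the thread).
SAMPLE_LOG = """\
[Mon May 31 11:02:14 2004] [error] [client 192.0.2.10] request failed: URI too long
[Mon May 31 11:02:15 2004] [notice] child pid 4121 exit signal Segmentation fault (11)
[Mon May 31 11:03:40 2004] [error] [client 192.0.2.10] request failed: URI too long
[Mon May 31 11:05:02 2004] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Mon May 31 11:06:31 2004] [notice] child pid 4130 exit signal Segmentation fault (11)
[Mon May 31 11:09:55 2004] [error] [client 203.0.113.5] request failed: URI too long
"""

# [timestamp] [level] optional [client ip] message
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
SEGV = re.compile(r"child pid (\d+) exit signal Segmentation fault \(11\)")

def triage(log_text):
    """Count clean URI-too-long rejections per client and list child segfaults."""
    rejected, crashed, skipped = Counter(), [], 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            skipped += 1          # unparseable line: count it, do not guess
            continue
        msg = m.group("msg")
        if m.group("client") and msg.startswith("request failed: URI too long"):
            rejected[m.group("client")] += 1
            continue
        hit = SEGV.search(msg)
        if hit:
            crashed.append((m.group("ts"), int(hit.group(1))))
    return {"rejected": rejected, "crashed": crashed, "skipped": skipped}

def verdict(result):
    """Crashes outrank rejections: a dying child means the request was not handled safely."""
    if result["crashed"]:
        return "child crashes present: check Apache version and patches"
    if result["rejected"]:
        return "oversized requests rejected cleanly"
    return "nothing relevant"

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(r["rejected"].most_common(), r["crashed"], verdict(r))
```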
participants (6)
- Bob Martin
- Jason Dixon
- Laurence F. Sheldon, Jr.
- Mike Nice
- Paul G
- Vinny Abello