Buffer Overflow (7)

1 Name: Anonymous : 2007-08-25 18:50 ID:7VaTM8S3 [Del]

There appears to be a buffer overflow that affects kareha run on older perl modules through an HTTP cookie poisoning attack that allows (or is SUPPOSED to allow) the attacker to gain control of the host machine and use it as a proxy server or spoof address, among other things. It was targeted at my board run from an older red hat version with an up-to-date apache2 install and an up-to-date kareha. I have updated my perl install and for the time being cut off my HTTPD service entirely. I don't think it worked, but i'm not willing to take any chances with someone infiltrating my network. Is there anything i can do to prevent further attacks of this nature, aside from switching to windows? Or will they appear and pretty much do nothing except mar my log files?

2 Name: Anonymous : 2007-08-25 23:15 ID:Heaven [Del]

well, is the vulnerability in kareha, or perl?

3 Name: !WAHa.06x36 : 2007-08-26 00:13 ID:Heaven [Del]

"Buffer overflows" do not exist in Perl code. While it is possible that there exists some other vulnerability, I don't know of one, and to make any assessment about it I'd have to know what it actually does.

4 Name: Anonymous : 2007-08-26 03:44 ID:Heaven [Del]

Apache has had buffer overflow exploits. Well thankfully this isn't Windows where you could just walsh in the system with a buffer overflow in on of the processes. You have to expressly set forwarding on in a Linux at /etc/sysctl.conf to use it as a proxy without console access.

but things that you can do:

  • use heap instead of stack operations in your OS
  • chroot jail apache
  • turn off apache2 console access in /etc/passwd (chsh www-data /bin/false)
  • set utils like ssh, telnet and nc to access mode root 700

5 Name: Anonymous : 2007-08-26 18:29 ID:7VaTM8S3 [Del]

http://hacker.org.ru/prxjdg.php

this is one of the URLs in one of the GET lines of my apache logs.

http://216.69.161.193/prx.php

this is in my access logs as a GET also.

68.33.144.83 - - [22/Aug/2007:09:02:00 -0400] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9...

[edited for horizontal scroll]

...\x90\x90\x90

This is the thing in particular that worries me.

I don't think anything was accomplished and i'm just going to go ahead and wipe this install out and start over just in case. It looks like he was trying to target either apache or a flaw in PHP. According to the logs, he was using google to search for the default phrases found in each thread or board. I guess at this point i don't need any help, i just wanted to let everyone know that apparently some people are out there looking for this kind of thing to exploit. Security through obscurity truly isn't the best policy ;_;

6 Name: Anonymous : 2007-08-27 10:33 ID:wi4BcWK9 [Del]

> Security through obscurity truly isn't the best policy ;_;

"security through obscurity" implies not being indexed on any search engines

7 Name: !WAHa.06x36 : 2007-08-27 11:24 ID:Heaven [Del]

I dunno, that all sounds like the normal probing for vulnerabilities you'll be subjected to if you put a webserver on the net. Why exactly are you thinking it has anything to do with Kareha?

Name: Link:
Leave these fields empty (spam trap):
More options...
Verification: