Apache_mod_ssl Worm Alert

Reference
Bugtraq ID 5363, Subj: OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability

Risk Impact
High

Affected Components

Red-Hat: Apache 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.22, 1.3.23, 1.3.26

SuSe: Apache 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23

Mandrake: Apache 1.3.14, 1.3.19, 1.3.20, 1.3.23

Slackware: Apache 1.3.26

Debian: Apache 1.3.26

Overview
The Symantec DeepSight Threat Analyst Team has learned of the existence of a new exploit for the OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow vulnerability, targeting Apache Web servers hosted on various Linux platforms.

The exploit also includes a number of peer-to-peer capabilities, which allow it to communicate with other clients and participate in a Distributed Denial of Service (DDoS) network. To perform these activities, the exploit code listens on UDP port 2002.

The exploit further exhibits worm behavior: indications are that, once it is set up, it scans for and attempts to propagate to other vulnerable systems.

It is confirmed through various sources that this worm is in the wild and actively attacking other servers. Over 3500 IP addresses have been recorded as the source of scanning and associated activity, according to DeepSight Threat Management System data and other sources.

Details
The exploit code analyzed by the Symantec DeepSight Threat Analyst Team targets the Apache Web server on a number of Linux distributions, including versions of RedHat, Slackware, Debian, SuSE, and Mandrake. By sending a malformed client key, the exploit opens a shell on the client machine, which is then used to upload the exploit source code in uuencoded format.
Using the same shell, it then uudecodes and compiles the source and runs it with an IP address as a parameter.

Once certain pre-conditions are met, the exploit appears to scan for and target vulnerable machines. It scans for vulnerable machines in the following /8 networks:

3, 4, 6, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26, 28, 29, 30, 32, 33, 34, 35, 38, 40, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 61, 62, 63, 64, 65, 66, 67, 68, 80, 81, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239

When scanning, the worm first connects to port 80 of a target machine to determine whether it can communicate with that port. It then sends the following request:

GET / HTTP/1.1\r\n\r\n

Since this is an invalid HTTP/1.1 request (it is missing the "Host:" header), a typical Apache server will respond with something similar to the following:

HTTP/1.1 400 Bad Request
Date: Fri, 13 Sep 2002 10:24:13 GMT
Server: Apache/1.3.22 (Unix) (Red-Hat/Linux)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

The exploit then scans the reply for the "Server:" string. If the value of that header starts with "Apache", the exploit judges the target to be a candidate for exploitation.

The exploit also appears to contain a number of peer-to-peer features, which would allow it to communicate with a network of other infected hosts.
This would allow the attacker to control a large number of infected hosts in a future DDoS attack.

Symantec Security Response
The initial analysis of the Apache/mod_ssl Worm by the Symantec DeepSight Threat Management System team indicates that it is using the OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow vulnerability to propagate. This vulnerability is a buffer overflow in vulnerable versions of the OpenSSL engine, which allows an attacker to execute arbitrary code on the server. The overflow exists in the code that handles keys sent by clients. A malicious client can send a malformed key, allowing the attacker access to sensitive memory areas.

Patches are available for numerous operating systems and engines. The authors of the OpenSSL software have released a new version, 0.9.6e, which corrects the issue. Since the release of 0.9.6e, the authors have released a number of versions that incorporate this patch and fix other issues. Currently, the most recent version is 0.9.6g.

A workaround has been suggested to safeguard against this exploit:

If administrators are unable to install the patch, it may be possible to disable the SSL engine in the Apache Web server. This can be achieved by modifying the configuration file to remove any configuration items regarding SSL. This includes, but is not limited to, the

"LoadModule"
"AddModule"
"Listen 443"

directives in the configuration file. Symantec recommends that administrators keep a backup copy of the configuration file, for comparison and recovery purposes.

Administrators may also disable the use of SSL version 2, which is the protocol containing the vulnerability used by this worm.
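An added example (not Symantec's or the Apache project's code) of applying the SSLCipherSuite workaround described next in this advisory to an httpd.conf: it rewrites "+SSLv2" to "!SSLv2" or appends "!SSLv2" to any directive that still permits SSLv2, and leaves already-hardened directives alone. The configuration excerpt is constructed for the example.

```python
import re

# Constructed httpd.conf excerpt (not from the advisory). The first directive
# still admits SSLv2 via "+SSLv2"; the second never mentions SSLv2 at all.
SAMPLE_CONF = """\
# SSL/TLS settings
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
<VirtualHost _default_:443>
    SSLCipherSuite HIGH:MEDIUM
</VirtualHost>
"""

# Matches an uncommented SSLCipherSuite line: (prefix)(cipher string)(rest).
DIRECTIVE = re.compile(r"^(\s*SSLCipherSuite\s+)(\S+)(.*)$", re.IGNORECASE)


def allows_sslv2(cipher_string):
    """True unless the cipher string kills SSLv2 outright with '!SSLv2'.
    A plain '-SSLv2' only removes the ciphers, and a later token may re-add
    them, so only '!' counts as disabled."""
    return not any(t.upper() == "!SSLV2" for t in cipher_string.split(":"))


def harden_cipher_string(cipher_string):
    """Advisory workaround: turn '+SSLv2' (or bare 'SSLv2') into '!SSLv2',
    otherwise append '!SSLv2'. Idempotent on already-hardened strings."""
    tokens = cipher_string.split(":")
    if any(t.upper() == "!SSLV2" for t in tokens):
        return cipher_string
    tokens = ["!SSLv2" if t.upper() in ("+SSLV2", "SSLV2") else t
              for t in tokens]
    if not any(t.upper() == "!SSLV2" for t in tokens):
        tokens.append("!SSLv2")
    return ":".join(tokens)


def harden_config(text):
    """Rewrite every SSLCipherSuite directive that still allows SSLv2.
    Returns (new_text, list of 1-based line numbers that were changed)."""
    out, changed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m and allows_sslv2(m.group(2)):
            line = m.group(1) + harden_cipher_string(m.group(2)) + m.group(3)
            changed.append(lineno)
        out.append(line)
    return "\n".join(out) + "\n", changed
```

Run the result past the advisory's own check ("openssl s_client") after restarting Apache; a rewritten file is only as good as the directive the running server actually loaded.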
Symantec recommends that administrators consult the documentation for their particular product and distribution, but the following steps could prevent the use of the vulnerable SSLv2 cipher suites while still allowing TLS or SSLv3.

After making a backup copy of the configuration file, administrators can modify the "SSLCipherSuite" directive in the configuration file by either:

Adding "!SSLv2" to the end of the directive

Modifying the existing directive from "+SSLv2" to "!SSLv2"

This can be tested using the "openssl s_client" utility, available with the OpenSSL package.

Administrators can also modify the string identifying the server. Because this changes the value returned in the "Server:" header, the exploit would not attempt to exploit and infect that host. These strings are defined in the file "src/include/httpd.h". The following definitions state the vendor, product, and version number:

#define SERVER_BASEVENDOR
#define SERVER_BASEPRODUCT
#define SERVER_BASEREVISION

Once these definitions are changed to custom strings, Apache can be recompiled and the resulting binary used to replace the currently running one.

Removal Instructions
The worm can be killed using the Unix "kill" command with the process id of the ".bugtraq" process. The following three files can also be removed:

/tmp/.uubugtraq
/tmp/.bugtraq.c
/tmp/.bugtraq

Only the "/tmp/.bugtraq" file contains an executable binary of the worm. There do not appear to be any instructions allowing the worm to restart in the event of a system reset.

NOTE: If you suspect that a system has been compromised, isolate the infected system(s) quickly to prevent further compromise of enterprise systems.
Perform forensic analysis and restore the system from trusted media.

Symantec Enterprise Solutions
The Symantec Security Response AntiVirus team has developed a signature for this worm, identifying it as Linux.Slapper.Worm. Beta definitions are currently available via Intelligent Updater. LiveUpdate definitions will be available during the next regularly scheduled LiveUpdate release.

CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2002-0656 to the OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability.

This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Credits
Symantec would like to thank Fernando Nunes for providing a copy of the exploit code for analysis.
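Returning to the scanning behaviour described under Details: an added example (not Symantec's or the worm's code) that recognises the worm's fingerprint request in captured HTTP request heads and mirrors its candidate test on a server reply, so an administrator can confirm that a rebranded "Server:" banner no longer matches. All requests and replies below are constructed samples.

```python
# Constructed samples, not captures from the advisory.
PROBE = b"GET / HTTP/1.1\r\n\r\n"                      # worm's probe: no Host
NORMAL = b"GET / HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: x\r\n\r\n"
HTTP10 = b"GET / HTTP/1.0\r\n\r\n"                     # Host is optional in 1.0
REPLY_DEFAULT = (b"HTTP/1.1 400 Bad Request\r\n"
                 b"Server: Apache/1.3.22 (Unix) (Red-Hat/Linux)\r\n"
                 b"Connection: close\r\n\r\n")
REPLY_REBRANDED = (b"HTTP/1.1 400 Bad Request\r\n"
                   b"Server: WebFront/1.0\r\n"           # custom SERVER_BASE* strings
                   b"Connection: close\r\n\r\n")


def split_headers(msg):
    """Return (start_line, {lower-cased name: value}) for an HTTP message head."""
    head = msg.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            hdrs[name.strip().lower()] = value.strip()
    return lines[0], hdrs


def is_slapper_probe(request):
    """The worm's fingerprint request is exactly 'GET / HTTP/1.1' with no
    Host header. HTTP/1.0 clients legitimately omit Host, so only 1.1 counts."""
    start, hdrs = split_headers(request)
    return start == "GET / HTTP/1.1" and "host" not in hdrs


def worm_would_target(reply):
    """Mirror the worm's candidate test on a reply: a Server: header whose
    value begins with 'Apache'. False means a banner change took effect."""
    _, hdrs = split_headers(reply)
    return hdrs.get("server", "").startswith("Apache")


def count_probes(requests):
    """Count probe-shaped requests in a batch of captured request heads."""
    return sum(1 for r in requests if is_slapper_probe(r))
```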