http://www.kb.cert.org/vuls/id/102795
This vulnerability was among the topics discussed in CA-2002-23 "Multiple Vulnerabilities In OpenSSL".
http://www.cert.org/advisories/CA-2002-23.html
Although this OpenSSL server vulnerability exists on many platforms, the Apache/mod_ssl worm appears to work only on Linux systems on Intel architectures that run Apache with the OpenSSL module (mod_ssl) enabled.
The Apache/mod_ssl worm scans for potentially vulnerable systems on port 80/tcp using an invalid HTTP GET request:
GET /mod_ssl:error:HTTP-request HTTP/1.0
When an Apache system is detected, the worm attempts to send exploit code to the SSL service via 443/tcp. If this succeeds, it copies the malicious source code onto the victim server and tries to compile and run it. Once infected, the victim server begins scanning other hosts to continue spreading the worm.
In addition, the Apache/mod_ssl worm can act as a platform for distributed denial-of-service (DDoS) attacks against other hosts by building a network of infected hosts. During the infection process, the attacking host instructs the newly infected victim to initiate a connection back to the attacker on 2002/udp. Once this channel is established, the infected system becomes part of the Apache/mod_ssl worm's DDoS network. Infected hosts can then share information with other infected systems, including attack instructions. The 2002/udp traffic can therefore be used by an attacker as a communication channel between infected systems to coordinate attacks on other sites.
Identifying infected hosts
Reports indicate that the Apache/mod_ssl worm's source code is placed at /tmp/.bugtraq.c on infected systems. It is compiled with gcc, so the resulting executable is stored at /tmp/.bugtraq; therefore the presence of either of the following files on a Linux system running Apache with OpenSSL enabled indicates infection:
/tmp/.bugtraq.c
/tmp/.bugtraq
During the probing phase of the attack, the web server logs may show:
GET /mod_ssl:error:HTTP-request HTTP/1.0
Note that the appearance of this string in the web server logs does not mean the server is infected; it is only evidence of a probe from an infected system.
Reports received by CERT/CC indicate that Apache systems may subsequently log messages similar to the following:
[error] SSL handshake failed: HTTP spoken on HTTPS port; trying to send
HTML error page (OpenSSL library error follows)
[error] OpenSSL: error:1407609C:SSL
routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to
HTTPS port!?]
The actual strings may vary from system to system, but they generally include an "SSL handshake failed" entry followed by an OpenSSL library error.
Finding a host listening for or transmitting data on 2002/udp is also an indication of infection by the Apache/mod_ssl worm.
Detecting Apache/mod_ssl worm activity on the network
Infected systems can be readily identified on the network by the following traffic characteristics:
* Probing -- scanning on 80/tcp
* Propagation -- connections to 443/tcp
* Distributed denial of service (DDoS) -- transmitting or receiving datagrams with both source and destination port 2002/udp. This traffic serves as the communication channel by which infected systems coordinate attacks on other systems.
In addition, infected systems actively participating in DDoS attacks against other systems may generate large volumes of attack traffic using various protocols (e.g., TCP, UDP, ICMP).
- ------ Systems Affected -----------------------------------------------------------
Linux systems on Intel x86 architectures running Apache with mod_ssl accessing SSLv2-enabled OpenSSL 0.9.6d or earlier.
- ------ Solution -------------------------------------------------------------------
Apply a patch
Administrators of all systems running OpenSSL are encouraged to review the vendor patch recommendations in CA-2002-23 and VU#102795:
http://www.cert.org/advisories/CA-2002-23.html
http://www.kb.cert.org/vuls/id/102795
Note that the vulnerability exploited by the Apache/mod_ssl worm has been fixed since OpenSSL 0.9.6e; as of this writing the latest version of OpenSSL is 0.9.6g, and administrators may wish to upgrade to that version:
http://www.openssl.org/source/
The following is taken in part from CA-2002-23.
Upgrade to OpenSSL version 0.9.6e
Upgrade OpenSSL to version 0.9.6e to resolve the issues above. Patches are available at:
http://www.openssl.org/news/patch_20020730_0_9_6d.txt
After applying the patches or upgrading to 0.9.6e, recompile and restart every application that uses OpenSSL to provide SSL or TLS services; this removes all of the vulnerable code.
Hosts running the OpenSSL pre-release version 0.9.7-beta2 can upgrade to 0.9.7-beta3 to correct these vulnerabilities. Patches are available at:
http://www.openssl.org/news/patch_20020730_0_9_7.txt
Disable SSLv2
Disabling SSLv2 handshaking prevents exploitation of VU#102795. CERT/CC recommends consulting the mod_ssl documentation on this topic; one method is to remove SSLv2 as a supported cipher in the SSLCipherSuite directive of the configuration file. For example,
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+SSLv2
which allows SSLv2, can be changed to
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!SSLv2
which disables SSLv2. Note the change from +SSLv2 to !SSLv2.
However, systems may still be affected by the other vulnerabilities described in CA-2002-23.
Recovering from a system compromise
If you confirm that a system under your administrative control has been compromised, follow the steps described in:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
- ------ Impact ---------------------------------------------------------------------
Infection by the Apache/mod_ssl worm indicates that a remote attacker can execute arbitrary code on the victim system with the privileges of the apache user. The attacker may subsequently use a local privilege escalation to obtain root privileges. Furthermore, the DDoS capability of the Apache/mod_ssl worm allows the victim system to be used to attack other systems.
- ------ Contact TW-CERT ------------------------------------------------------------
Tel: 886-7-5250211 FAX: 886-7-5250212
886-2-23563303 886-2-23924082
Email: [email protected]
URL: http://www.cert.org.tw/
PGP key: http://www.cert.org.tw/eng/pgp.htm
===============================================================================
Attachment: [CERT Advisory CA-2002-27 Apache/mod_ssl Worm]
- - ----- Original text ----------------------------------------------------------------
CERT Advisory CA-2002-27 Apache/mod_ssl Worm
Original release date: September 14, 2002
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* Linux systems running Apache with mod_ssl accessing SSLv2-enabled
OpenSSL 0.9.6d or earlier on Intel x86 architectures
Overview
The CERT/CC has received reports of self-propagating malicious code
which exploits a vulnerability (VU#102795) in OpenSSL. This malicious
code has been referred to as Apache/mod_ssl worm, linux.slapper.worm
and bugtraq.c worm.
I. Description
The Apache/mod_ssl worm is self-propagating malicious code that
exploits the OpenSSL vulnerability described in VU#102795.
http://www.kb.cert.org/vuls/id/102795
This vulnerability was among the topics discussed in CA-2002-23
"Multiple Vulnerabilities In OpenSSL".
http://www.cert.org/advisories/CA-2002-23.html
While this OpenSSL server vulnerability exists on a wide variety of
platforms, the Apache/mod_ssl worm appears to work only on Linux
systems running Apache with the OpenSSL module (mod_ssl) on Intel
architectures.
The Apache/mod_ssl worm scans for potentially vulnerable systems on
80/tcp using an invalid HTTP GET request.
GET /mod_ssl:error:HTTP-request HTTP/1.0
When an Apache system is detected, it attempts to send exploit code to
the SSL service via 443/tcp. If successful, a copy of the malicious
source code is then placed on the victim server, where the attacking
system tries to compile and run it. Once infected, the victim server
begins scanning for additional hosts to continue the worm's
propagation.
Additionally, the Apache/mod_ssl worm can act as an attack platform
for distributed denial-of-service (DDoS) attacks against other sites
by building a network of infected hosts. During the infection process,
the attacking host instructs the newly-infected victim to initiate
traffic on 2002/udp back to the attacker. Once this communications
channel has been established, the infected system becomes part of the
Apache/mod_ssl worm's DDoS network. Infected hosts can then share
information on other infected systems as well as attack instructions.
Thus, the 2002/udp traffic can be used by a remote attacker as a
communications channel between infected systems to coordinate attacks
on other sites.
Identifying infected hosts
Reports indicate that the Apache/mod_ssl worm's source code is placed
in /tmp/.bugtraq.c on infected systems. It is compiled with gcc,
resulting in the executable binary being stored at /tmp/.bugtraq;
therefore, presence of any of the following files on Linux systems
running Apache with OpenSSL is indicative of compromise.
/tmp/.bugtraq.c
/tmp/.bugtraq
The probing phase of the attack may show up in web server logs as:
GET /mod_ssl:error:HTTP-request HTTP/1.0
Note that the appearance of this entry in a web server log is not
indicative of compromise, but is merely evidence of a probe from an
infected system.
Reports received by the CERT/CC indicate that Apache systems may
subsequently log messages similar to the following:
[error] SSL handshake failed: HTTP spoken on HTTPS port; trying
to send HTML error page (OpenSSL library error follows)
[error] OpenSSL: error:1407609C:SSL
routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking
HTTP to HTTPS port!?]
Actual log entries may vary from system to system, but will generally
include an "SSL handshake failed" followed by an OpenSSL library
error.
Hosts found to be listening for or transmitting data on 2002/udp are
also indicative of compromise by the Apache/mod_ssl worm.
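The host indicators listed above (and in the Chinese summary earlier on this page) can be turned into a small triage check. The Python below is an added example, not code from CERT/CC or TW-CERT: it matches the probe request, the "SSL handshake failed" / OpenSSL error pair and the /tmp/.bugtraq paths exactly as the advisory quotes them, while the sample access-log, error-log and netstat lines are constructed here for illustration.

```python
import re
from pathlib import Path

# Probe request the worm sends on 80/tcp (quoted from the advisory).
PROBE_REQUEST = "GET /mod_ssl:error:HTTP-request HTTP/1.0"

# The advisory says exact wording varies, but an "SSL handshake failed"
# entry is generally followed by an OpenSSL library error of the form
# "OpenSSL: error:<hex code>:...".
HANDSHAKE_FAILED = re.compile(r"SSL handshake failed")
OPENSSL_ERROR = re.compile(r"OpenSSL: error:[0-9A-Fa-f]+:")

# File indicators named in the advisory (worm source and compiled binary).
FILE_INDICATORS = ("/tmp/.bugtraq.c", "/tmp/.bugtraq")

# Constructed sample log lines (not real captures) in Apache's access-log
# and error-log formats. 198.51.100.5 plays the probing host.
SAMPLE_ACCESS_LOG = [
    '198.51.100.5 - - [14/Sep/2002:10:00:01 +0000] '
    '"GET /mod_ssl:error:HTTP-request HTTP/1.0" 404 - "-" "-"',
    '192.0.2.77 - - [14/Sep/2002:10:00:05 +0000] '
    '"GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"',
]
SAMPLE_ERROR_LOG = [
    "[Sat Sep 14 10:00:02 2002] [error] SSL handshake failed: HTTP spoken on "
    "HTTPS port; trying to send HTML error page (OpenSSL library error follows)",
    "[Sat Sep 14 10:00:02 2002] [error] OpenSSL: error:1407609C:SSL "
    "routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to "
    "HTTPS port!?]",
]

# Constructed `netstat -anu`-style output (header line plus socket lines).
SAMPLE_NETSTAT = [
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
    "udp        0      0 0.0.0.0:2002            0.0.0.0:*",
    "udp        0      0 0.0.0.0:123             0.0.0.0:*",
]


def triage_log_lines(lines):
    """Count probe requests and handshake-failure messages in log lines.

    Per the advisory these prove that an infected host probed this server,
    not that this server is compromised; the probe sources are collected so
    they can be followed up separately.
    """
    probes, probe_sources, handshakes, openssl_errors = 0, set(), 0, 0
    for line in lines:
        if PROBE_REQUEST in line:
            probes += 1
            probe_sources.add(line.split(" ", 1)[0])  # client IP field
        if HANDSHAKE_FAILED.search(line):
            handshakes += 1
        if OPENSSL_ERROR.search(line):
            openssl_errors += 1
    return {
        "probes": probes,
        "probe_sources": sorted(probe_sources),
        "handshake_failures": handshakes,
        "openssl_errors": openssl_errors,
    }


def udp_2002_sockets(netstat_lines):
    """Return local addresses of UDP sockets bound to port 2002.

    Input is `netstat -anu` text (proto, recv-q, send-q, local, foreign);
    a listener on 2002/udp is an infection indicator in the advisory.
    """
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue
        local = fields[3]
        if local.rsplit(":", 1)[-1] == "2002":
            hits.append(local)
    return hits


def check_file_indicators(root="/"):
    """Return the advisory's indicator paths that exist under root.

    root defaults to the live filesystem; pointing it at a mounted image of
    a suspect host is an assumed usage, not something the advisory describes.
    """
    base = Path(root)
    return [p for p in FILE_INDICATORS if (base / p.lstrip("/")).exists()]


if __name__ == "__main__":
    print(triage_log_lines(SAMPLE_ACCESS_LOG + SAMPLE_ERROR_LOG))
    print(udp_2002_sockets(SAMPLE_NETSTAT))
    print(check_file_indicators())
```

The three functions deliberately report different things: a hit from `check_file_indicators` or `udp_2002_sockets` on a Linux/Apache/OpenSSL host is a compromise indicator, whereas `triage_log_lines` only names the hosts that probed you, which is what the advisory says the log entries mean.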
Detecting Apache/mod_ssl worm activity on the network
Infected systems are readily identifiable on a network by the
following traffic characteristics:
* Probing -- Scanning on 80/tcp
* Propagation -- Connections to 443/tcp
* DDoS -- Transmitting or receiving datagrams with both source and
destination ports 2002/udp. This traffic is used as a
communications channel between infected systems to coordinate
attacks on other sites.
Additionally, infected hosts that are actively participating in DDoS
attacks against other systems may generate unusually high volumes of
attack traffic using various protocols (e.g., TCP, UDP, ICMP).
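The three traffic characteristics above (also listed in the Chinese section of this page) map directly onto a flow-level detector. The following Python is an added example rather than anything CERT/CC published: the flow records, the scan threshold of 20 distinct targets, and the decision to report 443/tcp connections only from a host that is also scanning 80/tcp (plain HTTPS traffic is normal on its own) are all assumptions made here.

```python
from collections import defaultdict

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto).
# 198.51.100.5 plays an infected system: it sweeps 25 hosts on 80/tcp,
# connects to 443/tcp on one of them, and exchanges 2002/udp <-> 2002/udp
# datagrams with 203.0.113.9. 192.0.2.77 is an ordinary web client.
SAMPLE_FLOWS = [
    ("198.51.100.5", 33000 + i, f"192.0.2.{i}", 80, "tcp") for i in range(1, 26)
] + [
    ("198.51.100.5", 33100, "192.0.2.3", 443, "tcp"),
    ("198.51.100.5", 2002, "203.0.113.9", 2002, "udp"),
    ("203.0.113.9", 2002, "198.51.100.5", 2002, "udp"),
    ("192.0.2.77", 51000, "192.0.2.1", 80, "tcp"),
]

# Assumed threshold: this many distinct 80/tcp targets from one source in the
# observation window counts as scanning. The advisory gives no number.
SCAN_THRESHOLD = 20


def classify_flows(flows, scan_threshold=SCAN_THRESHOLD):
    """Map hosts to the worm traffic characteristics they exhibit.

    probing      - distinct 80/tcp targets >= scan_threshold
    propagation  - 443/tcp connections from a host that is also probing
    ddos_channel - datagrams whose source and destination port are both
                   2002/udp; both endpoints are reported
    """
    targets_80 = defaultdict(set)
    targets_443 = defaultdict(set)
    udp_2002_peers = set()
    for src, sport, dst, dport, proto in flows:
        if proto == "tcp" and dport == 80:
            targets_80[src].add(dst)
        elif proto == "tcp" and dport == 443:
            targets_443[src].add(dst)
        elif proto == "udp" and sport == 2002 and dport == 2002:
            udp_2002_peers.update((src, dst))

    findings = defaultdict(list)
    for src, dsts in targets_80.items():
        if len(dsts) >= scan_threshold:
            findings[src].append("probing")
            if targets_443.get(src):
                findings[src].append("propagation")
    for host in sorted(udp_2002_peers):
        findings[host].append("ddos_channel")
    return dict(findings)


if __name__ == "__main__":
    for host, tags in classify_flows(SAMPLE_FLOWS).items():
        print(host, ",".join(tags))
```

On the constructed flows the scanner is tagged with all three characteristics and its 2002/udp peer with `ddos_channel` only; the ordinary client, with one 80/tcp target, is not reported. The 2002/udp rule needs no threshold because the advisory ties that port pair specifically to the worm's coordination channel.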
II. Impact
Compromise by the Apache/mod_ssl worm indicates that a remote attacker
can execute arbitrary code as the apache user on the victim system. It
may be possible for an attacker to subsequently leverage a local
privilege escalation exploit in order to gain root access to the
victim system. Furthermore, the DDoS capabilities included in the
Apache/mod_ssl worm allow victim systems to be used as platforms to
attack other systems.
III. Solution
Apply a patch
Administrators of all systems running OpenSSL are encouraged to review
CA-2002-23 and VU#102795 for detailed vendor recommendations regarding
patches.
http://www.cert.org/advisories/CA-2002-23.html
http://www.kb.cert.org/vuls/id/102795
Note that while the vulnerability exploited by the Apache/mod_ssl worm
was fixed beginning with OpenSSL version 0.9.6e, as of this writing
the latest version of OpenSSL is 0.9.6g. Administrators may wish to
upgrade to that version instead.
http://www.openssl.org/source/
The following is reproduced in part from CA-2002-23
Upgrade to version 0.9.6e of OpenSSL
Upgrade to version 0.9.6e of OpenSSL to resolve the issues
addressed in this advisory. As noted in the OpenSSL advisory,
separate patches are available:
Combined patches for OpenSSL 0.9.6d:
http://www.openssl.org/news/patch_20020730_0_9_6d.txt
After either applying the patches above or upgrading to 0.9.6e,
recompile all applications using OpenSSL to support SSL or TLS
services, and restart said services or systems. This will eliminate
all known vulnerable code.
Sites running OpenSSL pre-release version 0.9.7-beta2 may wish to
upgrade to 0.9.7-beta3, which corrects these vulnerabilities.
Separate patches are available as well:
Combined patches for OpenSSL 0.9.7 beta 2:
http://www.openssl.org/news/patch_20020730_0_9_7.txt
Disable SSLv2
Disabling SSLv2 handshaking will prevent exploitation of VU#102795.
CERT/CC recommends consulting the mod_ssl documentation for a complete
description of the options but one method for disabling SSLv2 is to
remove SSLv2 as a supported cipher in the SSLCipherSuite directive in
the configuration file. For example:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+SSLv2
which allows SSLv2 can be changed to
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!SSLv2
which will disable SSLv2. Note the changing of +SSLv2 to !SSLv2.
However, systems may still be susceptible to the other vulnerabilities
described in CA-2002-23.
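The SSLCipherSuite change described above (and in the Chinese section of this page) can be checked and applied mechanically across a configuration. The Python below is an added example, not a CERT/CC or mod_ssl tool: it follows the advisory in treating only a `!SSLv2` token as disabling SSLv2 (since `ALL` and `+SSLv2` keep those ciphers available), the conservative handling of `-SSLv2` is an assumption made here, and the configuration fragment is constructed.

```python
import re

# Matches an SSLCipherSuite line in mod_ssl configuration and captures its
# indentation and cipher specification.
DIRECTIVE = re.compile(r"^(\s*)SSLCipherSuite\s+(\S+)\s*$", re.IGNORECASE)

# Constructed configuration fragment in the shape of the advisory's example.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+SSLv2
</VirtualHost>
"""


def sslv2_enabled(cipher_spec):
    """True unless the cipher spec removes SSLv2 ciphers with '!SSLv2'.

    Following the advisory, '+SSLv2' only reorders SSLv2 ciphers and 'ALL'
    includes them, so they stay available; '!SSLv2' deletes them for good.
    A '-SSLv2' token can be undone by a later token, so it is conservatively
    treated as still enabled (an assumption of this example).
    """
    return "!SSLv2" not in cipher_spec.split(":")


def harden_cipher_spec(cipher_spec):
    """Drop tokens that enable SSLv2 and append '!SSLv2' if it is missing."""
    tokens = [t for t in cipher_spec.split(":")
              if t not in ("SSLv2", "+SSLv2", "-SSLv2")]
    if "!SSLv2" not in tokens:
        tokens.append("!SSLv2")
    return ":".join(tokens)


def harden_config(text):
    """Rewrite each SSLCipherSuite line that still allows SSLv2.

    Returns the new configuration text and a list of (old, new) directive
    pairs so the change can be reviewed before the server is restarted.
    """
    out, changed = [], []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m and sslv2_enabled(m.group(2)):
            new = f"{m.group(1)}SSLCipherSuite {harden_cipher_spec(m.group(2))}"
            changed.append((line.strip(), new.strip()))
            out.append(new)
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_text, changed = harden_config(SAMPLE_CONF)
    for old, new in changed:
        print(f"- {old}\n+ {new}")
    print(new_text)
```

Running this on the advisory's own example turns `ALL:!ADH:RC4+RSA:+HIGH:+SSLv2` into `ALL:!ADH:RC4+RSA:+HIGH:!SSLv2`, exactly the corrected line shown above, and a second pass reports nothing to change. As the advisory notes, this removes only the SSLv2 handshake path; the server still needs the patched or upgraded OpenSSL and a restart to be free of the other CA-2002-23 issues.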
Recovering from a system compromise
If you believe a system under your administrative control has been
compromised, please follow the steps outlined in
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
Reporting
The CERT/CC is interested in receiving reports of this activity. If
machines under your administrative control are compromised, please
send mail to [email protected] with the following text included in the
subject line: "[CERT#23820]".
_________________________________________________________________
Feedback can be directed to the author: Allen Householder
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2002-27.html
______________________________________________________________________
CERT/CC Contact Information
Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to [email protected]. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
Revision History
September 14, 2002: Initial release
===============================================================================
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQEVAwUBPZB6pacyQYefg2/NAQHrpgf8CIO1jQSYrGWfYRAxROyoTWtF9ZgEIMTe
akMjB4f2OT9PyOlLh7GqDr18E2Je4G/KVBHC+FFPdlLbGcwShp2FrWro0f8wKzmn
//T+uW4rghpzjeKAhN0AiA3QR9Cy+czBYj0caaAHfLvdzGS+zb5yOs28f7FwPlb2
f2R/Il1AOu+fnmqFRRUBRuUBqKFMDPo/bciiCs+KfqoFI3JDHk3O2jD3BM+6Pqj3
j5v/XmN2z+4ckSj9w3KIh8KrLCVB3f9A8mgYNHTJcSjIJw4n0RZ+zVMDDw/za1VV
tfli1LjMMgnZwpwIYfEu//eSZDI08fErz8/DntkdNRTl+5aibErySA==
=o9ex
-----END PGP SIGNATURE-----
--
Taiwan Computer Emergency Response Team Security Advisory mailing list.
Mail to : [email protected] and include a line "subscribe advisory".
Please visit http://www.cert.org.tw/.
PGP key : http://www.cert.org.tw/eng/pgp.htm
--
Bigfish
--
※ Posted by bigfish from 61-223-139-161.HINET-IP.
風與塵埃的對話 BBS · wdbbs.net
-----BEGIN PGP SIGNED MESSAGE-----
TW-CA-2002-194-[CERT Advisory CA-2002-27 Apache/mod_ssl Worm]
- -------------------------------------------------------------------------------
TWCERT release date: 2002-09-24
Original vulnerability release date: 2002-09-14
Category: Gain Privilege; Denial of Service
Source reference: CA-2002-27
- ------ Overview -------------------------------------------------------------------
CERT/CC has received reports of self-propagating malicious code that exploits an OpenSSL vulnerability (VU#102795). This malicious code has been referred to as the Apache/mod_ssl worm, linux.slapper.worm and the bugtraq.c worm.
- ------ Description ----------------------------------------------------------------
The Apache/mod_ssl worm is self-propagating malicious code that exploits the OpenSSL vulnerability described in VU#102795.