
Apache_mod_ssl Worm Alert

Reference
Bugtraq ID 5363, Subj: OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability

Risk Impact
High

Affected Components

  • Red-Hat: Apache 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.22, 1.3.23, 1.3.26

  • SuSe: Apache 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23

  • Mandrake: Apache 1.3.14, 1.3.19, 1.3.20, 1.3.23

  • Slackware: Apache 1.3.26

  • Debian: Apache 1.3.26

Overview
The Symantec DeepSight Threat Analyst Team has learned of the existence of a new exploit for the OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow vulnerability, targeting Apache Web servers hosted on various Linux platforms.

The exploit also includes a number of peer-to-peer capabilities, which allow it to communicate with other infected clients and participate in a Distributed Denial of Service (DDoS) network. To perform these activities, the exploit code listens on UDP port 2002.

The exploit further exhibits worm behavior: indications are that, once it is set up, it scans for and attempts to propagate to other vulnerable systems.

It is confirmed through various sources that this worm is in the wild and actively attacking other servers. Over 3500 IP addresses have been recorded as being the source of scanning and associated activity, according to DeepSight Threat Management System data and other sources.

Details
The exploit code analyzed by the Symantec DeepSight Threat Analyst Team targets the Apache Web server on a number of Linux operating system distributions, including versions of RedHat, Slackware, Debian, SuSE, and Mandrake. By sending a malformed client key, the exploit opens a shell on the client machine, which is then used to upload the exploit source code in a uuencoded format. Using the same shell, it then uudecodes and compiles the source and runs it with an IP address as a parameter.

Once certain pre-conditions are met, the exploit appears to scan and target vulnerable machines. It scans for vulnerable machines in the following /8 networks:

3, 4, 6, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26, 28, 29, 30, 32, 33, 34, 35, 38, 40, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 61, 62, 63, 64, 65, 66, 67, 68, 80, 81, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239

When performing the scanning, the worm first connects to port 80 of a target machine, to determine if it can communicate to that port. It then sends the following request:

GET / HTTP/1.1\r\n\r\n

Since this is an invalid HTTP/1.1 request (it is missing the "Host:" header), a typical Apache server will respond with something similar to the following:

HTTP/1.1 400 Bad Request
Date: Fri, 13 Sep 2002 10:24:13 GMT
Server: Apache/1.3.22 (Unix) (Red-Hat/Linux)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

The exploit then scans the reply for the "Server:" header. If the value of that header starts with "Apache", the exploit judges the target to be a candidate for exploitation.
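The probe described above leaves a recognisable trace in the Web server's own access log: a bare "GET / HTTP/1.1" answered with a 400, carrying no Referer or User-Agent. The following script is an added example (not part of the advisory or of the worm's code) that runs that detection over Apache "combined" format log lines; the log lines are constructed for illustration and the source addresses are documentation ranges. A legitimate HTTP/1.1 client that omits "Host:" would produce the same entry, so a hit is an indicator to correlate with other sources, not proof of infection.

```python
import re
from collections import Counter

# Apache "combined" log format, as written by an Apache 1.3 server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# The worm's scan probe as the advisory describes it: a bare "GET / HTTP/1.1"
# with no Host header, which Apache answers with 400 Bad Request.
PROBE_REQUEST = "GET / HTTP/1.1"
PROBE_STATUS = "400"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_probe(entry):
    """True for a 400 to a bare 'GET / HTTP/1.1' that carried no User-Agent."""
    if entry is None:
        return False
    return (entry["req"] == PROBE_REQUEST
            and entry["status"] == PROBE_STATUS
            and entry.get("ua") in (None, "-"))


def probe_sources(lines):
    """Return {source_ip: number_of_probes} over the given log lines."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if is_probe(entry):
            counts[entry["ip"]] += 1
    return dict(counts)


# Constructed sample log lines (not taken from the advisory or a real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Sep/2002:10:24:13 +0000] "GET / HTTP/1.1" 400 226 "-" "-"',
    '198.51.100.7 - - [13/Sep/2002:10:24:15 +0000] "GET / HTTP/1.1" 400 226 "-" "-"',
    '203.0.113.9 - - [13/Sep/2002:10:25:01 +0000] "GET /index.html HTTP/1.1" 200 1512 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [13/Sep/2002:10:26:40 +0000] "GET / HTTP/1.1" 400 226 "-" "-"',
    '203.0.113.9 - - [13/Sep/2002:10:27:05 +0000] "GET / HTTP/1.0" 200 1512 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, n in sorted(probe_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {n} request(s) matching the worm's scan pattern")
```

Run against a real log with `probe_sources(open("/var/log/httpd/access_log"))`; sources that also show up in firewall logs connecting to TCP 443 immediately afterwards are the ones worth treating as active scanners.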

The exploit also appears to contain a number of peer-to-peer features, which would allow it to communicate with a network of other infected hosts. This would allow the attacker to control a large number of infected hosts in a future DDoS attack.

Symantec Security Response
The initial analysis of the Apache/mod_ssl Worm by the Symantec DeepSight Threat Management System team indicates it is using the OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow vulnerability to propagate. This vulnerability consists of a buffer overflow in vulnerable versions of the OpenSSL engine, which allows an attacker to execute arbitrary code on the server. The buffer overflow exists in the code that handles keys sent by clients. A malicious client can send a malformed key, allowing the attacker access to sensitive memory areas.

Patches are available for numerous operating systems and engines. The authors of the OpenSSL software have released a new version, 0.9.6e, which corrects the issue. Since the release of 0.9.6e, the authors have released a number of versions that incorporate this patch and fix other issues. Currently, the most recent version is 0.9.6g.

A workaround solution has been suggested to safeguard against this exploit:

If administrators are unable to install the patch, it may be possible to disable the SSL engine in the Apache Web server. This can be achieved by modifying the configuration file to remove the SSL-related directives. These include, but are not limited to:

"LoadModule"
"AddModule"
"Listen 443"

directives in the configuration file. Symantec recommends that administrators keep a backup copy of the configuration file, for comparison and recovery purposes.

Administrators may also disable the use of SSL version 2, which is the protocol containing the vulnerability used by this worm. Symantec recommends administrators consult their documentation for their particular product and distribution, but the following steps could prevent the use of the vulnerable SSLv2 cipher, while allowing the use of TLS or SSLv3.

After making a copy of the configuration file for backup purposes, administrators can modify the "SSLCipherSuite" directive in the configuration file by either:

  1. Adding "!SSLv2" to the end of the directive

  2. Modifying the existing directive from "+SSLv2" to "!SSLv2"

This can be tested using the "openssl s_client" utility, available with the OpenSSL package.
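The two workarounds above (removing the SSL directives, or changing "SSLCipherSuite" so that SSLv2 is excluded) can be checked mechanically before a restart. The script below is an added example, not part of the advisory or of Apache, that audits an httpd.conf text for the directives the advisory names and applies the two "SSLCipherSuite" edits it describes. It relies on OpenSSL cipher-list semantics: a "!SSLv2" token permanently removes every SSLv2 cipher wherever it appears in the list, whereas "+SSLv2" only reorders them. The configuration fragment is constructed to resemble a mod_ssl default and is not from the advisory. The audit only inspects the file; the running server should still be confirmed with "openssl s_client" as the advisory recommends.

```python
import re

# Directives named by the advisory's first workaround (disabling SSL entirely).
SSL_LOAD_RE = re.compile(
    r'^\s*(LoadModule\s+ssl_module|AddModule\s+mod_ssl\.c|Listen\s+(\S+:)?443)\b', re.I)
# The directive touched by the second workaround.
CIPHER_RE = re.compile(r'^\s*SSLCipherSuite\s+"?([^"\s]+)"?', re.I)


def directives(conf_text):
    """Yield the non-blank, non-comment lines of an httpd.conf."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def ssl_enabled(conf_text):
    """True while the config still loads mod_ssl or listens on 443."""
    return any(SSL_LOAD_RE.match(line) for line in directives(conf_text))


def cipher_suites(conf_text):
    """All SSLCipherSuite values found in the config."""
    found = []
    for line in directives(conf_text):
        m = CIPHER_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def sslv2_disabled(cipher_list):
    """OpenSSL semantics: '!SSLv2' permanently deletes SSLv2 ciphers regardless
    of position; '+SSLv2' or '-SSLv2' do not guarantee that."""
    tokens = re.split(r'[:, ]+', cipher_list.strip())
    return "!SSLv2" in tokens


def harden_cipher_list(cipher_list):
    """Apply the advisory's edit: turn '+SSLv2' into '!SSLv2', else append '!SSLv2'."""
    tokens = [t for t in re.split(r'[:, ]+', cipher_list.strip()) if t]
    if "!SSLv2" in tokens:
        return ":".join(tokens)
    if "+SSLv2" in tokens:
        return ":".join("!SSLv2" if t == "+SSLv2" else t for t in tokens)
    return ":".join(tokens + ["!SSLv2"])


def harden_conf(conf_text):
    """Return conf_text with every SSLCipherSuite value hardened in place."""
    out = []
    for raw in conf_text.splitlines():
        m = CIPHER_RE.match(raw)
        if m and not raw.lstrip().startswith("#"):
            out.append(raw.replace(m.group(1), harden_cipher_list(m.group(1)), 1))
        else:
            out.append(raw)
    return "\n".join(out)


def audit(conf_text):
    """Summarise the SSL posture of a config. With no SSLCipherSuite directive,
    mod_ssl's built-in default applies, which still permits SSLv2."""
    suites = cipher_suites(conf_text)
    return {
        "ssl_enabled": ssl_enabled(conf_text),
        "cipher_suites": suites,
        "sslv2_disabled": bool(suites) and all(sslv2_disabled(s) for s in suites),
    }


# Constructed httpd.conf fragment modelled on a mod_ssl default (not from the advisory).
WEAK_CONF = """
LoadModule ssl_module         libexec/libssl.so
AddModule mod_ssl.c
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
"""

if __name__ == "__main__":
    print("before:", audit(WEAK_CONF))
    print("after: ", audit(harden_conf(WEAK_CONF)))
```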

Administrators can also modify the string identifying the server. Because this changes the value returned in the "Server:" header, the exploit would not attempt to exploit and infect that host. This information can be found in the file "src/include/httpd.h". The following definitions state the vendor, product, and version number:

#define SERVER_BASEVENDOR
#define SERVER_BASEPRODUCT
#define SERVER_BASEREVISION

Once these definitions are changed to custom strings, the Apache server can be recompiled and the resulting binary used to replace the one currently running.

Removal Instructions
The worm can be killed using the Unix "kill" command with the process id of the ".bugtraq" process. The following three files can also be removed:

/tmp/.uubugtraq
/tmp/.bugtraq.c
/tmp/.bugtraq

Only the "/tmp/.bugtraq" file contains an executable binary of the worm. There do not appear to be any instructions allowing the worm to restart in the event of a system reset.
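The indicators above (the three files in /tmp, a process named ".bugtraq", and a listener on UDP port 2002) can be checked in one pass before removal. The script below is an added example, not part of the advisory or of any Symantec product, that looks for each indicator and reports what it finds, leaving the kill and file removal to the administrator. It reads the process name from "/proc/<pid>/stat" and the bound UDP ports from "/proc/net/udp", so it assumes a Linux procfs; the sample "/proc/net/udp" and "stat" contents used for illustration are constructed.

```python
import os
import re

# Indicators named in the advisory.
WORM_FILES = (".uubugtraq", ".bugtraq.c", ".bugtraq")
WORM_PROCESS = ".bugtraq"
WORM_UDP_PORT = 2002


def find_worm_files(tmp_dir="/tmp"):
    """Return the full paths of the advisory's dropped files that exist in tmp_dir."""
    return [os.path.join(tmp_dir, name) for name in WORM_FILES
            if os.path.exists(os.path.join(tmp_dir, name))]


def udp_listeners(proc_net_udp_text):
    """Parse /proc/net/udp text and return the set of locally bound UDP ports.
    The local_address column is 'hexaddr:hexport'; the first line is a header."""
    ports = set()
    for line in proc_net_udp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def worm_port_open(proc_net_udp_text):
    """True if something is bound to the worm's peer-to-peer port."""
    return WORM_UDP_PORT in udp_listeners(proc_net_udp_text)


def worm_pids_from_stat(stat_texts):
    """Given {pid: contents of /proc/<pid>/stat}, return pids whose command name
    (the parenthesised second field) is '.bugtraq'."""
    hits = []
    for pid, text in stat_texts.items():
        m = re.match(r'^\d+ \((.*)\) ', text, re.S)
        if m and m.group(1) == WORM_PROCESS:
            hits.append(pid)
    return sorted(hits)


def read_proc_stats(proc_dir="/proc"):
    """Collect /proc/<pid>/stat for every numeric entry; empty if procfs is absent."""
    stats = {}
    if not os.path.isdir(proc_dir):
        return stats
    for entry in os.listdir(proc_dir):
        if entry.isdigit():
            try:
                with open(os.path.join(proc_dir, entry, "stat")) as f:
                    stats[int(entry)] = f.read()
            except OSError:
                continue
    return stats


def read_text(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


# Constructed sample contents (not captured from a real or infected host).
SAMPLE_PROC_NET_UDP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234 2 0\n"
    "   1: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000    99        0 5678 2 0\n"
)
SAMPLE_STATS = {
    1: "1 (init) S 0 1 1 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 1 0 0\n",
    4242: "4242 (.bugtraq) S 1 4242 4242 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 1 0 0\n",
}

if __name__ == "__main__":
    print("files present:   ", find_worm_files())
    print("worm pids:       ", worm_pids_from_stat(read_proc_stats()))
    print("udp 2002 bound:  ", worm_port_open(read_text("/proc/net/udp")))
```

Any positive result should be followed by the advisory's own steps: isolate the host, preserve the three files for forensic analysis before deleting them, and restore from trusted media rather than trusting the cleaned system.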

NOTE: If you suspect that a system has been compromised, isolate the infected system(s) quickly to prevent further compromise of enterprise systems. Perform forensic analysis and restore the system from trusted media.

Symantec Enterprise Solutions
The Symantec Security Response AntiVirus team has developed a signature for this worm, identifying it as the Linux.Slapper.Worm. Beta definitions are currently available via Intelligent Updater. LiveUpdate definitions will be available during the next regularly scheduled LiveUpdate release.

CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2002-0656 to the OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability.

This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Credits
Symantec would like to thank Fernado Nunes for providing a copy of exploit code for analysis.
Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.