The recent situation regarding the Apache Chunk Encoding Vulnerability has caused plenty of controversy in the security industry. It initially began with the community dislike of the release of information.
Then
it was debated as to weather or not this was really an exploitable
vulnerability. And after listening to all the debates about the chunk
encoding vulnerability, Gobbles "got fed up."
They released the vulnerability apache_scalp.c
because, "We had read too much bullshit from `experts' concerning the
bug, and their idiotic statements as to why it isn't exploitable, and
how lucky the world is because it wasn't exploitable..." Gobbles
Security released this exploit on
Wednesday to prove that people, even those in the security world, can
overlook the obvious.
According to Gobbles, there are exploits written for the other
platforms (linux, solaris, etc) however there is no need to release
them now. Now that everyone has a better understanding of the severity
of this problem, it is more likely that the appropriate actions will be
taken. They have not decided on a date as to when to release the rest
of the exploits.
Taking a look at the initial comments in the apache_scalp.c
source code, one can infer that with determination, any vulnerability
can become an exploit. Just another reminder to security experts not to
let your guard down.
EEYE has released a free tool to test your version of apache to see weather or not you need the patch. It is available here.
According to the apache_scalp.c source code, the following, at the very least, are exploitable:
Sun Solaris 6-8 (sparc/x86)
FreeBSD 4.3-4.5 (x86)
OpenBSD 2.6-3.1 (x86)
Linux (GNU) 2.4 (x86)
Only registered users can write comments.
Please login or register. Powered by AkoComment! |
