Re: [SLUG] Looking for a firewall

From: thor_consulting@yahoo.com
Date: Fri Aug 15 2003 - 08:40:10 EDT


woo hoo!!!

----- Original Message -----
From: "Greg Schmidt" <slugmail@gschmidt.net>
To: <slug@nks.net>
Sent: Thursday, August 14, 2003 23:44
Subject: Re: [SLUG] Looking for a firewall

> This looks very promising. I'm giving it a try.
>
> When you say "NS servers" above, do you mean Netscape or did you
> fat-finger MS? (No pun intended.)

Netscape

> I had a touch of RPM dependency hell with beav, but I'm working on it.
> I tried jed, and obviously did something very wrong, ending up with a
> file that was several hundred bytes different in size and a segmentation
> fault. On a lark I thought I'd resort to my favorite, vi (vim), and for
> this purpose it looked about the same as jed. A few occurrences of
> "trace", followed by about four occurrences of "TRACE" and then a few
> more "trace" near the end of the file. The RFC says it is
> case-sensitive and UPPER-CASE, so I only changed the "TR" to "SP".
> After editing, the file is 1 byte larger, but it runs. apachectl start
> and stop seem to behave normally. httpd -l and -V show expected output.
> The java GUI on top of it runs fine.

i would highly recommend using a "binary" editor and i've been using beav
for over 7 years now.

i had a minor dependency problem with libncurses.so.4 but i linked it to
libncurses.so.5.2 and installed the beav rpm with:

rpm -Uvh --nodeps beav-14.0.6-2.i386.rpm

the only hiccup i had was that beav didn't automagically refresh the screen
after a jump but ^L did the trick.

i'm glad you were able to hack the httpd binary but you should pick a
different five-letter replacement for TRACE (and keep it a secret) since the
box will be open to the world but record it somewhere so you can perform
"TRACE" requests if necessary.

i'm a little worried about the 1 byte size diff - they should be exactly the
same size.

i don't think you should rely on this hacked binary.

i made at least 4 or 5 changes to TRACE strings that were whole and left all
the xx_TRACE_xx symbols at the end of the file alone - that is if your
binary is not stripped.

> Tomorrow I hope to get the not-so-PHB's guys to assess this crippled
> server's vulnerabilities again, with hope that we will be permitted to
> deploy it.

i would try it again but make sure the sizes match.

> You pulled off something that looked nifty to me right before the first
> html tag above. It looks like you were testing a web server's ability
> to respond to the TRACE method from the command line. Yeah, I was
> stupid enough to type "man GET" in hopes of learning what the -m switch
> did. How did you get the server to send that HTML error message?

Perl is your friend - 8^)

you should see the same from your hacked httpd binary - if not then
something might be amiss.

i haven't hacked anything other than the TRACE stuff in the httpd binary
that i remember but apache handles invalid requests like this with the
default 404 not found page.

i don't think i have altered the configuration either.

glad i could help...

thor (who's still unemployed - hint hint 8^)
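An added example (mine, not code from anyone in this thread) of the same-length, whole-string replacement described above, with the size check asked for: it rewrites only standalone "TRACE" strings, leaves xx_TRACE_xx style symbol names alone, and refuses to produce an image whose size differs from the original. The byte string it runs on is a constructed stand-in, not a real httpd binary.

```python
import re
from typing import List, Tuple

# Whole-word "TRACE": not preceded or followed by an identifier character,
# so symbol names such as xx_TRACE_xx or ap_method_TRACE are left alone.
WHOLE_TRACE = re.compile(rb"(?<![A-Za-z0-9_])TRACE(?![A-Za-z0-9_])")

# Constructed stand-in for a few strings you might see in an httpd binary;
# this is not a real file.
SAMPLE_BINARY = b"GET\0POST\0TRACE\0trace\0xx_TRACE_xx\0ap_method_TRACE\0TRACE\0"


def is_valid_replacement(replacement: bytes) -> bool:
    """Same length as TRACE, upper-case letters only, and not TRACE itself."""
    return (len(replacement) == len(b"TRACE")
            and replacement.isupper() and replacement.isalpha()
            and replacement != b"TRACE")


def find_whole_trace(data: bytes) -> List[int]:
    """Offsets of every standalone TRACE string, for review before patching."""
    return [m.start() for m in WHOLE_TRACE.finditer(data)]


def patch_trace_strings(data: bytes, replacement: bytes) -> Tuple[bytes, int]:
    """Return (patched_bytes, count); the patched image is the same size."""
    if not is_valid_replacement(replacement):
        raise ValueError("replacement must be 5 upper-case letters, not TRACE")
    patched, count = WHOLE_TRACE.subn(replacement, data)
    if len(patched) != len(data):  # the 1-byte difference discussed in the thread
        raise RuntimeError("patched image changed size; do not install it")
    return patched, count


def patch_file(src: str, dst: str, replacement: bytes) -> int:
    """Patch src into dst (never in place) and return how many strings changed."""
    with open(src, "rb") as f:
        original = f.read()
    patched, count = patch_trace_strings(original, replacement)
    with open(dst, "wb") as f:
        f.write(patched)
    return count


if __name__ == "__main__":
    print("whole-word TRACE at offsets:", find_whole_trace(SAMPLE_BINARY))
    patched, n = patch_trace_strings(SAMPLE_BINARY, b"XXXXX")  # placeholder, pick your own
    print(f"rewrote {n} strings, size unchanged: {len(patched) == len(SAMPLE_BINARY)}")
```

The patched server still answers the replacement word exactly as it answered TRACE, which is why the thread says to keep it secret; later Apache releases added the TraceEnable directive, which is the supported way to turn the method off.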

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:07:13 EDT