OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
william_at_elan.net
Date: Fri Feb 07 2003 - 15:26:45 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    What about "8074e8d" and "8068a75"? I'v had somewhat similar issue I'v
    been dealing this week too. A customer runs their own custom httpd within
    their account and its not working properly. I'm seeing the following errors:

    Feb 4 13:50:31 server httpd[816]: Immunix SG 1.3 canary = aff0d died with
    cadaver 8074e8d in procedure strcpy.
    Feb 6 03:49:21 server kernel: Security: return onto stack running as UID 504,
    EUID 504, process serve_bulletin:24685
    Feb 6 05:23:57 server httpd[19273]: Immunix SG 1.3 canary = aff0d died
    with cadaver 8068a75 in procedure strcoll.

    This customer has their custom httpd which uses SSL, DAV and their own
    custom module (they'v yet to let me see the c code for that module which
    I suspect is the problem). But still it should not die, they'v uploaded
    not only httpd but with it openssl & complete perl lib directory and it
    should work just fine in my opinion (fully redhat 7.1 compatible as is
    claimed) but it does not and httpd dies constantly. I'm suggesting recompile
    on my system, any idea if that would help or otherwise harm?

    On Fri, 7 Feb 2003, Crispin Cowan wrote:

    > nero one wrote:
    >
    > >The server is in a data center, so i can't really take it down and start it 'offline' so to speak.
    > >
    > >Netstat currently shows no abnormal connections.
    > >
    > >Removing SSL support from the server lets httpd restart. Putting it back in gives me that message
    > >again.
    > >
    > >Seems that SG thinks that SSL is being bad right now...
    > >i have no idea how to go about troubleshooting this issue.
    > >
    > >leads, anyone?
    > >
    > Nero posted some debugging text to us privately, to wit:
    >
    > httpd[28923]: Immunix SG 2.0 canary = aff0d died with cadaver 80aff0d in procedure
    > SSL_CTX_set_tmp_rsa_callback.
    >
    > This looks like StackGuard detecting an actual overflow or some other
    > kind of corruption error in your httpd/ssl software. The canary word is
    > supposed to be "0x00aff0d" and something changed it to "0x80aff0d".
    > Because it is happening every time you start up, it probably is not an
    > actual intrusion, but it probably is a software bug in some of the
    > software you are using.
    >
    > Workaroud: try compiling your SSL module without StackGuard. This leaves
    > you vulnerable in the obvious ways, and your bug is still there, but now
    > you're oblivious to it :-) Not the best situation, but better than a
    > down web site.
    >
    > Fix: try to figure out what bug in your software is throwing stray
    > pointers or overflows around that is causing corruption. The bug here is
    > in the application software, StackGuard is just detecting it and
    > bringing the application to a safe halt.
    >
    > Crispin
    >
    >

    _______________________________________________
    Immunix-users mailing list
    Immunix-usersmail.wirex.com
    http://mail.wirex.com/mailman/listinfo/immunix-users