OpenSSL version different in log and pkgtool

Alien_Hominid · 05-21-2007, 11:54 AM

If this doesn't work, grab the slackbuild and source of apache from 11. Modify slackbuild accordingly and try compiling yourself.

z-man5 · 05-21-2007, 12:30 PM

Drumz, I checked updates directory, but no newer versions of Apache, OpenSSL or ModSSL were released for 11.0.
I just checked the Extra folder and it doesn't seem to have anything that I need.

pkgtool shows openssl-0.9.8d-i486-1 and openssl-solibs-0.9.8d-i486-1.

Alien_Hominid, I was hoping someone would say "I have the same problem and it would be great if the Slackware team recompiled the necessary packages and put them into Updates directory"...

Alien_Hominid · 05-21-2007, 12:49 PM

Usually Pat does not release updates to stable branch (11) unless there are some security threats or bugs.
Please inform him about this issue and if it is serious, it will be fixed.
Current branch is for testing of newest packages and all updates firstly goes there.

z-man5 · 05-24-2007, 08:46 AM

I did get a response from Pat:

Quote:

I would do nothing. If you've applied all the security patches to
Slackware 11.0 then you're running openssl-0.9.8d regardless of what a
(possible?) typo in the logfile might say. nmap -sV localhost should
confirm this.

I run nmap, and it showed this:

Quote:

# nmap -sV localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-05-22 16:44 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: (...) closed ports
PORT STATE SERVICE VERSION
(...)
80/tcp open http Apache httpd 1.3.37 ((Unix) mod_ssl/2.8.28 OpenSSL/0.9.8b)
443/tcp open http Apache httpd 1.3.37 ((Unix) mod_ssl/2.8.28 OpenSSL/0.9.8b)
(...)
Nmap finished: 1 IP address (1 host up) scanned in 113.700 seconds

Also the "LoadModule ssl_module libexec/apache/libssl.so" file was modified prior to release of OpenSSL 0.9.8d:

Quote:

# ls -l /usr/libexec/apache/libssl.so
-rwxr-xr-x 1 root root 176616 2006-07-28 17:32 /usr/libexec/apache/libssl.so*

So I replied to him, but I'm about to go on a 2 weeks vacation and wanted to have this straightened out, so I followed your advice Alien and downloaded source for mod_ssl and compiled it.

Now it's logging version OpenSSL 0.9.8d:

Quote:

[23/May/2007 20:26:35 18205] [info] Server: Apache/1.3.37, Interface: mod_ssl/2.8.28, Library: OpenSSL/0.9.8d

And nmap shows it too:

Quote:

# nmap -sV localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-05-23 20:28 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: (...) closed ports
PORT STATE SERVICE VERSION
(...)
80/tcp open http Apache httpd 1.3.37 ((Unix) mod_ssl/2.8.28 OpenSSL/0.9.8d)
443/tcp open http Apache httpd 1.3.37 ((Unix) mod_ssl/2.8.28 OpenSSL/0.9.8d)
(...)
Nmap finished: 1 IP address (1 host up) scanned in 113.817 seconds

Do you know of any hacking tools that would allow testing the OpenSSL vulnerabilities prior to 0.9.8d?

So I'm a happy noob now, but something tells me that Slackware 11.0 is not a popular choice for Apache with OpenSSL?

Matir · 05-24-2007, 12:56 PM

FYI: Nmap only reports what the Apache banner reports, which would be whatever the logfile says as well.

rworkman · 05-24-2007, 01:24 PM

Code:

rworkman@cardinal:~$ ldd /usr/libexec/apache/libssl.so 
        linux-gate.so.1 =>  (0xffffe000)
        libssl.so.0 => /usr/lib/libssl.so.0 (0xa7ef5000)
        libcrypto.so.0 => /usr/lib/libcrypto.so.0 (0xa7dbb000)
        libc.so.6 => /lib/tls/libc.so.6 (0xa7c8c000)
        libdl.so.2 => /lib/tls/libdl.so.2 (0xa7c88000)
        /lib/ld-linux.so.2 (0x75555000)
rworkman@cardinal:~$ ls -l /usr/lib/libssl.*
-rw-r--r-- 1 root root 394810 2006-09-29 02:49 /usr/lib/libssl.a
lrwxrwxrwx 1 root root     11 2006-12-29 17:21 /usr/lib/libssl.so -> libssl.so.0*
lrwxrwxrwx 1 root root     15 2006-12-29 17:21 /usr/lib/libssl.so.0 -> libssl.so.0.9.8*
-r-xr-xr-x 1 root root 252092 2006-09-29 02:49 /usr/lib/libssl.so.0.9.8*

In other words, it seems to me that regardless of what your logs are showing, you're using whatever is provided with the openssl package you have installed.

Alien_Hominid · 05-24-2007, 03:26 PM

There is backtrack: http://www.remote-exploit.org/backtrack.html