Bugtraq mailing list archives

Re: Unqualified Postings


From: Marc () EEYE COM (Marc)
Date: Mon, 1 Nov 1999 22:44:48 -0000


Stupid overflows?
Avirt, CMail, WFTPD, MSN Messenger (decrypt, not overflow). Those are not
stupid overflows at all... in fact I was just auditing some government
servers a few weeks back that ran WFTPD. Yes, these products can be
downloaded from download.com, but that does not mean they are not widely
used. In fact I would think it is the opposite. Everyone can download the
newest software and send a bunch of A's to various commands... I agree. If
that is all it takes to overflow a somewhat widely used software product,
then people need to know about it. The stupidity of the developer should not
necessarily reflect back on the person that found the hole. You point out
USSR as a "company" that pretends to do security research... they definitely
do security research, and some fine research at that. The software they have
pointed out is actually in use by a lot of places. I've seen each of the
pointed-out products on various clients I have audited. As far as exploits
go... exploits are already in the wild for each of these software products.
While you might be bothered by the few e-mails USSR has released... even if
one administrator has benefited from the posts, that is enough.

As for exploits... Luck Martins and USSR definitely know what they are doing
and can/have coded exploits for the overflows.

Signed,
Marc
eEye Digital Security Team
http://www.eEye.com

P.S.
eEye released advisories on IMail and SLMail, both of which can be downloaded
from shareware sites. I guess we are just pretending to do security research
though.

-----Original Message-----
From: edi () GANYMED ORG <edi () GANYMED ORG>
To: BUGTRAQ () SECURITYFOCUS COM <BUGTRAQ () SECURITYFOCUS COM>
Date: Tuesday, November 02, 1999 5:18 AM
Subject: Unqualified Postings

|Hey,
|
|Is Bugtraq the right forum to report stupid
|overflows in yet another shareware win95 mail/ftp
|server, fetched from huge commercial crapware
|repositories like download.com / shareware.com / others?
|
|Everyone can download the newest software, connect
|and look what happens when you send 7321 a's
|-- voila, the next advisory to Bugtraq is done.
|
|Companies who pretend to do security research
|(like ussr) should do better than that (at least
|they switch their advisory template every second
|time).
|
|Where's the security risk? If the software is rarely
|used, if no exploits are widespread, why bother
|informing the security community about some buffer
|just because it's too small.
|
|Add an exploit if you want to gain popularity -
|I personally do not encourage such postings here.
|
|Edi
|