Re: David Litchfield talks about the SQL Worm in the Washington Post

["David Litchfield" <david () ngssoftware com>]

> Perhaps David can put together a longer message for Bugtraq and
> Full-Disclosure on his changing views of publishing proof-of-concept
> code for security vulnerabilities.

On analysis of the code of the Slammer worm it is apparent that my code was
used as its template.

It uses the same addresses as my code in terms of the import address entries
for GetProcAddress() and LoadLibraryA() in sqlsort.dll, it uses the same
address in the .data section of sqlsort.dll and uses the same address with
which to overwrite the saved return address on the stack. Further the worm
code uses the same short jump and has 8 NOPs in the same place as my code.
That's where the similarity ends, though. My code spawns a remote shell -
the worm contains none of this.

It also becomes apparent that whoever authored the worm knew how to write
buffer overflow exploits and would have been capable of doing this without
using my shellcode as a template. Having access to my code probably saved
them around 20 or so minutes - but they still would have been able to do it
without mine.

[Some have suggested that the worm used (a person known as) lion's code as a
template - in fact lion's code is an exact cut and paste of my code - so any
suggestions that lion or the Chinese group he belongs to are responsible are
probably erroneous. Also the suggestion that because there were 8 NOPs in
the worm code this "proved" it was a hacker known as nop (of the same
Chiense group) and this was his/her signature is also very wide of the
mark - the presence of the NOPs is simply as a result of my code.]

Some will ask why did I ever release sample exploit code.

The main reason is an educational one. I presented a paper and talk on this
particular problem at the Blackhat Security Briefings (www.blackhat.com) in
August of 2002. People who attend such conferences go with the expectation
that they will get "up to the minute" and pertinent lectures. I feel that,
as one of the regular speakers at Blackhat, I should deliver the best speech
I can with as much information, to ensure that both the attendees and the
organizers get what they want. As part of my talk I published my shellcode
that demonstrated that this was a critical issue and should be patched at
all costs.

Now with that said, and in the light that someone has taken my code and put
portions of it to nefarious purposes, I have to question the benefit of
publishing sample code. How much "good" was acheived by publishing the code
and how much "bad" came out of it. Normally the good, by far, outweighs the
bad - but there are infrequent cases like we have all just experienced,
where perhaps the bad outweighs the good. Looking for the silver lining in
the dark cloud of slammer, though, we know now that there are considerably
more patched SQL Servers than there were before the weekend - and this is a
good thing.

[It would be good to see how many people patched this problem before and the
reason they did so - to see the break down of those who patched just because
there was one, those who patched because it was annouced as critical and
those who patched because of my paper. And those that did not patch - did
they know a patch needed to be applied, did they hear about the patch and
not understand the gravity of the problem. If were ever to solve the
"patching" problem we really need data on this stuff.]

But then what about the future? We often forget that our actions online can
have very real consequences in real life - the next big worm could take out
enough critical machines that people are killed. A massive failure of the
emergency services computers such as 911/999 could result in someone's
death - and I don't want to feel that I've contributed to that.

With this in mind I am questioning the benefits of publishing proof of
concept code. I am due to present a paper on the remotely exploitable buffer
overrun in the Microsoft Locator service at Blackhat this February but
should I then also publish the code used to demonstrate the problem? Should
I even be discussing the problem in a public arena?

Some will argue that full disclosure is a good thing. Others will abhor it.
There is no one correct answer - it must be a personal decision and for the
moment I am undecided.

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/