Dailydave mailing list archives

Re: oooh, isc2 gets p0wned


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Sun, 6 Jun 2004 18:25:08 -0500

On Sunday 06 June 2004 16:41, you wrote:
> Then you said you wanted them to release an advisory more quickly, since
> you had "public traffic logs of the discovery"
The bug was found during a competition at Hack in the Box conference, 
Microsoft was notified at the time (since they had a rep there), and the 
traffic logs/info on the find was available to the attendees. 

> Then they said no, and if you release early, reminded you that their
> policy is to only give credit to people who do whatever they tell them
> to, which in this case involved not saying anything.
Something to that effect, I can forward you some of the original messages 
if you are interested. The conversation went into a personal mode towards 
the end and it probably wouldn't be appropriate to a public archive ;)

> Care about what? Maybe you should post the emails themselves, cause
> I'm really confused at this point.
About being "credited", and as you can see, I wasn't, and the information 
on the other bug never became public. Part of this had to do with 
Microsoft Malaysia persuading the HITB guys to not release according to 
their schedule, even though that was the original plan (even if limited 
on details). By the time they got their act together for the release, the 
bug was public, and I had gotten sick of dealing with Microsoft. 

> The code for a wins.exe overflow which gets remote root, right?
Not the working exploit, just the script which triggered the stack 
overflow. Exploiting it on 2003 was annoying, and Microsoft couldn't 
reproduce the issue with 2000 and NT; this probably contributed to the 
inaccurate wording in their advisory.

> Standard practice for any company is to assume it's not exploitable if
> there's any possibility at all that it's not exploitable.
Depends on the company, I think we have seen a shift in this area over the 
last couple of years. It seems like most large vendors have been bitten in 
the ass too many times to assume non-exploitability. At the same time, other 
companies have reverted to marketing spin to downplay issues to their 
clients. This is especially true for companies which treat product 
security as a PR issue.

> So there's two vulnerabilities in Wins.exe fixed by MS 04-006 and only
> one of them was reported in the advisory, and you didn't bother to
> tell anyone about your discovery, so no one knows you found the other
> one, although it was easier to exploit than the one Qualys found
That's accurate, I haven't had time to finish up the exploit code, it's 
really finicky and tends to only end up in a reliable place right after 
the system is booted. Additionally, the Jet DB driver used to store the 
new registrations is prone to other bugs, many of them length and format 
related. Lack of interest/time has kept me from digging any deeper, 
although it's probably time to release the cheesy fuzz scripts at the 
minimum. Rumor has it that some other people ran into the same when 
researching the issue reported by Qualys, odd that it hasn't surfaced 
already. The nice thing about the attack is it can be launched against 
the broadcast address. Then again, at the rate eEye is releasing, any new 
remote NetBIOS related bugs are obsolete in two months anyway :)

-HD



_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave

