Dailydave mailing list archives
Re: oooh, isc2 gets p0wned
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Sun, 6 Jun 2004 18:25:08 -0500
On Sunday 06 June 2004 16:41, you wrote:
> Then you said you wanted them to release an advisory more quickly, since you had "public traffic logs of the discovery"

The bug was found during a competition at the Hack in the Box conference, Microsoft was notified at the time (since they had a rep there), and the traffic logs/info on the find was available to the attendees.

> Then they said no, and if you release early, reminded you that their policy is to only give credit to people who do whatever they tell them to, which in this case involved not saying anything.

Something to that effect, I can forward you some of the original messages if you are interested. The conversation went into a personal mode towards the end and it probably wouldn't be appropriate for a public archive ;)

> Care about what? Maybe you should post the emails themselves, cause I'm really confused at this point.

About being "credited", and as you can see, I wasn't, and the information on the other bug never became public. Part of this had to do with Microsoft Malaysia persuading the HITB guys to not release according to their schedule, even though that was the original plan (even if limited on details). By the time they got their act together for the release, the bug was public, and I had gotten sick of dealing with Microsoft.

> The code for a wins.exe overflow which gets remote root, right?

Not the working exploit, just the script which triggered the stack overflow. Exploiting it on 2003 was annoying, and Microsoft couldn't reproduce the issue with 2000 and NT; this probably contributed to the inaccurate wording in their advisory.

> Standard practice for any company is to assume it's not exploitable if there's any possibility at all that it's not exploitable.

Depends on the company, I think we have seen a shift in this area over the last couple of years. It seems like most large vendors have been bitten in the ass too many times to assume non-exploitability. At the same time, other companies have reverted to marketing spin to downplay issues to their clients. This is especially true for companies which treat product security as a PR issue.

> So there's two vulnerabilities in Wins.exe fixed by MS 04-006 and only one of them was reported in the advisory, and you didn't bother to tell anyone about your discovery, so no one knows you found the other one, although it was easier to exploit than the one Qualys found

That's accurate, I haven't had time to finish up the exploit code; it's really finicky and tends to only end up in a reliable place right after the system is booted. Additionally, the Jet DB driver used to store the new registrations is prone to other bugs, many of them length and format related. Lack of interest/time has kept me from digging any deeper, although it's probably time to release the cheesy fuzz scripts at the minimum. Rumor has it that some other people ran into the same when researching the issue reported by Qualys; odd that it hasn't surfaced already. The nice thing about the attack is it can be launched against the broadcast address. Then again, at the rate eEye is releasing, any new remote NetBIOS related bugs are obsolete in two months anyways :)

-HD

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave