Dailydave mailing list archives
RE: Microsoft letdown day
From: "Altheide, Cory B. (IARC)" <AltheideC () nv doe gov>
Date: Wed, 12 Jan 2005 09:25:41 -0800
The thing I wonder about is how these loose definitions of "Remote" and "Vulnerability" would have changed the outcome of the "qmail security challenge". http://web.infoave.net/~dsill/dave/qmail/qmail-challenge.html I can send the administrator an email THROUGH QMAIL telling him to set up a UID 0 account for me, BAM! REMOTE ROOT. -- Cory
-----Original Message----- From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Aleksander P. Czarnowski Sent: Wednesday, January 12, 2005 8:35 AM To: dailydave Subject: RE: [Dailydave] Microsoft letdown day We're living in a strange world. Since DJB students advisory I am scared of running nasm - good thing I am using masm32 on Windows system - DJB and his students can't get me remotely any time soon ;-) However one remote thing happened - a lot more people now know about DJB's security mailing list. He's advertising genius. Now I wonder how this bug will influence OpenBSD "Only one remote hole in the default install, in more than 8 years!" slogan: 010: RELIABILITY FIX: January 10, 2005 A bug in the tcp(4) stack allows an invalid argument to be used in in calculating the TCP retransmit timeout. By sending packets with specific values in the TCP timestamp option, an attacker can cause a system panic. After all you can have a remote vulnerability even after you disable (almost) every service (knowing how buggy those services plus kernel are). Just my 2 cents, Cheers, Alex Czarnwoski AVET INS
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Microsoft letdown day Dave Aitel (Jan 12)
- Re: Microsoft letdown day Florian Weimer (Jan 12)
- Re: Microsoft letdown day Jeremy Kelley (Jan 12)
- <Possible follow-ups>
- RE: Microsoft letdown day Maynor, David (ISS Atlanta) (Jan 12)
- RE: Microsoft letdown day Aleksander P. Czarnowski (Jan 12)
- Re: Microsoft letdown day Florian Weimer (Jan 12)
- RE: Microsoft letdown day Altheide, Cory B. (IARC) (Jan 12)