Dailydave mailing list archives

Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1)


From: Steve Grubb <sgrubb () redhat com>
Date: Sun, 12 Nov 2006 12:51:48 -0500

On Sunday 12 November 2006 11:20, Gadi Evron wrote:
> > merely point out the obvious...you have to either have privileges to
> > perform mount or physical access to the machine. If all these are is DoS
> > and you have physical access, why not just yank the power cord? Until an
> > exploit is written, these are just DoS crashes.

> DoS only? No public exploit? We heard that before. Sorry for being rude on
> this point, but we did.

I'm just wanting to see how you take advantage of this without root privileges 
or physical access to the machine. Yes, I have read the saying that a 
vulnerability is not exploitable until an exploit is written.

> Were you the one to find the bugs working with LMH,

I worked with LMH on fsfuzzer from March 5-8. The program was a great idea and 
started off as a 50 line shell script. My goal at the time was to get it to 
the point that it could create its own images so that it could be tested to 
see if there were any problems in the kernel. LMH had been playing with it 
before we met and had found an ISO9660 problem (and maybe some others). 
Anyways, during those 3 days the program was able to create its own 
filesystem images and became much more useful. At the time, only ext2/3, 
iso9660, and the msdos file systems worked. I tested those and found nothing 
interesting. (This was also back in 2.6.14 kernel days.)

This fall, I was curious how things were looking in the new 2.6.18 kernel and 
learned how to set up some more file systems and wanted to see if populating 
the image better and adding extended attribute operations would show new 
bugs. So, I added those to fsfuzzer. Sure enough there were new bugs I hadn't 
seen before. So, the next issue is how to give a corrupted image to someone 
to study and fix the problem. I added the code to let you replay the tests 
and got some more kernel developers involved since the kernel was not robust 
in the face of corrupt images.

> or did you find them on your own and kept them private to redhat only?

I found these bugs and filed bugzilla #'s 209907, 211237, 211668 before the 
month of kernel bugs was ever announced. I did mention to LMH that I was 
releasing a new version of fsfuzzer that did find and reproduce all these 
bugs and a few more that are not public.

> In my humble opinion, as an open-source related company, you may do well
> to try and see if you can work with the researchers rather than attack
> them. 

Sigh, these are bugs *I found* and we are getting people to fix these 
robustness issues. As for my response, how would you feel given the above? 

-Steve
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
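The message above describes the shape of fsfuzzer: build a filesystem image, corrupt it, mount it, exercise it (including extended attribute operations), and record enough to replay a crashing case for a kernel developer. The following is an added example written for this page, not fsfuzzer's own code. It assumes a seed-driven design (one integer reproduces both the corruption and the operation sequence), an optional byte range to confine corruption to (for ext2 the superblock starts at offset 1024), and a root-only driver that loop-mounts the image on Linux; the image bytes in the usage are constructed filler, not a real filesystem.

```python
"""Seeded filesystem-image mutator with replay, in the spirit of fsfuzzer.

Added example; assumptions not taken from the post:
- corruption is bit flips / boundary bytes / random bytes at seed-chosen
  offsets, optionally confined to [lo, hi) such as the ext2 superblock;
- the exercise phase is a seed-chosen sequence of xattr calls, so a crash
  reproduces from the Case tuple alone, which is what a developer needs.
mutate_image() and plan_ops() never touch the system; mount_and_exercise()
needs root, Linux and a loop device.
"""
import os
import random
import subprocess
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    seed: int    # reproduces everything below
    nflips: int  # number of corruption sites
    lo: int      # first mutable byte offset
    hi: int      # end of mutable range (exclusive)


def mutate_image(image: bytes, case: Case) -> bytes:
    """Return a corrupted copy of image; same (image, case) => same output."""
    rng = random.Random(case.seed)
    buf = bytearray(image)
    hi = min(case.hi, len(buf))
    for _ in range(case.nflips):
        off = rng.randrange(case.lo, hi)
        kind = rng.randrange(3)
        if kind == 0:
            buf[off] ^= 1 << rng.randrange(8)                # single bit flip
        elif kind == 1:
            buf[off] = rng.choice((0x00, 0xFF, 0x7F, 0x80))  # boundary values
        else:
            buf[off] = rng.randrange(256)                    # arbitrary byte
    return bytes(buf)


XATTR_OPS = ("set", "get", "list", "remove")


def plan_ops(case: Case, nops: int) -> list:
    """Seed-derived xattr operation list; separate stream from mutate_image."""
    rng = random.Random(case.seed ^ 0x5A5A)
    ops = []
    for _ in range(nops):
        op = rng.choice(XATTR_OPS)
        name = "user.f%d" % rng.randrange(4)
        val = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 64)))
        ops.append((op, name, val))
    return ops


def diff_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two images differ (for the bug report)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def mount_and_exercise(image: bytes, case: Case, nops: int = 32) -> None:
    """Root-only driver: write the corrupted image, loop-mount it, run the
    planned xattr ops on a file inside it, unmount. Errors from individual
    ops are expected on a corrupt image; a kernel oops is the finding."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "fs.img")
        mnt = os.path.join(d, "mnt")
        os.mkdir(mnt)
        with open(img, "wb") as f:
            f.write(mutate_image(image, case))
        subprocess.run(["mount", "-o", "loop", img, mnt], check=True)
        try:
            target = os.path.join(mnt, "victim")
            open(target, "ab").close()
            for op, name, val in plan_ops(case, nops):
                try:
                    if op == "set":
                        os.setxattr(target, name, val)
                    elif op == "get":
                        os.getxattr(target, name)
                    elif op == "list":
                        os.listxattr(target)
                    else:
                        os.removexattr(target, name)
                except OSError:
                    pass  # EIO/ENODATA on a corrupt image is not the bug
        finally:
            subprocess.run(["umount", mnt], check=False)


if __name__ == "__main__":
    # Constructed filler standing in for a real mkfs output; not a filesystem.
    base = bytes(range(256)) * 8
    case = Case(seed=42, nflips=16, lo=1024, hi=2048)
    print("corrupted offsets:", diff_offsets(base, mutate_image(base, case)))
    print("ops:", [(o, n, len(v)) for o, n, v in plan_ops(case, 8)])
    if os.geteuid() == 0 and os.path.exists("/dev/loop-control"):
        mount_and_exercise(base, case)  # only meaningful with a real image
```

The point of routing everything through `Case` is the replay the message mentions: a developer given `(seed, nflips, lo, hi)` and the pristine image can regenerate the exact corrupted image and operation sequence without being shipped a large binary blob.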