Full Disclosure mailing list archives
Subject: No Subject
From: mitch_hurrison () ziplip com
Date: Mon, 20 Oct 2003 13:43:40 -0700 (PDT)
Hi Frank,
> Okay, please show us in discussion where it is exploitable. No need for exploit code to feed the script kiddies, just convince me with an analysis.
I think you misinterpreted my argumentation. In my eyes anyone who is not independently capable of verifying the exploitability, or at least devising the theory behind possible exploitation, of the ossh nul overflow is a "script kiddie". As you so aptly put it. Now if you're somewhat at home in heap mismanagement bugs you should know that this issue, provided you have a favourable heap layout (hooray for memory leaks), is exploitable on at least Linux. That's as far as I'll go. Remember apache? One man's DoS is another man's remote. For god's sake even ISS believes the issue to be exploitable. And Duke may be a lot of things, stupid he is not. (ok so maybe that's up for debate, hi Mark!) As far as the PAM issue goes, that's fucking trivial.

Seems to me it's a lose-lose situation. Release the exploit (and with releasing the exploit I also mean giving full analysis of exploitability to people such as yourself) and people will whine about irresponsible disclosure. Don't release the exploit and people will whine that they don't believe it to be exploitable. How long do you think it will take for some fame-seeking info-sec company to produce exploit code from a public analysis?

My original point remains. There is no need for this exploit to be disclosed. And I think every ossh admin out there should count himself lucky that he's given the time to mend his servers. But do they use this time? No. They sit around bitching about not believing it can be exploited and will only get off their asses when the proverbial shit hits the fan. Now this behaviour is only fueled by uninformed openbsd developers trying to save face in calling it "just a dos".

Now at the end of the day it's neither my duty nor my desire to release anything. I don't owe you shit. And I'm not about to post something that took a lot of research just to make a moot point. Any admin who did not patch their servers using "oh it's just a DoS" as justification should be fired on the spot.

Again, and this is getting tiresome, a bug was recognised to be a security issue. Security issues get a priority to patch. It'd be a different story if it wasn't published as being a security issue. So no, it's not my job to prove exploitability to you. It's your job to get off your ass and prevent me from exploiting you. Of course that won't secure you from the plethora of bugs remaining in OpenSSH. Hype is just another form of FUD and people seem to be buying the Open* FUD without giving it any second thought. Pro-active security and all that muck, no?

With regards,
Mitch

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html