Open Source and information security mailing list archives
From: peter at adamantix.org (Peter Busser)
Subject: No Subject (re: openssh exploit code?)

Hi!

> As far as it being "easy" to exploit. No it isn't. You have to
> abuse a lesser issue, a memory leak to be more precise, to get
> a heap layout that will allow you to survive the initial memset
> without landing in bad memory. Now without going into details
> anyone who manages to survive the initial memset should be able
> to debug the crash to the point of exploitation. This is manageable
> on at least Linux IA32 systems. 

> There is no need for anyone to release this exploit. It will change
> nothing about the fact that you need to upgrade your daemons. It
> will change nothing about the bugdetails already published. There
> is no reasoning for it other than "but I want to learn how to do it".
> And sorry but that's just not good enough to warrant the mayhem that
> will ensue when an exploit like this is released.

I think you are right here. Having the exploit doesn't make the bug more or
less exploitable. I'm really impressed that people are able to exploit such a
bug.

However, it still makes me wonder: What to do about this kind of problem?
Patching OpenSSH is one thing of course, but there are bound to be more
problems like this that are not known at this moment. Would it be sufficient to
tighten up the malloc implementation? Or is more than that needed?

> Now on a larger scale, I think it's rather foolish to cop an attitude
> that assumes anything that doesn't exist in the public eye isn't
> possible. It reeks of the same arrogance I'm accused of. Is it 
> arrogant to step forward to try and explain why no one who managed
> to exploit ossh is willing to step forward? Maybe it is. 

No that is not arrogant. But so far there have been personal attacks on Theo de
Raadt by someone who calls himself ``Theo rapist'' and many accusations about
bug ridden privsep code and what not. Big words, but without any technical
details. Or any technical explanation for that matter. People on this list
are simply trying to figure out whether this is a troll (or FUD) or not. At
least that is my impression.

Words are cheap, it is proof that counts. A working exploit is of course the
ultimate proof, that's a fact. Therefore it shouldn't be surprising that people
ask for exploit code. If you have such code, but do not want to release it,
fine. I could claim to have such an exploit too. But I wouldn't be able to
explain any technical details about it. So I guess that disclosing (some)
technical details about it is the second best proof.

> Fact 
> remains that exploiting this issue requires creativity beyond
> the pre-chewed papers. And that's why you're not seeing the regular
> array of mediocre "hackers" producing exploit code.

Right, it is very impressive.

> I'd like to
> think that anyone who was capable of writing this exploit also
> recognises the potential impact of releasing it.

True and I think it is good that you are so conscientious about it.

> I'm talking about the apaches, the openssh's and the ms rpc's. Time and time
> again it's become apparent that full disclosure simply does not
> function.

I think people take ``full disclosure'' too literally or too seriously. There
is a need for more knowledge about why and how certain bugs are exploitable.
Working exploits are one way to distribute this knowledge. But IMHO it is more
useful to share technical analyses of the problems and ways to prevent such
problems from happening again than exploit code.

> And although I realise that there will always be people supporting 
> full disclosure, I think even with the disclosure of vulnerability
> information releasing exploits is something that's not justifiable
> in any way.

Agreed.

> There is simply no need for exploits, especially not one that would
> affect people and nations around the globe. You have to look beyond
> your own little egocentric world of friendly exploit dev and "but it's fun",
> and take a look at the bigger picture. 

Agreed.

Groetjes,
Peter Busser
-- 
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/

