lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu Jun 30 19:34:11 2005
From: toddtowles at brookshires.com (Todd Towles)
Subject: Publishing exploit code - what is it good for

 Erick,

How do you plan to mitigate known vulnerabilities in your network
without a POC? I guess you can just assume your systems are vulnerable
and then wait on the vendor to fix it...with your hands tied? I am sure
Microsoft will have that patch out next year for you. 

Exploit code is used by people to mitigate known vulnerabilities where a
patch isn't out yet. It protects people...but it does hurt people. So do
cars..so do guns. But pointing your gun (network) around blind (without
knowing if you are truly vulnerable) is not something a lot of people
want to do.

I have seen public exploit code force a company to fix the issue. You
are right, you have to assume blackhats have the exploit, do you not
want to same tool? To study to make a plan of blocking the attack before
a patch is released.

I remember a couple of IE vulns that were "patched" but security
researchers used modified public exploit code to show that only the
attack vector was patched, not the core problem. Forcing a company to
look deeper into the issue. Everyone is entitled to their own view, just
my 2 cents.

> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk 
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf 
> Of Erick Mechler
> Sent: Thursday, June 30, 2005 12:37 PM
> To: Joachim Schipper
> Cc: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
> Subject: Re: [Full-disclosure] Publishing exploit code - what 
> is it good for
> 
> :: Blackhats may get along with only a handful of exploits, if they're
> :: willing to try to find targets to match their collection, but a
> :: pentester should have the collection to match the target.
> :: 
> :: This is doubly true if we're not talking about a dedicated 
> pentester,
> :: but about a sysadmin with a networking/security background 
> who likes to
> :: verify that the patches did, indeed, work.
> 
> To that I say let the people producing the patches deliver 
> the exploit code as a POC that the patches did, indeed, work. 
>  Releasing exploit code before the patch is released helps 
> nobody except the blackhats.
> 
> :: Also, exploits will be distributed, publicly or otherwise 
> - doing it in
> :: the open means we know what happens when.
> 
> You should, as an admin, assume that once a vulnerability is 
> released, the exploit has been too, whether you see it 
> attached to the vuln announcement or not.
> 
> Cheers - Erick
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ