lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <006c01c238ec$da49c460$6aa3869f@vitalograph.ie>
From: fulldisclose at uuuppz.com (James Martin)
Subject: it's all about timing

I think many if not most of us on this list who have produced
advisories/exploits have experienced the fustration associated with the
response from some vendors. I had to explain how serious a buffer overflow
was to the author of mIRC, after several emails the vendor agreeded to fix
the problem in the next version. At this time my exploit writing skills were
in their infancy, I did not have a working exploit so I accepted this.

Two months later (I had got distracted by real work et al) I produced a
working exploit and informed the vendor. It was another two months before
the vendor provided a fix, I waitted until they released it before I
released my exploit code. The new release was a major version upgrade, as
you can imagine this felt like they had played me to keep their existing
development schedule. Of course I cannot accuse them of this, but it
certainly felt like they had. To this day they have not publically
acknowledged the existance of the hole in all versions prior to 6.00.

However Dalnet, IRCNet and many other networks all have warnings advising
users to upgrade. Also it was covered by news.bbc.co.uk, newsbytes.com, cnet
and many other news sites. I cannot understand their reasons for this, they
obviously feel  publically admitting their mistake and giving there users a
strong warning to upgrade is not good PR.

I estimate still nealry 50% of mirc users are running v5.91 and lower. This
figure was attained from a CTCP version of #chatzone on dal.net. This is
after 3 versions being released sequentially since the disclosure. I
personally don't feel the vendor has made an appropriate effort to protect
its userbase.

On top of this, I was astonished at how so many people assumed that because
my proof of concept code only lauched calc.exe, this wasn't a dangerous
hole! I'm seriously considering making my next do "command /c deltree /Y
c:\program files" (joke) :P, you have highlight the seriousness of the hole.
Its amazing how blatent it seems you need to be. I can't imagine releasing
an advisory without working exploit code.

In summary, I don't know the full circumstances with this Tru64 exploit but
it seems the hole should have been fixed by HP and they are just trying to
stifle efforts to get them to fix it. I wonder how long it will take for a
fix to arrive now? (or has it already?). I'd much prefer working exploit
code, and an opertunity to fix any system under my control which would be
effected, than secrecy a with the chance that someone else has wirtten an
exploit which is circulating in the underground.

Regards
James




----- Original Message -----
From: "Dave Killion" <Dkillion@...screen.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, July 31, 2002 10:59 PM
Subject: RE: [Full-Disclosure] it's all about timing


> Florin,
>
> I agree with you completely.  From what I understand this vulnerability is
> about a year old, although I'm not knowledgeable enough to say that with
> authority.  If it's true, then I believe the 2-4 week requirement has been
> satisfied.
>
> -Dave
>
> *************************** NOTICE **************************
> Opinions expressed in this email are solely my own, and do
> not reflect the attitudes, policy, or opinion of my employer.
> *************************************************************
>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ