From: ka at khidr.net (Ka)
Subject: Shiver me timbers.


Dear Dave,

please let me post this private question to the list;
it's part of the current discussion and the necessity
for open disclosure.

On Monday, 19 August 2002 22:59 Dave Ahmad wrote:
> >[Ka:] I'm appreciating this list very much, in fact after recognizing
> >that for example bugtraq is withholding critical information
> >often for weeks, I
>
> [Dave:] Often for weeks?
> I am very interested in knowing when this has occurred.
> Care to cite some occasions?

On the 15th of May Dustin Childers reported a DOS bug
in Qpopper in bugtraq
	Date: 15 Mar 2002 01:51:10 -0000
	From: Dustin Childers <dustin@....org>
	To: bugtraq@...urityfocus.com
	Subject: Bug in QPopper (All Versions?)

The following discussions among the qpopper developers
centered mainly on the question of which OS might
be vulnerable. This discussion was mystified, because
most members of the list did not have the actual exploit
available (a CPU hog after sending a very long string
AND then disconnecting). Most of them just tested
the long string while keeping the TCP connection open
and therefore erroneously believed their systems
to be "not vulnerable".

I sent some postings immediately to bugtraq, trying
to circumvent the problem -- rather ineffective and
faulty, but nevertheless my postings have been withheld
by the bugtraq editors. At that time I saw questions regarding
that DOS in bugtraq, but no relevant
info made it into the list. Only Dustin Childers himself
put information about the vulnerable OSs on his site,
but bugtraq kept silent and thus fostered the illusion
that only rare and special OSs might be vulnerable.

The Qpopper community (Clifton Royston) created a patch
for that flaw within days

	Date: Sun, 17 Mar 2002 14:18:12 -1000
	From: Clifton Royston <cliftonr@...a.net>
	To: Michael Zimmermann <zim@...aa.de>
	Cc: Subscribers of Qpopper <qpopper@...ts.pensive.org>,
		dustin@....org

and even provided an rpm with the patched program (Kenneth Porter)

	Mon, 18 Mar 2002 08:50:16 -0800 (PST)
	Subject: Re: Additional patch - should help "bulletproofing"
	From: Kenneth Porter <shiva@...l.com>
	To: Subscribers of Qpopper <qpopper@...ts.pensive.org>

But as the vendor Qualcomm lacked the manpower to address
the problem directly (Qpopper had been released as open source
earlier, and Qualcomm had only one man for the product, I think),
the whole community waited for the official release, which came
on Fri, Apr 12, 2002 at 05:03:38PM -0700, when
	Randall Gellens wrote:
	Qpopper 4.0.4 (final) is available at
	<ftp://ftp.qualcomm.com/eudora/servers/unix/popper/>.

with the following change list:

	Changes from 4.0.3 to 4.0.4:
	----------------------------
	1.  Fixed DOS attack seen on some systems.
	...


These "some systems" included all linux distros, if I
remember correctly -- all back releases up to the
newest -- and some other NIXes plus M$-Windoze, Apple,
and so on, practically every OS on which Qpopper runs
except BSD (due to BSD's different HUP signal handling).
And all newer qpopper versions.

With the xploit (a one-liner shell script) I could bring
an empty server to its knees within 10 seconds
(although the attacking IP would show up in the inetd logs,
because POP3 requires establishing a TCP/IP connection
of course).

With a handful of spare rooted servers and some hours
I could have made a DOS party on 15% of all POP servers
of the world (or how many Qpopper installations are there?).


Please understand me correctly: I'm not against the withholding
of that xploit until the new unofficial patch version was
available on the 18th of March. But the weeks afterwards
were just "politeness" towards Qualcomm. And in these weeks,
where the public was left unaware of the severity of the
bug, even a non-programmer could've figured out the xploit
by himself (and in fact, that was done by simakin@....peterstar.com
and published on Fri, 22 Mar 2002 11:32:41 +0300):

	perl -e '{print "A"x"2049"}' | nc my.pop3.host 110


But we simply kept quiet in public.
Not really suppressing the information totally, but playing
it down with a smile and the phrase "only on some systems"
or not answering questions about it at all.
A concert of silence from the 18th of March to the 12th of April.
I bet my bugtraq postings have not been the only qpopper
posts regarding that problem to be delayed and/or rejected
during those weeks.


Greetings
Ka

