[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030109035411.82866.qmail@web14707.mail.yahoo.com>
From: anoncoder at yahoo.com (Jack Ahz)
Subject: Exploit for auth2-pam for vuln linux opensshd
Dear reader,
Yours truly would like to note the following:
Globalintersec Research is a hoax. Unbelievably, the only thing that makes me
angrier than a 0day factory like ISS, which churns out advisory after advisory
due to the unethical and illegal auditing of proprietary source code found on
irc and plan9.hert.org, is a security company consisting of complete morons
that is able to make money (SOMEHOW) by completely fooling the public.
KF, of GLOBALINTERSEC SECURITY, THIS MEANS YOU!
Note: At least ISS uses illegal means and genuine skills to audit proprietary
source code and find real, useful bugs.
Let's think about it. KF MADE THIS POST TO VULN-DEV:
-----------------------------
My question is does anyone know how to programatically do this? Do i
need to make use of bit shifting or something? I need only a program to
print the list to the screen or something simple. Example output would
be ...
AAAA
BBBBB
....
AAAB
AAAC
...
and so on but ONLY unique posibilities.
-KF
-----------------------------
NOTE THAT NOT EVEN THIS QUESTION WAS ERROR-FREE (THE SECOND ENTRY HAS 5 B'S)
So are we to believe that somebody lacking the most basic C-skillz is able to
craft an exploit for opensshd for linux?
Is it not apparent that if this bug were easily exploitable, SOME FUCKING IDIOT
would have already posted the exploit to packetstorm, like MR ZENITH PARSEC?
KF continues in his vuln-dev post,
"Hah this is great... and to think a simple question like that stumped my
local java AND c++ instructors. "
Where did you go to school, the University of Swaziland?
Anyhow, I am straying off topic. Let not my hate of the KF cloud my message.
The point is this:
I have looked through the auth2-pam.c file a while ago, and determined that the
sshd daemon was certainly not exploitable in the way which was described in the
advisory, due to certain counter variables and corruption of the heap. Now,
this was a while ago, and I'm only going by what my own memory serves up.
The same goes for the FAKE GLOBALINTERSEC sudo advisory. It is quite apparent
that the gdb output was fabricated. Running neither one of those programs with
a few simple command will cause some textbook heap corruption scenario where
the malloc chunk headers are 'merely overwritten' by a long string of A's. Even
Mr. FC could have crafted up an exploit in less than 8 months IF THAT WERE THE
CASE.
Solution:
KF[GLOBALINTERSEC], admit to the world that you are a fraud and faked gdb
output in an effort to gain fame. At least I applaud for not signing your name
as 'KF' to your advisories. Globalintersec would have certainly been out of
business by now if that were the case.
If KF admits he is a liar, this will all stop.
Potential Counter-Solution:
Say KF does not admit he is a fraud. I will be forced to go back through a pile
of old worthless code to show that his exploitable condition is impossible
(which is not to say at all that exploitation in some way is impossible).
-- END --
__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
Powered by blists - more mailing lists