Message-ID: <200301301513.h0UFDglO031172@mailserver3.hushmail.com>
From: auto68182 at hushmail.com (auto68182@...hmail.com)
Subject: Re: David Litchfield talks about the SQL Worm in the Washington Post

-----BEGIN PGP SIGNED MESSAGE-----

> On analysis of the code of the Slammer worm it is apparent that my code was
> used as its template.
>
> It uses the same addresses as my code in terms of the import address entries
> for GetProcAddress() and LoadLibraryA() in sqlsort.dll, it uses the same
> address in the .data section of sqlsort.dll and uses the same address with
> which to overwrite the saved return address on the stack. Further the worm
> code uses the same short jump and has 8 NOPs in the same place as my code.
> That's where the similarity ends, though. My code spawns a remote shell -
> the worm contains none of this.
>
> It also becomes apparent that whoever authored the worm knew how to write
> buffer overflow exploits and would have been capable of doing this without
> using my shellcode as a template. Having access to my code probably saved
> them around 20 or so minutes - but they still would have been able to do it
> without mine.

[snip]


> Now with that said, and in the light that someone has taken my code and put
> portions of it to nefarious purposes, I have to question the benefit of
> publishing sample code. How much "good" was achieved by publishing the code

Given that you've just pointed out that your sample code probably only 'saved
them around 20 or so minutes', then there's no real need for public
breast-beating around this - as you've pointed out, your sample code was by and
large irrelevant.

> But then what about the future? We often forget that our actions online can
> have very real consequences in real life - the next big worm could take out
> enough critical machines that people are killed. A massive failure of the
> emergency services computers such as 911/999 could result in someone's
> death - and I don't want to feel that I've contributed to that.

Don't worry, David, I'm sure your shellcode isn't about to endanger life
as we know it - worm authors who can't be bothered to spend the 20 minutes
will just go to the next hit on Google for Windows shellcode :)

> With this in mind I am questioning the benefits of publishing proof of
> concept code. I am due to present a paper on the remotely exploitable buffer
> overrun in the Microsoft Locator service at Blackhat this February but
> should I then also publish the code used to demonstrate the problem? Should
> I even be discussing the problem in a public arena?
>
No - because then our exploits will work longer in the wild and we can
break into more boxes.  Long live closed-source commercial operating
systems and security through obscurity.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wl4EARECAB4FAj45QgQXHGF1dG82ODE4MkBodXNobWFpbC5jb20ACgkQBZyBylmlHvnE
VQCfZydqWug0HixRyCdP55sdv/+K5toAoKSqUVg9XQ4bLGu8CVm5B/WvdFjr
=uCPN
-----END PGP SIGNATURE-----
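Added example, not part of the message above and not David Litchfield's or the worm's code: the first quoted paragraph describes how the worm was matched to the published proof of concept (same hardcoded addresses for the sqlsort.dll import entries, the .data address and the saved-return-address overwrite, the same short jump, and eight NOPs in the same place). The script below does that kind of comparison on two constructed payload blobs. Every byte, address and the DLL_RANGE bound are placeholders invented for this example; they are not Slammer bytes and not real sqlsort.dll addresses.

```python
"""Compare two x86 payload blobs for the fingerprints an analyst would look
for when deciding whether one was built from the other as a template:
shared 32-bit constants that fall inside the target DLL's image range,
NOP sleds at the same offset, and short jumps (EB rel8) at the same offset.

All sample data here is constructed for illustration only.
"""
import struct
from typing import Dict, List, Set, Tuple

# Assumed image range of the target DLL (placeholder, not sqlsort.dll's).
DLL_RANGE = (0x42A00000, 0x42C00000)

# Constructed placeholder addresses standing in for the values the text
# describes: two import-table slots, one .data address, one return overwrite.
IAT_GETPROCADDRESS = 0x42AE1010
IAT_LOADLIBRARYA = 0x42AE1014
DATA_ADDR = 0x42B20080
RET_OVERWRITE = 0x42B0A1B2


def extract_addresses(blob: bytes, lo: int, hi: int) -> Dict[int, List[int]]:
    """Map every little-endian dword in [lo, hi), at any byte offset, to the
    offsets where it occurs. Scanning at every offset catches unaligned use."""
    hits: Dict[int, List[int]] = {}
    for off in range(len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        if lo <= val < hi:
            hits.setdefault(val, []).append(off)
    return hits


def shared_addresses(a: bytes, b: bytes, lo: int, hi: int) -> Set[int]:
    """Addresses present in both blobs, regardless of where they sit."""
    return set(extract_addresses(a, lo, hi)) & set(extract_addresses(b, lo, hi))


def nop_runs(blob: bytes, min_len: int = 4) -> List[Tuple[int, int]]:
    """(offset, length) for each run of 0x90 at least min_len bytes long."""
    runs: List[Tuple[int, int]] = []
    i = 0
    while i < len(blob):
        if blob[i] != 0x90:
            i += 1
            continue
        j = i
        while j < len(blob) and blob[j] == 0x90:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs


def short_jumps(blob: bytes) -> List[Tuple[int, int]]:
    """(offset, rel8) for every EB xx byte pair, i.e. a candidate jmp short."""
    return [(i, struct.unpack_from("<b", blob, i + 1)[0])
            for i in range(len(blob) - 1) if blob[i] == 0xEB]


def first_difference(a: bytes, b: bytes) -> int:
    """Offset at which the two blobs stop being byte-identical (-1 if equal)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def compare_payloads(a: bytes, b: bytes,
                     lo: int = DLL_RANGE[0], hi: int = DLL_RANGE[1]) -> dict:
    """Collect the template fingerprints shared by two payloads."""
    return {
        "shared_addresses": sorted(shared_addresses(a, b, lo, hi)),
        "nop_runs_same_place": sorted(set(nop_runs(a)) & set(nop_runs(b))),
        "short_jumps_same_place": sorted(set(short_jumps(a)) & set(short_jumps(b))),
    }


def build_blob(body: bytes) -> bytes:
    """Constructed layout shared by both samples: filler, the dword that lands
    on the saved return address, 8 NOPs, a short jump over an 8-byte scratch
    area, then a body that differs between the two samples."""
    scratch = b"\x00" * 8
    head = (b"A" * 16 + struct.pack("<I", RET_OVERWRITE) + b"\x90" * 8
            + b"\xEB" + struct.pack("<b", len(scratch)) + scratch)
    return head + body


ADDR_CONSTS = struct.pack("<III", IAT_GETPROCADDRESS, IAT_LOADLIBRARYA, DATA_ADDR)
# Constructed "proof of concept": the constants, then bytes standing in for a
# shell-spawning stage (0xCC filler, not real code).
POC = build_blob(ADDR_CONSTS + b"\xCC" * 24)
# Constructed "worm": a two-byte prefix shifts the same constants to new
# offsets, followed by different filler standing in for a propagation stage.
WORM = build_blob(b"\x31\xC0" + ADDR_CONSTS + b"\xEE" * 40)

if __name__ == "__main__":
    report = compare_payloads(POC, WORM)
    print("shared addresses:", [hex(v) for v in report["shared_addresses"]])
    print("NOP runs at same offset:", report["nop_runs_same_place"])
    print("short jumps at same offset:", report["short_jumps_same_place"])
    print("samples diverge at offset:", first_difference(POC, WORM))
```

The address match is deliberately position-independent, because a derived payload often keeps the same constants while shifting them; the NOP-sled and short-jump checks are position-dependent, because identical instruction placement is the stronger signal that one sample was edited from the other. The divergence offset marks where, as the quoted text puts it, the similarity ends and the two samples' own stages begin.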