lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <PUCODXAPBSCAEHELL5DWDSPUECMPBYIPGLCBIEP1@ziplip.com>
From: mitch_hurrison at ziplip.com (mitch_hurrison@...lip.com)
Subject: re: openssh exploit code?

Hi Attica,

That's a fine example of the whitehat leech mentality you're
displaying there. Why do you insist on being so dependent on
other people's findings? You're supposed to be some sort of
"security" expert no? Well here's an idea, how about you go
research the bug yourself and base any conclusions on exploitability
on that. Instead of begging the people who put in the work
to disclose their research. What is the added value of anyone
disclosing an exploit to you? 

A) You know the bug exists. 
B) You know it's probably a good idea to patch it. 

So I don't see what the big deal is with it being exploitable
or not. The fact that you don't have the skills to independently research and exploit the ossh nul overflow has no bearing on the
fact that you should patch your openssh daemons. So unless you
plan on owning a bunch of boxen mr. stackheap (!?) I don't see
why the likes of you would need any confirmation or even working
exploit code. Disclosing an exploit would at this stage only
cause alot of senseless hacking. 

But to put your mind at ease. Yes it is exploitable. Will you
get an exploit from me? Hell no. And I doubt that anyone who
put in the research time would just give up their work like
that.

There is absolutely no justification for the public disclosure
of an exploit for this issue. It's been recognised as a security
issue and people have been advised to patch. Again, putting an
exploit in the hands of the greedy and clueless is not something
I would want to be responsible for. And I doubt any sensible
person would release an exploit for this issue. Be it only because
successfull exploitation of the bug requires abuse of a lesser
but still unknown issue which ensures a favorable heap layout.

I seriously hope noone falls for the trap of releasing exploit code
to "prove" a point. Ignorance is bliss. If you can't write the
exploit, you don't need the exploit. End of story.

With regards,
Mitch
 


--opJtzjQTFsWo+cga
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Well, this thread didn't quite go like I had planned.  ;-)
I did have someone
contact me off-list and say that he had a vulnerable sshd server that was
owned - he wasn't certain that it was this exploit, but he thought it was (=
not
sure why - he didn't say).  I'm working on getting the trace for analysis -
will post if I get it (and it's OK w/ the source).
So it seems to me (ranting aside), that it MIGHT be exploitable, and there
MIGHT be code out there to do it, but my issue remains:  until I see source,
or poc I won't know for sure.
Does anyone who knows for sure feel like contributing?
--=20
aka Dolph Longhorn
attica@...ckheap.org
GPG Key ID: 0xF8F859D0
http://pgp.mit.edu:11371/pks/lookup?search=3D0xF8F859D0&op=3Dindex
"There is no such thing as right and wrong, there's just popular opinion."
-Jeffrey Goines
--opJtzjQTFsWo+cga
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iD8DBQE/ki3hBJRbvfj4WdARAn8qAJ9ZVE1Xd3c1g1MP7/OvS8lmZMKrTACdGgvx
aB6gM+U61L4OgQkLZ33ywU0=
=wK+C
-----END PGP SIGNATURE-----
--opJtzjQTFsWo+cga--


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ