Open Source and information security mailing list archives
From: attica at stackheap.org (S . f . Stover)
Subject: re: openssh exploit code?

On 20 Oct 03 03:28:02AM mitch_hurrison@...lip.com wrote:
: That's a fine example of the whitehat leech mentality you're
: displaying there. Why do you insist on being so dependent on
: other people's findings?

Not really - just interested in seeing what other people had found.  I don't
think that qualifies as "dependence".  BTW, I thought "whitehat" implied
non-disclosure, which isn't really the direction I'm coming from.

: You're supposed to be some sort of
: "security" expert no?

I've never made such a claim - on this list or any other.

: Well here's an idea, how about you go
: research the bug yourself and base any conclusions on exploitability
: on that. Instead of begging the people who put in the work
: to disclose their research. What is the added value of anyone
: disclosing an exploit to you? 

Actually, I *am* researching the bug myself.  I didn't realize that asking the
community for assistance in that research was such a problem.  My most
insincere apologies to you.

: A) You know the bug exists. 

True.

: B) You know it's probably a good idea to patch it. 

Already done.  However, the more I know about the bug itself the better I can
learn to assess the patch, as well as further issues.

: So I don't see what the big deal is with it being exploitable
: or not.

Ok - so why bother flaming me?

: The fact that you don't have the skills to independently research
: and exploit the ossh nul overflow has no bearing on the
: fact that you should patch your openssh daemons.

I don't really think you are really in a position to assess my skills.
Regardless, I do believe that this is precisely the point.  I want to learn
more about how this exploit works.  If there is working code out there that I
can learn from, why not ask?  If people don't want to give up their code -
that is perfectly fine with me.

: So unless you
: plan on owning a bunch of boxen mr. stackheap (!?)

That is definitely not my intent - the people who know me realize this.  The
people who don't can hold on to their code.  Again, this is OK with me.

: I don't see
: why the likes of you would need any confirmation or even working
: exploit code. Disclosing an exploit would at this stage only
: cause a lot of senseless hacking.

I frankly don't give a shit whether you see benefit in this or not.  This is a
full-disclosure list.  If I want to ask others for help in this area, I feel
that is my right.  Conversely, I understand and respect the right of everyone
else out there to either help me or not.

: But to put your mind at ease. Yes it is exploitable.

Ahhh - thank you so much.  I will sleep better now knowing that you have eased
my pains of doubt.

: Will you
: get an exploit from me? Hell no.

Fine - all you had to do then was shut the hell up.  If you have exploit code
and don't want to give it to me - THAT IS FUCKING FINE WITH ME.

: And I doubt that anyone who
: put in the research time would just give up their work like
: that.

Again, this is their right, and I understand it.  I'm glad that you took it
upon yourself to speak for the list though.

: There is absolutely no justification for the public disclosure
: of an exploit for this issue. It's been recognised as a security
: issue and people have been advised to patch.

Who are you to make such a decision?

: Again, putting an
: exploit in the hands of the greedy and clueless is not something
: I would want to be responsible for.

Neither would I - but then again we seem to be in a bit of disagreement as to
whether or not I am "greedy and clueless".  <shrug> You've never met me, nor
spoken to me, that I know of, so how can you assess?  Besides, it's not like
other exploit code hasn't made it to this list.  It is FD after all.

: And I doubt any sensible
: person would release an exploit for this issue. Be it only because
: successful exploitation of the bug requires abuse of a lesser
: but still unknown issue which ensures a favorable heap layout.
: 
: I seriously hope no one falls for the trap of releasing exploit code
: to "prove" a point. Ignorance is bliss. If you can't write the
: exploit, you don't need the exploit. End of story.

I disagree - not everyone is a coding god like you evidently.  There are those
of us in the security field with competencies in other areas.  This does not
diminish a desire or need to learn new things.

I'm a bit stumped here - I thought FD was FD.  But now it's only FD when you
want it to be?

: With regards,

Yeah, right. 8-)


~S


-- 

aka Dolph Longhorn
attica@...ckheap.org
GPG Key ID: 0xF8F859D0
http://pgp.mit.edu:11371/pks/lookup?search=0xF8F859D0&op=index

"There is no such thing as right and wrong, there's just popular opinion."
-Jeffrey Goines