Message-ID: <20031020031742.A94949@stackheap.org>
From: attica at stackheap.org (S . f . Stover)
Subject: re: openssh exploit code?
On 20 Oct 03 03:28:02AM mitch_hurrison@...lip.com wrote:
: That's a fine example of the whitehat leech mentality you're
: displaying there. Why do you insist on being so dependent on
: other people's findings?
Not really - just interested in seeing what other people had found. I don't
think that qualifies as "dependence". BTW, I thought "whitehat" implied
non-disclosure, which isn't really the direction I'm coming from.
: You're supposed to be some sort of
: "security" expert no?
I've never made such a claim - on this list or any other.
: Well here's an idea, how about you go
: research the bug yourself and base any conclusions on exploitability
: on that. Instead of begging the people who put in the work
: to disclose their research. What is the added value of anyone
: disclosing an exploit to you?
Actually, I *am* researching the bug myself. I didn't realize that asking the
community for assistance in that research was such a problem. My most
insincere apologies to you.
: A) You know the bug exists.
True.
: B) You know it's probably a good idea to patch it.
Already done. However, the more I know about the bug itself the better I can
learn to assess the patch, as well as further issues.
: So I don't see what the big deal is with it being exploitable
: or not.
Ok - so why bother flaming me?
: The fact that you don't have the skills to independently research and exploit the ossh nul overflow has no bearing on the
: fact that you should patch your openssh daemons.
I don't really think you are really in a position to assess my skills.
Regardless, I do believe that this is precisely the point. I want to learn
more about how this exploit works. If there is working code out there that I
can learn from, why not ask? If people don't want to give up their code -
that is perfectly fine with me.
: So unless you
: plan on owning a bunch of boxen mr. stackheap (!?)
That is definitely not my intent - the people who know me realize this. The
people who don't can hold on to their code. Again, this is OK with me.
: I don't see
: why the likes of you would need any confirmation or even working
: exploit code. Disclosing an exploit would at this stage only
: cause a lot of senseless hacking.
I frankly don't give a shit whether you see benefit in this or not. This is a
full-disclosure list. If I want to ask others for help in this area, I feel
that is my right. Conversely, I understand and respect the right of everyone
else out there to either help me or not.
: But to put your mind at ease. Yes it is exploitable.
Ahhh - thank you so much. I will sleep better now knowing that you have eased
my pains of doubt.
: Will you
: get an exploit from me? Hell no.
Fine - all you had to do then was shut the hell up. If you have exploit code
and don't want to give it to me - THAT IS FUCKING FINE WITH ME.
: And I doubt that anyone who
: put in the research time would just give up their work like
: that.
Again, this is their right, and I understand it. I'm glad that you took it
upon yourself to speak for the list though.
: There is absolutely no justification for the public disclosure
: of an exploit for this issue. It's been recognised as a security
: issue and people have been advised to patch.
Who are you to make such a decision?
: Again, putting an
: exploit in the hands of the greedy and clueless is not something
: I would want to be responsible for.
Neither would I - but then again we seem to be in a bit of disagreement as to
whether or not I am "greedy and clueless". <shrug> You've never met me, nor
spoken to me, that I know of, so how can you assess? Besides, it's not like
other exploit code hasn't made it to this list. It is FD after all.
: And I doubt any sensible
: person would release an exploit for this issue. Be it only because
: successful exploitation of the bug requires abuse of a lesser
: but still unknown issue which ensures a favorable heap layout.
:
: I seriously hope no one falls for the trap of releasing exploit code
: to "prove" a point. Ignorance is bliss. If you can't write the
: exploit, you don't need the exploit. End of story.
I disagree - not everyone is a coding god like you evidently. There are those
of us in the security field with competencies in other areas. This does not
diminish a desire or need to learn new things.
I'm a bit stumped here - I thought FD was FD. But now it's only FD when you
want it to be?
: With regards,
Yeah, right. 8-)
~S
--
aka Dolph Longhorn
attica@...ckheap.org
GPG Key ID: 0xF8F859D0
http://pgp.mit.edu:11371/pks/lookup?search=0xF8F859D0&op=index
"There is no such thing as right and wrong, there's just popular opinion."
-Jeffrey Goines