lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: mitch_hurrison at ziplip.com (mitch_hurrison@...lip.com)
Subject: No Subject

Hi Frank,

> Okay, please show us in discussion where it is exploitable. 
> No need for exploit code to feed the script kiddies, 
> just convince me with an analysis.

I think you misinterpreted my argumentation. In my eyes
anyone who is not independently capable of verifying
the exploitability, or atleast devising the theory
behind possible exploitation, of the ossh nul overflow
is a "script kiddie". As you so aptly put it.

Now if you're somewhat at home in heap mismanagement bugs
you should know that this issue, provided you have a
favourable heap layout (hooray for memory leaks), 
is exploitable on atleast 
Linux. That's as far as I'll go. Remember apache? One
man's DoS is another man's remote. For god's sake even
ISS believes the issue to be exploitable. And Duke may
be alot of things, stupid he is not. (ok so maybe that's
up for debate, hi Mark!) As far as the PAM issue goes,
that's fucking trivial.   

Seems to me it's a lose-lose situation. Release the exploit
(and with releasing the exploit I also mean giving full
analysis of exploitability to people such as yourself) 
and people will whine about irresponsible disclosure.
Don't release the exploit and people will whine that they
don't believe it to be exploitable. How long do you think
it will take for some fame seeking info-sec company to
produce exploit code from a public analysis?

My original point remains. There is no need for this exploit
to be disclosed. And I think every ossh admin out there 
should count himself lucky that he's given the time
to mend his servers. But do they use this time? No. They
sit around bitching about not believing it can be exploited
and will only get off their asses when the proverbial shit
hits the fan. Now this behaviour is only fueled by uninformed
openbsd developers trying to save face in calling it "just a dos".

Now at the end of the day it's neither my duty nor my desire
to release anything. I don't owe you shit. And I'm not about
to post something that took alot of research just to make a
moot point. Any admin who did not patch their servers using
"oh it's just a DoS" as justification should be fired on
the spot. Again, and this is getting tiresome, a bug was
recognised to be a security issue. Security issues get a 
priority to patch. It'd be a different story if it wasn't
published as being a security issue. 

So no, it's not my job to prove exploitability to you. It's your
job to get off your ass and prevent me from exploiting you. Ofcourse
that won't secure you from the plethora of bugs remaining in
OpenSSH. Hype is just another form of FUD and people seem to
be buying the Open* FUD without giving it any second thought. 

Pro-active security and all that muck no?

With regards,
Mitch




Powered by blists - more mailing lists