lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050701225833.GA7844@jschipper.dynalias.net>
Date: Fri Jul  1 23:58:38 2005
From: j.schipper at math.uu.nl (Joachim Schipper)
Subject: Publishing exploit code - what is it good for

On Thu, Jun 30, 2005 at 10:36:57AM -0700, Erick Mechler wrote:
> :: Blackhats may get along with only a handful of exploits, if they're 
> :: willing to try to find targets to match their collection, but a 
> :: pentester should have the collection to match the target.
> :: 
> :: This is doubly true if we're not talking about a dedicated pentester, 
> :: but about a sysadmin with a networking/security background who likes to 
> :: verify that the patches did, indeed, work.
> 
> To that I say let the people producing the patches deliver the exploit code
> as a POC that the patches did, indeed, work.  Releasing exploit code before
> the patch is released helps nobody except the blackhats.
> 
> :: Also, exploits will be distributed, publicly or otherwise - doing it in 
> :: the open means we know what happens when.
> 
> You should, as an admin, assume that once a vulnerability is released, the 
> exploit has been too, whether you see it attached to the vuln announcement 
> or not.
> 
> Cheers - Erick

Dear Erick,

Those are two very valid points.

I agree with you on the first, in general at least (if there's evidence
that the vulnerability is exploited in the wild, and the vendor has made
it clear through action or inaction that no patch is forthcoming, a
publicly posted exploit can serve as a much-needed cattle prod - but
that's a relatively uncommon situation). However, I wasn't talking about
this, and I assume the OP wasn't, either; this is not an argument not to
release exploit code at all.

The second is true; however, it's also true that when there's a
skiddie-friendly exploit out there, you can expect to see a lot more
attacks. Pretty soon. And as pointed out further in the same thread,
exploits function as a much-needed cattle prod for lazy admins too.
And yes, I've needed the prodding a few times, myself.

		Joachim

Powered by blists - more mailing lists