[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b581b3220705061727k6479312fh2d5f65d32cde95f4@mail.gmail.com>
Date: Sun, 6 May 2007 20:27:24 -0400
From: "Dave Aitel" <dave.aitel@...il.com>
To: shadown <shadown@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
dailydave@...ts.immunitysec.com
Subject: Re: [Dailydave] Vulnerabilities Hashes DB needed
There's only one company in the whole world that says "buffer overrun" and
that's Microsoft. Everyone else says "buffer overflow" which is more
correct. I blame the Kiwi on Microsoft's insistence on using the wrong word
here. But regardless, unmask.py has a field day on that sort of thing. :>
Anyways, if vendor monopoly disclosure annoys you, stop doing it. Why
aggravate yourself by doing work for other people for free? Life is short.
If all you really want is fame, then sell the bugs to whoever can get you
the most fame fastest. Or just post them to the list. And I don't think we
need a separate hashes list, since dailydave or full disclosure works fine
for that and, importantly, is mirrored all over the place. Alternatively, if
you cc me the free 0day I'll tell everyone the date you sent it to me in a
GPG signed email upon request.
When I was a kid, I played this card game named "Mao" obsessively for a few
weeks in the summer, and then completely forgot about it until today. Mao is
an Uno variant, played silently, and the point of the game is to deduce the
rules of the game - rules which are essentially made up by the dealer or
local culture. It's a fun game. You never see anyone playing it at hacker
conventions, which surprises me. One of the standard rules, which I'll give
away here, is that if you talk, you are penalized by having to draw a card.
Of course, until you can deduce the rules, you end up drawing a lot of
cards.
I guess my point is this: if you deal the cards, you can make the rules.
Otherwise, silence is usually the best option.
-dave
http://en.wikipedia.org/wiki/Mao_(game) (people who have not played Mao and
plan to, should not read the rules, as it ruins the fun)
On 5/6/07, shadown <shadown@...il.com> wrote:
>
> [Moderator: I ask you to accept this mail, so that the comunity may come
> with a solution. Thanks in advance.]
>
> Hi,
>
> During the near past I have to confront some issues when reporting
> vulnerabilities to the vendors, I'm not going to disclose the vendor's names
> because is not the goal of this mail, but to become with a solution. I'm
> asking the researches comunity and whoever can help us to come with the best
> solution. In this mail I'll explain my reasons and what I think is the best
> solution (actually I've borow the idea from others) and ask the comunity if
> someone thinks that is a better one.
>
> Reasons:
> --------------
>
> 1- I've contacted with some vendor and after getting the right security
> contact to send the vulnerabilities I've sent the pgped PoC files. Then the
> vendor didn't come any more to me. After a month I've contacted the vendor
> again, the vendor said: 'oh, I didn't receive the mail'. I've resent the
> mail and the vendor replayed: 'I've tryed the PoC files and none of them
> worked, probably our internal testing team found them'. After receiving that
> answer from the vendor I've downloaded the software again and the
> vulnerabilities were fixed. I did a binary diffing to analyze OLD vs. NEW
> version and extraordinary...the bug I've reported + two other bugs where
> fixed, what was a bit suspicious. I've ask about this to the vendor and the
> vendor replayed the following:
>
> """
> It's hard to imagine that the respective fix would be directly related to
> your files because we haven't had them. Don't get me wrong, we have no
> problem crediting anyone who reports bugs to us, helping us to improve our
>
> software (just as we did e.g. in the case of version XXXXX where we
> credited XXX YYYY - see
> http://www. linktothecredit <http://www.linktothecredit/> ) but I
> don't think this applies here, really...
>
> Sorry - maybe you can find some other overruns in the current build? (or,
> even better, in the build that's coming out in about a week - because that
>
> one has some new fixes in it, too [so it's theoretically possible you'd
> hit
> something that has already been fixed, too]).
> """
>
> This was the case with one vendor, and pretty similar situation with
> others. (ofcourse there were excelent comunication with some other vendors,
> but is out of the scope of the solution that I want to come with.)
> 2- There are some vendors that are really dificult to deal with. It took
> me about 4 months to get the right contact to report the bugs, and this
> would be another think to think about, A public 'Vendor's Vulnerability
> Reporting Contact DB/List'.
>
> As I do believe in responsible disclosure, I don't agree with 'giving up
> and launchin 0days' so that vendors eat their s**t, the following is what I
> think is the best solution for it.
>
> Solution:
> -------------
>
> First of all: I've taken this idea from matasano and Halvar, that were the
> ones I've seen that did this in the past.
> The main mailling list should create a 'Vulnerabilities Hashes mailing
> list' where the researches comunity can send the hashes of the PoC files
> just before they conctact the vendors. That way if the vendors do not give
> the proper credits to the researchers, at least the researches will have
> another proof to show that they were the ones that reported the
> vulnerabilities, and not just the mails they've crossed with the vendors.
>
> Final Comments:
> -------------------------
>
> I'm pretty sure that a lot of researches has this kind of problems in the
> past and this is really frustrating.
>
> *** I don't want this mail to end up being a: "Oh, yes, I have this
> problem with xxx", and so. Please don't do that because is NOT the goal of
> this mail. Just bring your ideas to improve this and to make this
> 'Vulnerability Hashes mailling list' to happen. ***
>
> The following is are the MD5, SHA-1 and SHA-256 hashes of the
> vulnerabilities that I'll be reporting to the vendors after sending and
> seeing the post in the mailling list. This is a verdors based hashes,
> because probably in some cases the PoC files behind this hashes may affect
> other vendors, but as I didn't try with other vendors I don't deserve the
> credits for the vendors that I didn't spot vulnerabilities, if other
> researcher finds the same bugs in other vendors, they are the ones that
> deserve the credits for that.
>
>
> AnhLab V3:
> ----------
>
> 65d9c1f2a9f3e7cf90e814ad27c7868b
> bf6460b08b07b9fdfc90e243e8c72b326b4070f4
> e766ac5bedb1144a8bb0426382aec5b58d9fcbf2ac560c321e474f57124c322b
>
> Avira Antivir:
> --------------
>
> 6be69d215a9abee4c5966243fbd074a2
> 34ad8cd7fd38a8c6af9d6e13bd2bbe72806ceee4
> 1094efa900cd1b0bcacbd38fa6ebee65bace529227512d25cdeede4dadbaef7b
>
> 770206b8b023069913315bc0ad15fa7f
> a1c5a301e1898e5749eb8bdb477f7ff786142a6d
> ecc1a63d3c7e1c21a6d92d8b5d7889038861bf09f43c5ab81d84ff6f3a9c166c
>
> cd180ca57fccb2611eded02789830803
> 25d610387e7a7c2a372e8cc612b495c3145e9768
> 6d4ddde75ecaddd0780420485d4a973cb1d9ba0df2c1fef15ca8a1a29d67f640
>
> c40a37cd215c7cca64310984b6b7a848
> 4c09a09683328f4a0a56f4ca523b5d25e4a9f618
> dbb89a4f297a050df445cb8a0e81b5753f32a4fe0d8b40f648572152215977da
>
> 76105c8caf97785c9fa330481b13713d
> 0ee01fa4ab0f9a3504201ce02a4c53547a8efbb4
> eae7a347cbd805bce87ca8303d4de98729034228a1a94b999c01bb132f4738f2
>
> AntivirusKit:
> -------------
>
> f308330ddc4fe26c0458a148f9594759
> 36a5feb922e8163be67a85018294d9e179cbcec7
> 6da70b2be86525ae5fc654cc293a44437ee6ca912668eff7501ef529a5be4196
>
> f9a42de55118798f2920a2b1072c8444
> f62f63ac4aee1295cbf7a636e13e5cba7f6474a5
> 8d8be8e6bd765c8822696d2af58f53f386987129c7ceca43f051f026d4073a7a
>
> 56865f1768d2a646ce0e9e8d436ec67b
> 0dfcb3a5c004665821f58afe3ddc7aca52411919
> fd66434954edd4e07265660a37be5737e08414b033901905e5e535a4431aee7b
>
> 6511e2fdc0f721a47c4e8a1d626108f2
> 9fc5010703bcccdab67f4c61b2144f06c1ed6679
> 0c42ceba2e181cc943a330ea7d9e9ed7b05cb2602b50c10693ab3515d0d3776c
>
> e2927d23417de42c00f6570179fa0ab4
> 5a654b60b4e5d7b971393993bf74bff6b7babf4c
> a0b47cb536e58f060fd193e44cad1c282964bf02d743eeb375496d96e9852492
>
> e29cf7b7613bfdbb9a0c1b4114527251
> 712e1835f88a75b50b902b5aeb8c63199d634da8
> 0b8b843e0e123464275b75fd1d21a808233389204df10accca0d9b29884d8c27
>
> 99558b6186c3af5415dac0488b0f4a0d
> fb6504beb4934e9c4656121d0efd224b3e12da04
> b339d6e1ea6d76a297b691b989a650c47392d063a7ee8394ac3a104e831cd97b
>
> 136eeda72cff4ce605424dd4566b5c5b
> d79e8ece11468fffadd9ce0f24d6904544882979
> 2fb06f226571cb9f097d2ebcdef89898d70033bdd092233fea048fb345d318ad
>
> a8f265a5d767f40a942a93be4ace83f4
> 1aee982c67d3557dcb77989c36ff4c35115eb8c7
> 957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732
>
> Avast Antivirus:
> ----------------
>
> 24b53bacfa2f6aeba6226466d6a96758
> 7bccb6233ae8356928f49ece594af2ec05654ec7
> e07652d14834e267a661892a240be7185035942224c9386e68cbdeb1e636369a
>
> df88c0d9489a877eca251f6977f07d0b
> dca5faa757d3a7d72bf37873db8dae7e0f002cd1
> 65271e3d3a5e4f70f337b19b661f8ed5521777715c3c7223c5bde05f5ab826b9
>
> 649666668e1f0a219c0bd9619aff5d91
> 839c714d4b28bf903c6ccd0b1b7a6fdf5c46c01a
> 41c263ea1ce75411792f5853c8c02bf1ccf06708f09cd874490ef11623b85d55
>
> 0f16d47de15ebbcd30ecad2b3ba9aea2
> 51f859523e3d1d7eb8549ac27bc0ce292dfb940d
> 54806f6d3c6d193ea874057bc1d04e403c99c51fcf46dacbf3fdffc8a7033244
>
> f1f4ac1d188c020f8e9a651555279227
> dd2cd2fafe3d98b099a7504bd94089c1deec680a
> cb5e46bb6abe10a8bc35dbb24991770f6433d7b5981998604164bb43ec2676bc
>
> 4696e1bb5e73620c6e715d9c727ac7f6
> a240b8bdd748a15ef6e451e4a327258367e7c07c
> 2181db5345a3d04c83cbf5ca8442fecfeb1f3825ec0a7516f07eaebd03ee234a
>
> 40a82d15fcb2cd982fde52b5d90e7d49
> b5248dd45ff405a0c75e7771c25ce1d8cdc2dfd2
> cdedcb945de7855b9ff791ce1d0dff0bacccd715eaf61942676b4153f9783cda
>
> df519bca64476f0f7e0a973c31e0828a
> b46ac3f62a1dd0b9f1dc99d822913cd588f6ee68
> 003f657a4451b1e34de81862af10eac5cb25950406925e1f837ffc5f2ff2d4a3
>
> 193a39e6e57c5fe1e673cd60fc9f838d
> d2bdb2e33a3c0922918d0badbec70d830228586c
> dcbeefec4bb40fc39523284073ef5d1f6773786e286949d588e182de490ed74f
>
> 835899502d90cf4a435aa4392b2b03f4
> ec81ee8d7239a89346e1e17ad4f018da180d5310
> b019d4dcfd6db786ee13ed80f6e90b0faeb23f90b8dcb1061a718f9446e39e22
>
> 2ec5e7d881bd4792fe63992a052aa054
> 3bc58e9f7f1d9efc2d2a599b430ca745b810fbcc
> bd5d5e96fc091a21ac3c1e1e24276fb22cd42dc7b56569de23811ab7196df5e1
>
> df519bca64476f0f7e0a973c31e0828a
> b46ac3f62a1dd0b9f1dc99d822913cd588f6ee68
> 003f657a4451b1e34de81862af10eac5cb25950406925e1f837ffc5f2ff2d4a3
>
> 193a39e6e57c5fe1e673cd60fc9f838d
> d2bdb2e33a3c0922918d0badbec70d830228586c
> dcbeefec4bb40fc39523284073ef5d1f6773786e286949d588e182de490ed74f
>
> 835899502d90cf4a435aa4392b2b03f4
> ec81ee8d7239a89346e1e17ad4f018da180d5310
> b019d4dcfd6db786ee13ed80f6e90b0faeb23f90b8dcb1061a718f9446e39e22
>
> 2ec5e7d881bd4792fe63992a052aa054
> 3bc58e9f7f1d9efc2d2a599b430ca745b810fbcc
> bd5d5e96fc091a21ac3c1e1e24276fb22cd42dc7b56569de23811ab7196df5e1
>
> 7f1dfbef6cbb128480a89c518ef5e7b6
> 86dfabefece6ced61521cca7a8d573214bacc61d
> abf0a439abadd50cf7871e14f7b0fecf6d24b0257679e186b4a8cfa5c95db26f
>
> 2c799b6dd1a95ac3f7ae9cb6550145ef
> e509214a69108485821a370d48a22ae519feda42
> fc204ac5f18b04a36570273035300004d16ab38b990e7c699743f4bbe1c8cd73
>
> 8505d6f3bb638c47a51c1e954945219d
> 0923321102a3a6ef606a54ea6375118e5003e7d2
> f5103f808ba9e227ebf8f16f361a1710f6f083757d56d40a2c6dcd64f4578499
>
> Grisoft AVG:
> ------------
>
> 7ed40b565903c3788157f1b7facd3e8c
> d95141a18c0d49e3ef4da4ae4164460c04df571a
> 018f888c8f9a280c2a546d70646cfdfb002127f786777036190227f82438e99f
>
> 4cf5ea82eeb3526584bbc0e648859f28
> 4872d5a93ce3caafd2398b948a17c535fe1c178d
> fc528e338ff779041cd7d43d5175461cbec51476bc83bab993930c894b4ab27f
>
> 3f30645d19a29120e3ed6667023f9b26
> d8e468bb9b6d224e322a08e6b813d9a891a7a37c
> e88ad4becf6ba0917e9187b7dcc907e2f0d1789e71dd8328f455662405afcacc
>
> 9723df4678b88056e18727fadfc523f5
> 21823e87f72ae6268f67f27dda6e1fd97162baa0
> 22c7987f4c9f0ae996e322547afd8f70dd0c1e579bebd9505d1d8106c6a8c47f
>
> CA eTrust:
> ----------
>
> b1ad7836c4c5f13acd39a7554cb4a74c
> b21fdf4ac22cb040ceb060a5ce9369344a012ea5
> 3c39bf686d8cfa8d5901c10b6faff8e15f53eb5a7b09226893c5ec0add63e819
>
> bb41ecd6340ddadf1b342569f545e0b3
> 38405393b9145bf92c3ce2b9f887bbb200578c15
> cc933471d8a8c1ff2216209b5063b5ebc77e86846d0b5d4809763af1277fcf93
>
> 830b9443c1d9a2c3a3c22a61e141ff67
> a5eb5a4bfab519db6db1270dda12a3eed36e99e6
> ef3a5733a48728564781c3d5d7bf364f7c6b8c2dc9f62fbf7abd07c361e1078b
>
> e29cf7b7613bfdbb9a0c1b4114527251
> 712e1835f88a75b50b902b5aeb8c63199d634da8
> 0b8b843e0e123464275b75fd1d21a808233389204df10accca0d9b29884d8c27
>
> F-Secure Antivirus:
> -------------------
>
> 8029afc917c99b76211376677bec7025
> 0e8b7674771c1cbd8860f73b1ce53aa88720c7d3
> 107b3efdeab6e622cc164c4cdde5366ca1d4aac7e263217e0b41c7dcbff3b025
>
> 2c4c3f6b89c7c395842b41a697cad411
> b7d769358b594770d392bd57cbc9e56ece99b422
> 548b4b246be5ed4cf962d556c20c96c35994269f06b5ddedd7aa7e7248e9e250
>
> 657d39f36ac3f09f46ec30ed25a66a48
> 3ca8a75f157cecb89ab8a9cf29b5589536428d50
> 1fd43a88cf07ef8f5f1f35f656fbb08b2d16ad273363e88fa2efe4a056937f4a
>
> d27a2fb4a40b785e25a450bb3acfd793
> 6b1d6d0754711ff5bafd84b1ed5a9ceeb88f3a53
> e50e14059f17895efcfb7f60ff0be061cf49fa4a288c63ec494991555667da32
>
> McAfee VirusScan:
> -----------------
>
> a8f265a5d767f40a942a93be4ace83f4
> 1aee982c67d3557dcb77989c36ff4c35115eb8c7
> 957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732
>
> ee44ef6cf5cb0a8debae2adf18a33579
> a4a386f2b911b7bb9fc3572935032bb56c9a5d85
> c8d017c4f095b2f45623117d80433339b16b48de9fc8a7362eb13116bdd29c5b
>
> ee44ef6cf5cb0a8debae2adf18a33579
> a4a386f2b911b7bb9fc3572935032bb56c9a5d85
> c8d017c4f095b2f45623117d80433339b16b48de9fc8a7362eb13116bdd29c5b
>
> 3fb13db5928235fce3f6e65aa7ea4e86
> 83f6ef1b222ad55fd87967e3089f554a33ae5a06
> be927665d2d44f0958b7c8070ea4cc77444cdfe3ada3d8398dd1cb8f6b9f6192
>
> a8f265a5d767f40a942a93be4ace83f4
> 1aee982c67d3557dcb77989c36ff4c35115eb8c7
> 957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732
>
> ESET NOD32:
> -----------
>
> cfd37b81fd0dbc62653032a4166173ff
> 3c69c0e8979237bf4af66f4b93a7ada0d0d81211
> e8853ba6967db030d54805899525ba20fb03c4b4786e1c1b97f1666e316052e3
>
> 440c492b01a8fb46a28d210345c180ed
> d0db253944fdc24f81df3cd0c1fb63c1a700e240
> 8a3a6be38a55a341b2bba13bb4af453ca408edc29f1ee1f3f091e921250d28f1
>
> 02dc846a5388b9c3b6021208761e6f5a
> 600420f8f3c7d438533817d64e0bef92462a614e
> 5ad94d4d445d48f1ef5d87d492e0213c7af20bebb053621418375c09412d8e4a
>
> b6f1955690dcfc804fae032216507430
> 65cf6c31c4c103c296c937520964d6dd7442d86f
> f2401d9d3a5c3be0b9eec88eacf493ad6d83942ce0f566129cba929e398efc59
>
> c52853d1d0ada84dd432aff2eacea04e
> 1f11427a3c5620dff36ef4056901bd3e1a209eeb
> d51bbacd4b2b540266b793ee2735d729844c0476a648d3dd7fc683d6eef13db4
>
> 0107600c8612ff2ad4f22865768d407c
> 845391b0311305dadbed0aa41c2028e65516bfc1
> 40eb114d0b472d35850fcdde4bba6bdf36f067ba55a7c2df67d65dcaa4592dec
>
> Norman Antivirus:
> -----------------
>
> fc7743cda0033f81d5c7d969542ea33b
> 0e4ffac982168a0aa73f529d830dc656a747a6dc
> ca371fd64625efb50a0f3bb403bd922fc7081fc8966df7b0fd40b40586624188
>
> a9bd4536a1966c0dde8ba718c658e854
> f4adb4bfac96954a93c8e9d001630540af4a3fea
> 32caf66cd837949bfff32d4c2365cb3519d908e56dd3684e8ddc107ba25cc873
>
> d5d020485df8ead5192042da9f32bb0d
> 95ead5b4fe26e5dff98a7fa95168f41713878f4c
> e6a19e24893ad87a7c0c299f35fc2010af5a7a4a926e0fa5113946cb80dc1ea5
>
> b9a8a5063abf31f53f6f7d2e35a8f7ee
> 3640d55abbd155ea22a2a68f9d15f27e5307a048
> 7cc06d3d8ceb341d6735c57c42288b067605a1fdeb8753729e4dddd0b435ad64
>
> 5397061f4268bdcc106ada8724d2cc21
> 3ddd04f4d4c2a1b2e91630ea909b74e9f8607554
> 9a9eec3f5fa24f1ccf7cf47effc0a5d1f5dad12e22b61c8e4a6552dc4345a4c1
>
> 13fc7553b8e2979942a95f6ff6f16f20
> d74a4f36bead45008d826b3e2b5d9959a2394226
> 769ca66067e3fedff804f454a0b5a9d54dbf85f140de43b8c115f3f0bcdaf74a
>
> 40aefe65ef2371df256a5a17be5c08a2
> dfc4110d62cb9a36f27b2269f3adfa1cee0ee190
> 17ff4d9f7dd44101544023dcd6554c2280f0cf2c779cb7a1f26717467eea25c7
>
> 7d9f52171e286d022e8c2605cab69db7
> a2f3ef73dd41348131a4fc83bb269552c50e8a24
> 91c53eed8ab2e06e46d7e2d2f5fecfa65d29ec4cf9832b3b1690b724a25b10bf
>
> Symantec Norton Antivirus:
> --------------------------
>
> 05ee29971ad88e895fe3fbb2a931cb64
> 344724a09b87ebb0901b4a110855840440b5dd35
> 40494ee480bd1eb946a82d87cdbbad2a55471942b513c7986f1ef07a6a860de8
>
> 5aa3942cfb2854ace70434ffbbaf83ad
> 3b07b9cdbce21fa7c018ffe49ec3e4fb26898e7a
> d9b0d079ee5d79d4791aed1465cf2b5cb69e953bfee6b39a51727bab6bfe0562
>
> Panda Antivirus:
> ----------------
>
> c1ef9b02aa230410db5384b60c43737f
> 6cdbec98c6b2dae754c835cddfd7510a27d6971d
> c7d9e6b1b1a6a99d15bdbc199584a82629b8c2696e052835832c9cdba6575827
>
> a086d36416b40da2556f708ec7839091
> 4dd0d6efea6335af8b49e76a8629cd575f56917a
> 9051df4e9eca261e051097a877aa68c3de568e85e24eb70c4424693018f9cbdb
>
> fb2b41a7c8a25c835052ec788250c285
> 2583a038e47e85a9669f8bb944ccffcf11c21518
> eeb614054a4cc99bb4aa3ac4b5f09f74c630a56ca7931a10b54a8f678eb59e67
>
> Sophos Antivirus:
> -----------------
>
> ac07ed7520c4ff1ae93be01c2dc0a91b
> 69f941d81f8ed9d2a21ff7421d8f658b8bdef67a
> 60471004837929f83c0cd5fa58c51505d0182891b656216b67d2ffa3792371ac
>
> e51333b8106e0cdc7c28e1d360470933
> d3ea44047fde6792e0d451404133dfe37c2701ae
> 8363eb9f3db54839e10edbb5b0f0214425f42a5a67fa7a7f572d161dc6fe4ecb
>
> 1e33c49f7c86d23217f46927d17fcf84
> 75491f057ef1f7b69ef5431bf1a61ad0ff5765e8
> 68d66831aab022bac9e96e23ba8e1a55b49c392ed54fab9efe0f95d64ddb747c
> Cheers,
> Sergio
>
> --
> Sergio Alvarez
> Security, Research & Development
> IT Security Consultant
> email: shadown@...il.com
>
> This message is confidential. It may also contain information that is
> privileged or otherwise legally exempt from disclosure. If you have received
> it by mistake please let us know by e-mail immediately and delete it from
> your system; should also not copy the message nor disclose its contents to
> anyone. Many thanks.
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave@...ts.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists