lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 14 Dec 2013 01:03:55 -0400
From: Pedro Luis Karrasquillo <>
To: "" <>
Subject: Re: <b>Where are you guys standing re: the (full)
 disclosure question?</b>

Ok. is not accepting Server 2k8 DNS bugs, and I did not find a specific place in TechNet to report either. Felt like going in circles between MS Contact Us page and the 
Maybe you are right, I may lack a certain level of patience... 
Went ahead and started a chat session with MS support. It went like this:

General Info 
Chat start time  Dec 13, 2013 11:34:07 PM EST 
Chat end time  Dec 13, 2013 11:46:23 PM EST 
Duration (actual chatting time)  00:12:15 
Operator  Germaine 
Chat Transcript 
info: Please wait for an agent to respond.  You are currently '1' in the queue.
info: Privacy Statement 
 You are now chatting with 'Germaine'.
Germaine: Thank you for contacting Microsoft Customer Service chat. This chat service is designed to assist you with site navigation, technical support case submission, and customer service questions.  
Germaine: If you need technical support, I can provide you with your support options or help you submit your case to the appropriate support professional who can work with you to resolve your issue. 
Germaine: How may I help you, Pedro?
pedro: are you a human?
Germaine: Yes, I am. How can I help you?
pedro: i want to submit a bug report for Windows Server 2008 R2 DNS server
pedro: it has a flaw
Germaine: You have 2 options:
Germaine: Either you submit it through our Microsoft Technet Forums or
pedro: connect.micro is not accepting bugs for 2008
pedro: and technet has nowhere to submit bugs either. already checked.
pedro: unless it is out of the way.. I am a security researcher. I plan to disclose.
Germaine: Let me check my resources.
Germaine: Reporting a bug, Pedro, can be through U.S. Mail, Support Incident and Product Feedback Tool.
Germaine: For U.S Mail, mail your report to Attn: Development Group , Microsoft Corporation, One Microsoft Way, Redmond, WA 98052.
Germaine: To use Support Incident, if you have a subscription with technical benefits, you may submit a case and our Support Professional will take a look at it.
Germaine: For Product Feedback Tool, you may visi Windows Server 2008 R2 Product Support page and provide a feedback.
Germaine: You may reach our Support professional by following this link: 
Germaine: Submit an Incident - Online Assisted Support
pedro: i do not have a subscription, sorry.
Germaine: Well, you can do the other two options: U.S. Mail & Product Feedback Tool.
pedro: I may have to just publish. I hate to see Windows DNS servers being used for DDoS attacks so easly, you know? With it being an easy fix and all.
pedro: Thank you, Germaine.
Germaine: You're welcome, Pedro.
Germaine: If there's nothing else, I will close this session now.
Germaine: Thank you for using Microsoft Customer Service chat.  
Germaine: Have a good one, Pedro! 
I read all of the responses to this thread so far and I appreciate all your opinions. 
After the chat with MS rep, I feel like disclosing. For one, the bug is not a huge deal, just annoying that your server can be used to help in DDoS someone so easily, and two, MS did not seem interested in bugs for last gen products.
Date: Sat, 14 Dec 2013 02:52:33 +0000
Subject: Re: [Full-disclosure] <b>Where are you guys standing re: the (full) disclosure question?</b>

Q: 1. should I tell MS first?
A: Microsoft is just a big company - there are good guys(my good friend was there), and there are bad guys(who think too much about money, etc). So, it's up to you whether you email secure@ms. Another factor: it can take months for a bug to be fixed(first MSRC checks it, then product team fixes it, then release - all steps take a lot of time). Guninski "give them a few seconds" - if you want to work with Microsoft, you got to be a little patient.

Q: 2. being this is possibly my first bug as a researcher, will this get me into trouble (legal or otherwise)?
A: No, publishing before fix will not get you into trouble. Guninski "if they sue you" - they won't sue you(Guninski did it before on Microsoft products, and he is fine). 

Q: 3. will this make me a rock star?
A: Ah, this depends on the impact.


On Fri, Dec 13, 2013 at 3:08 PM, Georgi Guninski <> wrote:

On Thu, Dec 12, 2013 at 10:02:55PM -0400, Pedro Luis Karrasquillo wrote:

> Humans, Dwarves, Elves, Fairies and all free folk on this list:


> Meli Kalikimaka.


> I think I found a relatively small bug with Windows Server running DNS with recursion turned off, that still allows the server to be used for DDOS amplification attacks. There are a sizable number of these on the net, and I do not think operators realize that the server is not totally silent with recursion turned off.

> I want to put my findings here on the list, as well as on my blog but I am unsure if :


> 1. should I tell MS first?

if you ask me definitely no.

or at most give them a few seconds.

> 2. being this is possibly my first bug as a researcher, will this get me into trouble (legal or otherwise)?

if they sue you, I suppose this will make you a star for some time.

IANAL, so take care.

> 3. will this make me a rock star?


> I have details on the bug, as well as remediation steps. I would not say I "discovered" it per se, as I found it while studying an attack on a network I protect, but I do not see it documented anywhere either.


> What say you, Wise List Readers?


> _______________________________________________

> Full-Disclosure - We believe in it.

> Charter:

> Hosted and sponsored by Secunia -


Full-Disclosure - We believe in it.


Hosted and sponsored by Secunia -

Content of type "text/html" skipped

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists