[71206] in North American Network Operators' Group


Re: AV/FW Adoption Studies

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Jun 10 17:58:28 2004

To: EKR <ekr@rtfm.com>
Cc: Paul G <paul@rusko.us>, "'Nanog'" <nanog@merit.edu>
In-Reply-To: Your message of "Thu, 10 Jun 2004 13:50:47 PDT." <kj4qpjrvbs.fsf@romeo.rtfm.com>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 10 Jun 2004 17:56:01 -0400
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, 10 Jun 2004 13:50:47 PDT, Eric Rescorla said:

> I'm asking the question:
> If you find some bug in the normal course of your operations
> (i.e. nobody told you where to look) how likely is it that
> someone else has already found it?
> 
> And you're asking a question more like:
> Given that you hear about a bug before its release, how likely
> is it that some black hat already knows?
> 
> I think that the answer to the first question is probably
> "fairly low". I agree that the answer to the second question is
> probably "reasonably high".

Third case:  Exploit in one package identified because of info from a similar
exploit against some *other* package....

Back in March 2000, I spotted a rather nasty security bug in
Sendmail (fixed in 8.10.1) when running under AIX or SunOS.   Since the problem
is a documented *feature* of the system linker, a *lot* of software had the
problem - and the Sendmail release notes give enough info to make it "game
over".  At that point, the 3 big things left were (a) writing a general-case
exploit (trivial if you use another one of the basic design goals of
the AIX linker against itself), (b) creating a shell one-liner to identify
vulnerable programs, and (c) running the script from (b).  Of the three, (c)
was actually the most time-consuming.

3 years later, another package (OpenSSH) hit the same hole:
http://www.securityfocus.com/archive/1/320149/2003-04-30/2003-05-06/0

And it was a known issue months before I tripped over it:
http://mail.gnome.org/archives/gtk-devel-list/1999-November/msg00047.html

I'd be most surprised if black hats did *not* have an exploit for the
OpenSSH variant, having been pointed at the issue due to my finding a
similar issue in Sendmail.....

And there's *plenty* of evidence that when a novel attack is found, you see
lots of people posting "So I was bored and decided to see what *else* had the
same sort of bug..." (think "buffer overflow" ;)
