[9706] in bugtraq


Re: [HERT] Advisory #002 Buffer overflow in lsof

daemon@ATHENA.MIT.EDU (johann sebastian bach)
Sun Feb 21 21:14:52 1999

Date: 	Fri, 19 Feb 1999 15:33:51 PST
Reply-To: johann sebastian bach <jsb4ch@HOTMAIL.COM>
From: johann sebastian bach <jsb4ch@HOTMAIL.COM>
To: BUGTRAQ@NETSPACE.ORG

if you are an advocate of computer security, it makes logical sense to
notify the vendor of the program before you notify a sea of potential
exploiters, *regardless* of whether or not the potential exploiters know
of the problem (why blindly assume that they do?).

from the point of view of advocates of computer security, full
disclosure shouldn't be regarded as some sort of golden truth, rather, as
a tool to learn from mistakes made in the past.  in accordance, vendors
should be allowed to patch a bug before its existence and exploit code
is plastered all over internet mailing lists (sure, small circles of
hackers may have been exploiting this bug for years, but a small circle
of hackers is a far different problem than the sea of script kiddies who
don't even know how to use unix, but will then have access to the
exploit).

exploit code should not spawn a shell and give full access to the
machine. if exploit coders would only release exploits that write(1,
"hello world".. the root compromises out there would drop by 99%
guaranteed.  exploit code should be an EXAMPLE to prove that a bug is
exploitable, not an instant ticket to root access on thousands of hosts
for people who barely know how to use a computer.

i could care less about computer security aside from the fact that i
would like access to as many hosts as possible.  i make these points
because many so-called hackers out there think they're fighting for some
golden cause by releasing potent exploit code, or mailing stupid
advisories to bugtraq to claim their fame before even notifying the
coders of the application in question.

>From owner-bugtraq@netspace.org Fri Feb 19 11:15:53 1999
>Date:	Thu, 18 Feb 1999 16:46:17 -0800
>Reply-To: route@RESENTMENT.INFONEXUS.COM
>Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
>From:	route@RESENTMENT.INFONEXUS.COM
>Subject:      Re: [HERT] Advisory #002 Buffer overflow in lsof
>X-To:         spaf@CS.PURDUE.EDU
>To:	BUGTRAQ@NETSPACE.ORG
>In-Reply-To:  <199902181724.MAA15115@dorsai.cs.purdue.edu> from "Gene Spafford"
>              at Feb 18, 99 12:24:52 pm
>
>[Gene Spafford wrote]
>|
>| People who publish bugs/exploits that are not being actively exploited
>| *before* giving the vendor a chance to fix the flaws are clearly
>| grandstanding.  They're part of the problem -- not the solution.
>|
>
>    Who is to say the vulnerability in question was NOT being exploited
>    prior to release?  Odds are it was.  Bugtraq is a full-disclosure list.
>    The `problem` as you succinctly put it is in *non-disclosure*.  While
>    it is still questionable whether or not the original posters found the bug
>    themselves (the advisory lacked any technical detail) calling them part of
>    the problem is a misfire of your disdain (attacking them on the content
>    of the advisory --or lack thereof-- is a much better call).  The problem,
>    in this case, would be the malevolent individual(s) breaking into your
>    machine exploiting this bug (before or after it was disclosed).
>
>    Don't shoot the messenger.
>--
>I live a world of paradox... My willingness to destroy is your chance for
>improvement, my hate is your faith -- my failure is your victory, a victory
>that won't last.
>

