[Full-Disclosure] remote kernel exploits?

From: Blake Frantz (blake@mc.net)
Date: 09/18/02

From: blake@mc.net (Blake Frantz)
Date: Wed, 18 Sep 2002 10:00:50 -0500

> - I have not seen any incident reports on Incidents, or any other
> mailing list for that matter.
> - You'd think several high profile sites would've been attacked
> already with such devastating exploits, but
> I've seen no reports of this. In fact, if the kids really did have such
> an exploit, you'd think they'd tag
> their h4ndl3z all over high profile sites. But according to Alldas,
> high profile defacements have been
> virtually nonexistent in the last year or so.
> - Given the skill required to craft such an exploit, I'd think it
> would be way out of the grasp of the kids.
> Since no researcher has come
> forth with such a vulnerability, it's logical to conclude that this does

I'll begin by saying that I am not confirming or denying such an exploit
exists, simply playing devil's advocate.

As you mention in your 3rd point, the skill required to discover and
develop a working exploit for such a vulnerability is far greater than
the skill level of a script kiddy. With that in mind, wouldn't it be
safe to make the assumption that the people (hypothetically) using this
exploit are equally skilled in hiding their presence on the machine?
Furthermore, what type of 'incident' would be reported? Interface
problems? A web defacement? I woefully disagree that the person(s) who
developed an exploit of this magnitude are going to use it to deface
websites. Web defacements are generally the acts of RDS-abusing script
kiddies, whom you yourself stated would not be the source of this
exploit. IMHO, suggesting that a person of this technical caliber
would use their skill to deface websites for pure limelight is like
suggesting a world class brain surgeon would expect a Nobel prize for
applying a butterfly bandage. Additionally, script kiddies generally do
not understand the legal ramifications of defacing 'high profile'
websites that have the bankroll to litigate. It's been my experience
that people of the skill level required to develop such an exploit are
very aware of possible consequences. If such an exploit exists, I would
expect exactly what is happening now. Nothing but speculation possibly
derived from someone leaking info.

In short, you cannot conclude that something does not exist simply
because you have not found it.