RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

From: Schmehl, Paul L (pauls_at_utdallas.edu)
Date: 10/21/03

    Date: Tue, 21 Oct 2003 10:08:39 -0500

    > -----Original Message-----
    > From: mitch_hurrison@ziplip.com [mailto:mitch_hurrison@ziplip.com]
    > Sent: Tuesday, October 21, 2003 2:23 AM
    > To: Schmehl, Paul L
    > Cc: full-disclosure@lists.netsys.com
    > Subject: Re: [Full-Disclosure] No Subject (re: openssh exploit code?)
    >
    > Again, what is it about your personality that makes you
    > incapable of taking part in an adult discussion of
    > responsible disclosure issues? Is it that anyone who has a
    > different opinion than yours is automatically not worth your
    > time? That sounds kind of nazi-like to me Mr. Schmehl.

    Oops! Godwin alert!

    Mitch, I've taken part in quite a few adult discussions. In this one I
    deliberately choose to mirror your behavior on the list. I know you
    won't see that or agree with it, but others will. You come across as an
    arrogant, condescending jerk who thinks they're superior to 99.99% of
    the people on this list. How do you think people should react to that?
    By cheering you?

    If you're such a great coder that you can figure out exploits when no
    one else can, yet you're unwilling to share even the *theory* behind
    them to this list, then why do you bother posting about it? Logically,
    the only reason can be to inflate your own image and ego. It's like the
    little kid who taunts the others at school because he knows something
    that they don't.
    >
    > It's quite saddening to see this list turn into a pack of
    > hungry salivating fools at even a hint of an exploit for this
    > issue. You seem to have more of a hardon for the "juarez"
    > than any "kiddie" I've ever met. Even when trying to debate
    > some of the issues surrounding the disclosure of such a
    > potentially devastating exploit all one gets is "yeah, yeah.
    > Now make with the warez".
    >
    I can't speak for others, but I really could care less about the
    exploit. That's not where my interests lie. Coding bores me, and I
    only do it when I have to, to solve a problem. "Slaving away" over
    code, as security snot whined about, is not my idea of time well spent.
    I also don't have any aspirations at mastering quantum physics, but I
    *do* expect the physicists to treat me with the same respect with which
    I treat them.

    If you don't like being treated like a jerk, then don't act like one.
       
    > As far as it being "easy" to exploit. No it isn't. You have
    > to abuse a lesser issue, a memory leak to be more precise, to
    > get a heap layout that will allow you to survive the initial
    > memset without landing in bad memory. Now without going into
    > details anyone who manages to survive the initial memset
    > should be able to debug the crash to the point of
    > exploitation. This is manageable on at least Linux IA32 systems.
    >
    Now this is useful information, which you *could* have shared a long
    time ago, sans attitude.

    > Now I'll try and bring my original point forward one last
    > time, although I fear it will just call for more immature
    > commentary from the likes of Paul Schmehl.
    >
    > There is no need for anyone to release this exploit. It will
    > change nothing about the fact that you need to upgrade your
    > daemons. It will change nothing about the bugdetails already
    > published. There is no reasoning for it other than "but I
    > want to learn how to do it".

    This is where you go off the track. You clearly don't understand how
    networks and infrastructures work. As others have already pointed out
    to you, *some* systems can't be taken offline "just" to patch a
    *possible* exploit. Yeah, I know that there's a group of folks that
    freak out when they hear that. But in the real world, decisions about
    taking critical systems down are based on a *number* of factors, not
    *just* on whether or not a patch has been released. So, when people cry
    "It's exploitable" but no clear explanation of why is forthcoming,
    admins tend to discount the claims, chalking them up to more FUD. After
    all, there are guys (like security snot did) who will claim they "0wn"
    you all day long. Where's the proof? Talk is cheap.

    You don't have to release any code to explain the problem. You can
    write a paper, like Aleph did in "Smashing the Stack....", which
    explains the *theory* behind the problem without providing any usable
    code for "kiddies". Or you can provide some details of the theory, as
    you have above, that will point others in the right direction.

    > And sorry but that's just not
    > good enough to warrant the mayhem that will ensue when an
    > exploit like this is released. So if you in your academic
    > pursuits decide to tackle this problem. By all means go right
    > ahead. But I think anyone who's discovered the real impact of
    > this bug will realise that disclosing the exploit to the
    > general public is highly irresponsible.
    >
    This, of course, flies in the face of the entire purpose of this list,
    but I'll leave that argument to others.
    >
    > So instead of trying to poke fun at me Paul, why don't you do
    > your duty as a knight of Full Disclosure and provide the good
    > people of this list with a definite analysis on the ossh 32k
    > nul heap munging? (buzzword quota filled).
    >
    Oh, I'm not poking fun at you at all, Mitch. I'm mirroring your
    attitude and behavior on the list. I hope you will see that, but who
    knows.
    >
    > There is simply no need for exploits, especially not one that
    > would affect people and nations around the globe. You have to
    > look beyond your own little egocentric world of friendly
    > exploit dev and "but it's fun", and take a look at the bigger
    > picture.
    >
    Again, you miss the point entirely. The folks that have asked you for
    more information are not looking for "fun". They are trying to make
    real life decisions about taking down critical systems for **unscheduled
    downtime** to patch them. You fail to understand that many admins can't
    simply take a system down because Mitch says they should. They need
    solid arguments to take to their bosses to explain why this particular
    system needs to be downed *today* rather than waiting for a regularly
    scheduled maintenance window. When a worm comes out, it's a no-brainer.
    (But even then sometimes the bosses don't believe you until they've been
    burned at least once.) But admins can't take systems down every time
    someone cries "Patch now! This is exploitable!"

    I personally would prefer that every system gets patched the day the
    patch is released. The reality is that it just doesn't happen that way.
    When a professor is in the middle of a major experiment and you tell him
    you have to take his system down *now*, what do you think his reaction
    is going to be? If he's running a four day simulation, and you ask
    him on day three, you aren't going to get a positive reaction. There's
    a lot more to taking systems offline to patch them than the word of
    someone on this list.

    Try to think outside your own small box.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/~pauls/

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

