Bugtraq mailing list archives

Re: [HERT] Advisory #002 Buffer overflow in lsof


From: jsb4ch () HOTMAIL COM (johann sebastian bach)
Date: Fri, 19 Feb 1999 15:33:51 PST


if you are an advocate of computer security, it makes logical sense to
notify the vendor of the program before you notify a sea of potential
exploiters, *regardless* of whether or not the potential exploiters know
of the problem (why blindly assume that they do?).

from the point of view of advocates of computer security, full
disclosure shouldn't be regarded as some sort of golden truth, rather, as
a tool to learn from mistakes made in the past.  in accordance, vendors
should be allowed to patch a bug before its existence and exploit code
is plastered all over internet mailing lists (sure, small circles of
hackers may have been exploiting this bug for years, but a small circle
of hackers is a far different problem than the sea of script kiddies who
don't even know how to use unix, but will then have access to the
exploit).

exploit code should not spawn a shell and give full access to the
machine. if exploit coders would only release exploits that write(1,
"hello world".. the root compromises out there would drop by 99%
guaranteed.  exploit code should be an EXAMPLE to prove that a bug is
exploitable, not an instant ticket to root access on thousands of hosts
for people who barely know how to use a computer.

i could care less about computer security aside from the fact that i
would like access to as many hosts as possible.  i make these points
because many so-called hackers out there think they're fighting for some
golden cause by releasing potent exploit code, or mailing stupid
advisories to bugtraq to claim their fame before even notifying the
coders of the application in question.

From owner-bugtraq () netspace org Fri Feb 19 11:15:53 1999
Message-ID: <19990219004617.24816.qmail () resentment infonexus com>
Date:  Thu, 18 Feb 1999 16:46:17 -0800
Reply-To: route () RESENTMENT INFONEXUS COM
Sender: Bugtraq List <BUGTRAQ () NETSPACE ORG>
From:  route () RESENTMENT INFONEXUS COM
Subject:      Re: [HERT] Advisory #002 Buffer overflow in lsof
X-To:         spaf () CS PURDUE EDU
To:    BUGTRAQ () NETSPACE ORG
In-Reply-To:  <199902181724.MAA15115 () dorsai cs purdue edu> from "Gene Spafford" at Feb 18, 99 12:24:52 pm

[Gene Spafford wrote]
|
| People who publish bugs/exploits that are not being actively exploited
| *before* giving the vendor a chance to fix the flaws are clearly
| grandstanding.  They're part of the problem -- not the solution.
|

   Who is to say the vulnerability in question was NOT being exploited
   prior to release?  Odds are it was.  Bugtraq is a full-disclosure list.
   The `problem` as you succinctly put it is in *non-disclosure*.  While
   it is still questionable whether or not the original posters found the bug
   themselves (the advisory lacked any technical detail) calling them part of
   the problem is a misfire of your disdain (attacking them on the content
   of the advisory --or lack thereof-- is a much better call).  The problem,
   in this case, would be the malevolent individual(s) breaking into your
   machine exploiting this bug (before or after it was disclosed).

   Don't shoot the messenger.
--
I live a world of paradox... My willingness to destroy is your chance for
improvement, my hate is your faith -- my failure is your victory, a victory
that won't last.


