Bugtraq mailing list archives
Ethics ?? : Re: local root on linux 2.2.15
From: gerrie () HIT2000 ORG (Gerrie)
Date: Sun, 11 Jun 2000 04:27:15 +0200
----- Original Message -----
From: "Rogier Wolff" <R.E.Wolff () BITWIZARD NL>

Wojciech Purczynski (wp () elzabsoft pl) found this and wrote a proof-of-concept exploit. He discussed this with the appropriate people to make sure fixes were available before he would release the exploit and the story. In the meantime, hints about this have leaked, and it seems someone put all the hints together and found out what was going on. By now a fix is available for the Linux kernel, and the workaround in sendmail.
This story isn't completely true. I've given the Dutch police (department of cybercrime) proof that the exploit written by Wojciech Purczynski was used on the 2 wiped boxes. I don't know what you mean by 'He discussed this with the appropriate people' and '...hints about this have leaked...', but the 'proof of concept' exploit which he wrote was in the hands of Dutch scriptkiddies. I think that there's nothing ethical about how this bug came to the surface. It also isn't true that hints about this were leaked (not to me); a reconstruction of facts, 7 hours of disk editing and the quick analysis of those facts by Peter van Dijk did the job.

I think that this case is an example of why we need international rules. I don't think it's good to have bugs living their own lives and being distributed within a community where there are people with a clue and really clueless people (like criminals/scriptkiddies). If cases like this one become more frequent, I think that governments are going to take action to prevent zero-day exploits from coming into the hands of the wrong people (and do we need that/want that ?!?). I think that every software company/developer who gets information about a bug must ask the finder of that bug to prevent it from leaking into the wrong hands.

In my case the damage it caused was a few thousand dollars, but from the data I've collected and given to the police, it was a question of time before the damage (to other organisations/companies) was millions of dollars. By quickly (and in my opinion correctly) finding the facts and informing the administrators who were targeted (and this community), we have prevented a lot of damage. In fact the advisory I mailed to Bugtraq wasn't completely correct. Hopefully we hack this problem someday.

gtx,
Gerrie Mansur
HIT2000