Bugtraq mailing list archives

Ethics ?? : Re: local root on linux 2.2.15


From: gerrie () HIT2000 ORG (Gerrie)
Date: Sun, 11 Jun 2000 04:27:15 +0200


----- Original Message -----
From: "Rogier Wolff" <R.E.Wolff () BITWIZARD NL>

Wojciech Purczynski (wp () elzabsoft pl) found this and wrote a
proof-of-concept exploit. He discussed this with the appropriate
people to make sure fixes were available before he would release
the exploit and the story.

In the meantime, hints about this have leaked, and it seems someone
put all the hints together and found out what was going on. By now a
fix is available for the Linux kernel, and the workaround in sendmail.

This story isn't completely true.
I've given the Dutch police -department of cybercrime- proof that the
exploit written by Wojciech Purczynski
was used on the 2 wiped boxes.

I don't know what you mean by 'He discussed this with the appropriate
people' and '...hints about this have leaked...',
but the 'proof of concept' exploit which he wrote was in the hands of
Dutch scriptkiddies.

I think that there's nothing ethical about how this bug came to the
surface.
It also isn't true that hints about this were leaked -not to me-; a
reconstruction of facts, 7 hours of disk editing and the quick analysis
of those facts by Peter van Dijk did the job.

I think that this case is an example of why we need international rules. I
don't think it's good to have bugs living their own lives, being
distributed within a community where there are people with a clue and real
clueless people -like criminals/scriptkiddies-.
If cases like this one become more frequent, I think that governments
are going to take action to prevent zero-day exploits coming into the hands of
the wrong people. (And do we need that/want that ?!?)

I think that every software company/developer who gets information about a
bug must ask the finder of that bug to prevent it from leaking into the
wrong hands.

In my case the damage it caused was a few thousand dollars, but from the
data I've collected and given to the police, it was a question of time
before the damage -to other organisations/companies- was millions of
dollars.

By quickly -and in my opinion correctly- finding the facts, and informing the
administrators who were targeted (and this community), we have prevented
a lot of damage.

In fact the advisory I mailed to bugtraq wasn't completely correct.

Hopefully we hack this problem, someday.

gtx,
Gerrie Mansur
HIT2000
