Bugtraq mailing list archives

Re: Very probable remote root vulnerability in cfengine


From: Shaun Clowes <shaun () securereality com au>
Date: Tue, 3 Oct 2000 08:48:52 AEST

> As you can set %s%s%s freely, and it's passed almost without checking
> as-is to syslog(), it shouldn't be too difficult for Joe
> Hacker to exploit this.
>
> EXPLOIT:
> --------
>
> Not my business; I'm sure someone will produce one sooner or later though.


As a member of the 'security community' I can say that I certainly appreciate
each and every security vulnerability that is discovered and reported by everyone.
If security one day becomes a priority and people are aware of the issues, the
Internet will be a much safer place.

Having said that, this particular advisory is an example of something I find
extremely frustrating. This bug in particular is almost certainly remotely
exploitable; I'd agree with this. However, I don't think that makes life very
fair for the average systems administrator. If she reads the advisory, she is
told it should be vulnerable, not that it is. This could lead her to having to
upgrade a service, possibly on a critical machine, for no reason if the problem
is found to be non-exploitable.

The security community is in great danger of being a victim of its own sensationalism.
Reports of problems that don't really confirm an issue are like the story of
the 'boy who cried wolf'. There may or may not be a wolf, but if enough times
reports like this are released which turn out not to be exploitable, massive
amounts of credibility (along with sysadmin sleep) are lost. Eventually it leads
to advisories being ignored en masse.

I completely understand that some people are not capable of/interested in creating
exploits for problems they find. However, it is important that SOMEONE does
before the problem is announced. I'm sure the VULN-DEV mailing list can help
here; I know my company (SecureReality) is more than willing to help with investigating
problems people have found, and I'm sure most of the other security groups/teams
would be willing to also.

In the case of SecureReality, we ensure we successfully exploit every problem
we report, from buffer overflows to CGI input validation. Some would say security
companies have no place in writing exploits; I couldn't disagree more. We write
exploits all the time, not to hand to script kiddies but to verify problems
we find; we have no intention of ever publishing any exploit we've written.


The security industry is full of sensationalism, which may scare people, but
given time it'll only annoy them.

I'd also just like to say that this particular advisory is fairly well done
in that it successfully shows that there is an extremely high probability of
the problem being exploited; this rant is more a result of the continual stream
of vague advisories flowing onto lists like this.

Cheers,
Shaun
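The bug class the quoted advisory describes (attacker-controlled text reaching syslog() as the format argument rather than as data) is easy to show and easy to fix. The example below is added here for illustration; it is not cfengine's code and does not claim to reproduce its call site. It keeps the vulnerable pattern only as a comment, shows the one-token fix (a literal "%s" format with the untrusted string as an argument), and includes a small audit helper that counts the printf directives an unsafe call would have interpreted. The function names, the constructed input and the buffer-based render_safe() variant are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Illustrative example, not cfengine's code: the format-string bug class
 * the advisory describes, and the fix a maintainer would apply. */

/* VULNERABLE PATTERN (reference only; deliberately never called):
 * untrusted text used as the *format* string means every '%' directive in
 * it is interpreted by the logger, which is undefined behaviour and the
 * root of format-string vulnerabilities.
 *
 *   void log_unsafe(const char *untrusted) { syslog(LOG_INFO, untrusted); }
 */

/* HARDENED PATTERN: fixed literal format, untrusted text passed as data. */
void log_safe(const char *untrusted)
{
    syslog(LOG_INFO, "%s", untrusted);
}

/* Same fix on a buffer-producing function so the effect is observable
 * without a syslog daemon: the untrusted string is copied verbatim and its
 * '%' characters are never interpreted. Returns snprintf's result. */
int render_safe(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "client said: %s", untrusted);
}

/* Audit helper: count printf-style directives in a string, i.e. what an
 * unsafe call would have interpreted. "%%" is a literal percent and is not
 * counted. A non-zero result on attacker-controlled input is the red flag. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* skip the escaped "%%" pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample input, echoing the "%s%s%s" from the advisory. */
    const char *sample = "host %s%s%s %x";
    char buf[128];

    render_safe(buf, sizeof buf, sample);
    printf("rendered safely: %s\n", buf);
    printf("directives an unsafe call would interpret: %d\n",
           count_format_directives(sample));
    log_safe(sample);   /* goes to syslog unchanged, no interpretation */
    return 0;
}
```

For detection in a code base, this is exactly the pattern GCC and Clang flag with `-Wformat -Wformat-security` (a non-literal format string with no arguments), so turning those warnings into errors in the build catches new instances before they ship.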
