Bugtraq mailing list archives
Re: Very probable remote root vulnerability in cfengine
From: Shaun Clowes <shaun () securereality com au>
Date: Tue, 3 Oct 2000 08:48:52 AEST
> As you can set %s%s%s freely, and it's passed almost without checking
> as-is to syslog(), it shouldn't be too difficult for Joe Hacker to
> exploit this.
>
> EXPLOIT:
> --------
> Not my business; I'm sure someone will produce one sooner or later though.
As a member of the 'security community' I can say that I certainly appreciate each and every security vulnerability that is discovered and reported by everyone. If security one day becomes a priority and people are aware of the issues, the Internet will be a much safer place.

Having said that, this particular advisory is an example of something I find extremely frustrating. This bug in particular is almost certainly remotely exploitable; I'd agree with this. However, I don't think that makes life very fair for the average systems administrator. If she reads the advisory, she is told it should be vulnerable, not that it is. This could lead her to having to upgrade a service, possibly on a critical machine, for no reason if the problem is found to be non-exploitable.

The security community is in great danger of being a victim of its own sensationalism. Reports of problems that don't really confirm an issue are like the story of the 'boy who cried wolf'. There may or may not be a wolf, but if enough times reports like this are released which turn out not to be exploitable, massive amounts of credibility (along with sysadmin sleep) are lost. Eventually it leads to advisories being ignored en masse.

I completely understand that some people are not capable of/interested in creating exploits for problems they find. However, it is important that SOMEONE does before the problem is announced. I'm sure the VULN-DEV mailing list can help here; I know my company (SecureReality) is more than willing to help with investigating problems people have found, and I'm sure most of the other security groups/teams would be willing to also. In the case of SecureReality, we ensure we successfully exploit every problem we report, from buffer overflows to CGI input validation.

Some would say security companies have no place in writing exploits; I couldn't disagree more. We write exploits all the time, not to hand to script kiddies but to verify problems we find; we have no intention of ever publishing any exploit we've written.

The security industry is full of sensationalism, which may scare people, but given time it'll only annoy them. I'd also just like to say that this particular advisory is fairly well done in that it successfully shows that there is an extremely high probability of the problem being exploited; this rant is more a result of the continual stream of vague advisories flowing onto lists like this.

Cheers,
Shaun
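The quoted advisory describes a classic format-string bug: attacker-controlled fields are composed into a message and that message is then handed to syslog() as the *format* argument, so any '%' in the fields drives the printf engine. The following is an added illustration (editor's example, not cfengine's code or anything from this thread). It replaces syslog(3) with a hypothetical fake_syslog() that has the same shape but writes into a buffer, so the result can be inspected offline, and the hostile input uses only "%%", which is well defined; feeding "%s%s%s" or "%n" to the unsafe path would be undefined behaviour (a read or write through whatever happens to be in the argument slots), which is exactly the problem.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Hypothetical stand-in for syslog(3): same shape (format + varargs), but the
 * rendered line goes into a buffer instead of the system log so we can assert on it.
 * Deliberately NOT annotated with __attribute__((format(printf,3,4))) so the
 * unsafe caller below compiles silently, as real code often does. */
static void fake_syslog(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

static char g_unsafe[256];
static char g_safe[256];

/* VULNERABLE pattern: fields from the network are formatted into msg, then msg is
 * passed as the format string. The attacker's '%' sequences are interpreted. */
const char *log_unsafe(const char *host, const char *user, const char *req)
{
    char msg[256];
    snprintf(msg, sizeof msg, "denied: host=%s user=%s req=%s", host, user, req);
    fake_syslog(g_unsafe, sizeof g_unsafe, msg);          /* BUG: data used as format */
    return g_unsafe;
}

/* HARDENED pattern: a literal format, with the composed message as a "%s" argument.
 * Nothing the attacker sends is ever parsed as a conversion specifier. */
const char *log_safe(const char *host, const char *user, const char *req)
{
    char msg[256];
    snprintf(msg, sizeof msg, "denied: host=%s user=%s req=%s", host, user, req);
    fake_syslog(g_safe, sizeof g_safe, "%s", msg);        /* OK: msg is an argument */
    return g_safe;
}

/* Triage helper: count printf conversions in a string that is supposed to be plain
 * data. "%%" is a literal percent and is not counted; a lone trailing '%' is. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample request: the attacker controls host, user and req. */
    const char *req = "GET /100%% done";
    printf("unsafe: %s\n", log_unsafe("10.0.0.1", "bob", req));
    printf("safe:   %s\n", log_safe("10.0.0.1", "bob", req));
    printf("conversions in \"%%s%%s%%s\": %d\n", count_conversions("%s%s%s"));
    return 0;
}
```

With the sample input the unsafe path collapses "%%" to "%", proving the message was run through the formatter; the safe path preserves the bytes exactly. The same mechanism is what lets "%s" read memory and "%n" write it when the real syslog() is the sink.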
Current thread:
- Very probable remote root vulnerability in cfengine Pekka Savola (Oct 02)
- Re: Very probable remote root vulnerability in cfengine Ben Collins (Oct 02)
- <Possible follow-ups>
- Re: Very probable remote root vulnerability in cfengine Shaun Clowes (Oct 02)
- Re: Very probable remote root vulnerability in cfengine Sergey Kogan (Oct 03)
- Re: Very probable remote root vulnerability in cfengine David LeBlanc (Oct 03)
- Re: Very probable remote root vulnerability in cfengine Scott Gifford (Oct 03)