Bugtraq mailing list archives
Re: Very probable remote root vulnerability in cfengine
From: Scott Gifford <sgifford () TIR COM>
Date: Tue, 3 Oct 2000 04:06:46 -0400
Shaun Clowes <shaun () securereality com au> writes:
> > As you can set %s%s%s freely, and it's passed almost without checking as-is to syslog(), it shouldn't be too difficult for Joe Hacker to exploit this.
> >
> > EXPLOIT:
> > --------
> > Not my business; I'm sure someone will produce one sooner or later though.
>
> As a member of the 'security community' I can say that I certainly appreciate each and every security vulnerability that is discovered and reported by everyone. If security one day becomes a priority and people are aware of the issues, the Internet will be a much safer place.
>
> Having said that, this particular advisory is an example of something I find extremely frustrating. This bug in particular is almost certainly remotely exploitable, I'd agree with this, however, I don't think that makes life very fair for the average systems administrator. If she reads the advisory, she is told it should be vulnerable not that it is. This could lead her to having to upgrade a service, possibly on a critical machine for no reason if the problem is found to be non exploitable.
Just so that nobody thinks that this is the opinion of the entire list, I disagree with this pretty violently. I would much rather see a report of a potential or likely bug well before an exploit is written, so that the software is fixed and I'm upgraded *before* script kiddies have started taking advantage of this exploit.

I think that the idea that if there is no exploit you shouldn't bother to upgrade is flawed; if there is a bug that looks like there's even a small chance it could be exploited, it should be fixed and systems upgraded as soon as possible; otherwise, there's a good chance that somebody with more time on their hands than the original discoverer will find the problem, and figure out an exploit.

The solution to users seeing so many advisories that they start to ignore them is to use systems that are easy to upgrade, so that a user doesn't have to much care whether a bug is likely to be exploitable; they just upgrade their software as a matter of routine when security-related upgrades are available.

Just my 2 cents,

-----ScottG.
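The advisory quoted in this thread describes attacker-controlled text reaching syslog() as its format argument. As an added example (not code from the advisory, from anyone in the thread, or from cfengine), this C sketch shows the hardened calling pattern next to that one; the helper names `count_directives`, `escape_percent` and `log_untrusted` and the sample string are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <syslog.h>

/* Count printf-style directives in untrusted text; "%%" is a literal
 * percent sign and is not counted. Useful when auditing log inputs. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;        /* skip the escaped percent */
        else
            n++;        /* "%s", "%n", "%08x", or a trailing '%' */
    }
    return n;
}

/* Double every '%' so the text stays inert even where a legacy API
 * insists on a format string. Returns 0, or -1 if dst is too small. */
int escape_percent(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0)
        return -1;
    for (; *src; src++) {
        size_t need = (*src == '%') ? 2 : 1;
        if (o + need >= dstlen)
            return -1;
        if (*src == '%')
            dst[o++] = '%';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return 0;
}

/* Pattern the advisory describes (untrusted text as the format):
 *     syslog(LOG_ERR, msg);
 * Hardened form: the untrusted text is only ever an argument. */
void log_untrusted(const char *msg)
{
    syslog(LOG_ERR, "%s", msg);
}

int main(void)
{
    const char *sample = "%s%s%s";   /* constructed input */
    char safe[32];
    if (escape_percent(sample, safe, sizeof safe) == 0)
        printf("%zu directive(s), escaped: %s\n", count_directives(sample), safe);
    log_untrusted(sample);
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` makes GCC and Clang flag calls that pass a non-literal string as the only format argument, which is the pattern shown in the comment above `log_untrusted`.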