Full Disclosure mailing list archives

Re: re: openssh exploit code?


From: mitch_hurrison () ziplip com
Date: Mon, 20 Oct 2003 06:13:31 -0700 (PDT)

Hi Attica,

Let me break it down some more for you:

1) You rely on other people to give you the information
needed to exploit the bug.
2) You've clearly stated that you are incapable of determining
possible exploitation yourself.
3) You acknowledge that the bug has already been publicly
recognised, or fully disclosed if you will, as being a 
security issue. With full details of the bug and full source
available.

All of the above combined leads me to believe you're just 
another run-of-the-mill info-sec "professional" with a 
hard-on for the "dark side". Fact remains you have absolutely
no need for this exploit. Who am I to decide this? I'm not
deciding anything, I'm drawing a logical conclusion.

Explain to me how "fully disclosing" exploit code for this
bug would in any way further the full disclosure process
you seem to hold so dear. From where I'm standing the fact
that all bug details are out there and that the full range
of possible security ramifications has been recognised, covers
the full range of "full disclosure" and its intended purpose.
Of which, granted, I'm not a fan.

Again, as to your argument that you want to find out "how this bug works".
You have the full bug details available. Somehow I doubt you've
even been able to trigger the memset crash. It's your high-school-esque
"do my homework for me" attitude which I find so offensive.

So let's recap again.

1) You have the full bug details.
2) You have the full openssh source code.
3) You have confirmation that it is exploitable.
4) You lack the skill to research and write the exploit.

I don't give a flying fuck about whether you can hold your own
in "other areas". I said it before, and I'll say it again.
If you can't write the exploit, you don't need the exploit.
So please do tell, why on earth would you want an exploit
for this bug? And what does disclosing an exploit have to 
do with the full disclosure of a security issue? Please
fully disclose your motivation to me. 

You think it's your right to ask for exploit code? You think
it's your right to leech off of the hard work of others stolen
by some ignorant bastard or leaked by some fame seeking whore?
Oh the arrogance of full disclosure. Woe is you my friend, I
can only hope someday you'll see the errors of your ways. 

With regards,
Mitch
 

-----Original Message-----
From: S . f . Stover [mailto:attica () stackheap org]
Sent: Monday, October 20, 2003, 5:17 AM
To: mitch_hurrison () ziplip com
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] re: openssh exploit code?

On 20 Oct 03 03:28:02AM mitch_hurrison () ziplip com[mitch_hurrison () ziplip com]
wrote:
: That's a fine example of the whitehat leech mentality you're
: displaying there. Why do you insist on being so dependent on
: other people's findings?

Not really - just interested in seeing what other people had found.  I don't
think that qualifies as "dependence".  BTW, I thought "whitehat" implied
non-disclosure, which isn't really the direction I'm coming from.

: You're supposed to be some sort of
: "security" expert no?

I've never made such a claim - on this list or any other.

: Well here's an idea, how about you go
: research the bug yourself and base any conclusions on exploitability
: on that. Instead of begging the people who put in the work
: to disclose their research. What is the added value of anyone
: disclosing an exploit to you? 

Actually, I *am* researching the bug myself.  I didn't realize that asking the
community for assistance in that research was such a problem.  My most
insincere apologies to you.

: A) You know the bug exists. 

True.

: B) You know it's probably a good idea to patch it. 

Already done.  However, the more I know about the bug itself the better I can
learn to assess the patch, as well as further issues.

: So I don't see what the big deal is with it being exploitable
: or not.

Ok - so why bother flaming me?

: The fact that you don't have the skills to independently research and
: exploit the ossh nul overflow has no bearing on the
: fact that you should patch your openssh daemons.

I don't really think you are really in a position to assess my skills.
Regardless, I do believe that this is precisely the point.  I want to learn
more about how this exploit works.  If there is working code out there that I
can learn from, why not ask?  If people don't want to give up their code -
that is perfectly fine with me.

: So unless you
: plan on owning a bunch of boxen mr. stackheap (!?)

That is definitely not my intent - the people who know me realize this.  The
people who don't can hold on to their code.  Again, this is OK with me.

: I don't see
: why the likes of you would need any confirmation or even working
: exploit code. Disclosing an exploit would at this stage only
: cause a lot of senseless hacking. 

I frankly don't give a shit whether you see benefit in this or not.  This is a
full-disclosure list.  If I want to ask others for help in this area, I feel
that is my right.  Conversely, I understand and respect the right of everyone
else out there to either help me or not.

: But to put your mind at ease. Yes it is exploitable.

Ahhh - thank you so much.  I will sleep better now knowing that you have eased
my pains of doubt.

: Will you
: get an exploit from me? Hell no.

Fine - all you had to do then was shut the hell up.  If you have exploit code
and don't want to give it to me - THAT IS FUCKING FINE WITH ME.

: And I doubt that anyone who
: put in the research time would just give up their work like
: that.

Again, this is their right, and I understand it.  I'm glad that you took it
upon yourself to speak for the list though.

: There is absolutely no justification for the public disclosure
: of an exploit for this issue. It's been recognised as a security
: issue and people have been advised to patch.

Who are you to make such a decision?

: Again, putting an
: exploit in the hands of the greedy and clueless is not something
: I would want to be responsible for.

Neither would I - but then again we seem to be in a bit of disagreement as to
whether or not I am "greedy and clueless".  <shrug> You've never met me, nor
spoken to me, that I know of, so how can you assess?  Besides, it's not like
other exploit code hasn't made it to this list.  It is FD after all.

: And I doubt any sensible
: person would release an exploit for this issue. Be it only because
: successful exploitation of the bug requires abuse of a lesser
: but still unknown issue which ensures a favorable heap layout.
: 
: I seriously hope no one falls for the trap of releasing exploit code
: to "prove" a point. Ignorance is bliss. If you can't write the
: exploit, you don't need the exploit. End of story.

I disagree - not everyone is a coding god like you evidently.  There are those
of us in the security field with competencies in other areas.  This does not
diminish a desire or need to learn new things.

I'm a bit stumped here - I thought FD was FD.  But now it's only FD when you
want it to be?

: With regards,

Yeah, right. 8-)


~S


-- 

aka Dolph Longhorn
attica () stackheap org
GPG Key ID: 0xF8F859D0
http://pgp.mit.edu:11371/pks/lookup?search=0xF8F859D0&op=index

"There is no such thing as right and wrong, there's just popular opinion."
-Jeffrey Goines

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html