Full Disclosure mailing list archives

RE: No Subject

From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 20 Oct 2003 17:08:34 -0500

-----Original Message-----
From: mitch_hurrison () ziplip com [mailto:mitch_hurrison () ziplip com] 
Sent: Monday, October 20, 2003 3:44 PM
To: frank () knobbe us
Cc: full-disclosure () lists netsys com
Subject: [Full-disclosure] No Subject

I think you misinterpreted my argumentation. In my eyes
anyone who is not independently capable of verifying
the exploitability, or atleast devising the theory
behind possible exploitation, of the ossh nul overflow
is a "script kiddie". As you so aptly put it.

So there's the 1% l33ts like you, and then there's the 99% of the human
populace that has other things to do besides squirrel around with code.
I get it.

Now if you're somewhat at home in heap mismanagement bugs
you should know that this issue, provided you have a
favourable heap layout (hooray for memory leaks), 
is exploitable on atleast 
Linux. That's as far as I'll go. Remember apache? One
man's DoS is another man's remote. For god's sake even
ISS believes the issue to be exploitable. And Duke may
be alot of things, stupid he is not. (ok so maybe that's
up for debate, hi Mark!) As far as the PAM issue goes,
that's fucking trivial.


I learned in high school (which was a long long time ago) that there are
those that say they can do something, and then there are those who don't
say anything but do a lot.  You appear to fall into the first category
based on your ramblings.


Now at the end of the day it's neither my duty nor my desire
to release anything. I don't owe you shit. And I'm not about
to post something that took alot of research just to make a 
moot point. Any admin who did not patch their servers using 
"oh it's just a DoS" as justification should be fired on the 
spot. Again, and this is getting tiresome, a bug was 
recognised to be a security issue. Security issues get a 
priority to patch. It'd be a different story if it wasn't 
published as being a security issue.

Once again, another clueless code monkey who "admins" a network of one.
I'm not impressed.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Re: No Subject, (continued)
- - - Re: Re: No Subject Byron Copeland (Oct 21)
    - Re: Re: No Subject Peter Busser (Oct 22)
    - Linux (in)security (Was: Re: Re: No Subject) Peter Busser (Oct 22)
    - Re: Linux (in)security (Was: Re: Re: No Subject) Bruce Ediger (Oct 22)
    - Re: Linux (in)security (Was: Re: Re: No Subject) Darren Reed (Oct 22)
    - Re: Linux (in)security (Was: Re: Re: No Subject) Gary Flynn (Oct 22)
    - Re: Linux (in)security (Was: Re: Re: No Subject) Ron DuFresne (Oct 23)
    - Re: Linux (in)security (Was: Re: Re: No Subject) Paul Schmehl (Oct 22)
    - Re: Linux (in)security (Was: Re: Re: No Subject) Ron DuFresne (Oct 23)
    - Re: Linux (in)security (Was: Re: Re: No Subject) George Capehart (Oct 23)
- RE: No Subject Schmehl, Paul L (Oct 20)