Re: No Subject (re: openssh exploit code?)

[Peter Busser <peter () adamantix org>]

Hi!

> As far as it being "easy" to exploit. No it isn't. You have to
> abuse a lesser issue, a memory leak to be more precise, to get
> a heap layout that will allow you to survive the initial memset
> without landing in bad memory. Now without going into details
> anyone who manages to survive the initial memset should be able
> to debug the crash to the point of exploitation. This is managable
> on atleast Linux IA32 systems. 

> There is no need for anyone to release this exploit. It will change
> nothing about the fact that you need to upgrade your daemons. It
> will change nothing about the bugdetails already published. There
> is no reasoning for it other than "but I want to learn how to do it".
> And sorry but that's just not good enough to warrant the mayhem that
> will ensue when an exploit like this is released.

I think you are right here. Having the exploit doesn't make the bug more or
less exploitable. I'm really impressed that people are able to exploit such a
bug.

However, it still makes me wonder: What to do about this kind of problems?
Patching OpenSSH is one thing of course, but there are bound to be more
problems like this that are not known at this moment. Would it be sufficient to
tighten up the malloc implementation? Or is more than that needed?

> Now on a larger scale, I think it's rather foolish to cop an attitude
> that assumes anything that doesn't exist in the public eye isn't
> possible. It reeks of the same arrogance I'm accused off. Is it 
> arrogant to step forward to try and explain why noone who managed
> to exploit ossh is willing to step forward? Maybe it is. 

No that is not arrogant. But so far there have been personal attacks on Theo de
Raadt by someone who calls himself ``Theo rapist'' and many accusations about
bug ridden privsep code and what not. Big words, but without any technical
details. Or at any technical explanation for that matter. People on this list
are simply trying to figure out wether this is a troll (or FUD) or not. At
least that is my impression.

Words are cheap, it is proof that counts. A working exploit is of course the
ultimate proof, that's a fact. Therefore it shouldn't be surprising that people
ask for exploit code. If you have such a code, but do not want to release it,
fine. I could claim to have such an exploit too. But I wouldn't be able to
explain any technical details about it. So I guess that disclosing (some)
technical details about it is the second best proof.

> Fact 
> remains that exploiting this issue requires creativity beyond
> the pre-chewed papers. And that's why you're not seeing the regular
> array of mediocre "hackers" producing exploit code.

Right, it is very impressive.

> I'd like to
> think that anyone who was capable of writing this exploit also
> recognises the potential impact of releasing it.

True and I think it is good that you are so conscientious about it.

> I'm talking about the apaches, the openssh's and the ms rpc's. Time and time
> again it's become apparent that full disclosure simply does not
> function.

I think people take ``full disclosure'' too literally or too seriously. There
is a need for more knowledge about why and how certain bugs are exploitable.
Working exploits are one way to distribute this knowledge. But IMHO it is more
useful to share technical analyses of the problems and ways to prevent such
problems from happening again than exploit code.

> And allthough I realise that there will always be people supporting 
> full disclosure, I think even with the disclosure of vulnerability
> information releasing exploits is something that's not justifiable
> in any way.

Agreed.

> There is simply no need for exploits, especially not one that would
> affect people and nations around the globe. You have to look beyond
> your own little egocentric world of friendly exploit dev and "but it's fun",
> and take a look at the bigger picture. 

Agreed.

Groetjes,
Peter Busser
-- 
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html