Security Incidents mailing list archives

Re: how often do 0-days REALLY happen?


From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 8 Jan 2002 17:43:21 -0700 (MST)

On Tue, 8 Jan 2002, leon wrote:
I have been reading this list for a couple of years now and I just
got done reading hacker's challenge.  Great book (hi to everyone who
contributed and reads this list, I know David D is one of them).  The
book is quite unique in how it goes about presenting itself.
Basically it is 20 challenges (here is what happened, here are the
logs, and here are some questions).  At the end of the book are the
solutions (how a security professional figured out xy and most
importantly z).

I'm up to about chapter 9.  Very interesting book, and probably of
interest to the readers of this list.

months.  So I ask upon you incidents list (ye who have SO MUCH more
experience than I) do systems being compromised by zero day exploits
really happen (I am sure they happen but I am really curious as to
the frequency and how a professional goes about dealing with a never
seen before exploit.)

As you stated, the vast majority of attacks out there are for older
vulnerabilities.  I can give a few anecdotal examples of 0-day.  (In most
cases, it's an unknown exploit, not an unknown vulnerability.)

- The snmpXdmid exploit.  Search the Incidents archives for "Carko".
Someone found a binary exploit for the snmpXdmid Solaris hole on a
compromised machine.  We analyzed the binary.  As part of the
investigative work, I found evidence for at least 4, and possibly 5,
unpublished snmpXdmid exploits in the wild.  Unpublished means they didn't
appear on the usual mailing lists, nor on public websites.

- The .htr worm.  The guys at eEye were given a copy of a worm that
exploited the .htr IIS hole.  This was supposedly before the hole was
known publicly (true 0-day?) and is supposed to have been a precursor to
CodeRed (shows some similarities.)  Don't know why the worm wasn't more
"successful".

- There have been several "leaked" exploits, which have been discussed
here and on Bugtraq.  These include a TESO telnet exploit, and one or two
SSH CRC32 exploits.

And of course, before Bugtraq was prevalent, all exploits that made it
around were "private", stolen, etc...

                                        Ryan


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
