Vulnerability Development mailing list archives
Re: Kill the DOG and win 100 000 DM
From: //Stany <stany () NOTBSD ORG>
Date: Sun, 5 Nov 2000 16:40:35 -0500
On Mon, 6 Nov 2000, Lincoln Yeoh wrote:
At 10:12 PM 11/4/00 -0000, Talisker wrote:
[...]
I suspect the prize money may draw a few zero-day exploits out of the woodwork

Well, they only have the ports open on the first day. It only starts to get interesting on the 3rd and 4th days.

Probably more fun to get an evaluation copy or two and mess about with it for 30 days.
For starters, PitBull is freely available for non-commercial use - http://www.argusrevolution.com/pitbullsupport.html

I played with it for a bit, but it is extremely cumbersome in day to day operations on a multi-user system. The version that they release for free (PitBull Foundation MU 3.0) installs only on particular releases of Solaris 7 - 10/98 and 8/99 inclusive - which, IIRC, corresponds to stock Sol 7 as first shipped through to MU3 of Sol 7. If you install MU 4, or, God forbid, roll on 7_Recommended, you will end up having to wade through pages and pages of patch compatibility information to identify whether the patch in a particular revision, as you installed it, is compatible or not.

This leads me to believe that some of the exploits might still be possible on a stock install of free PBF MU 3.0 if it is installed according to the six double-page installation guide provided on the web site - the libc, ttdb and comsat exploits in particular. Of course PitBull does provide the patch cluster with their patches integrated, but I was not cool enough to have a valid username/password pair for the support section on the commercial Argus site to download them. Of course the version that Argus tests will be the commercial one, so expect it to be fully patched.

More info about patches: https://www.argus-systems.com/support/updates/sol7.0.sparc/pitbull30.shtml

The root password is rather useless to give out, as even stock Solaris will not let one log in over the network as that user; the same applies to the isso/sa/so users on PBF MU 3.0, and it's unlikely that there will be any other accounts.
But such publicity stunts are always useful. You get free media exposure for spending the premium on the insurance (if insured), or DM100,000 * probability of hack.
As it stands now, the contest is rather rigged: while the Argus engineers who configured the system do understand the differences in privileges between the isso, sa, root and so users that PitBull needs, it is unlikely that this and other security concepts will be fully grasped by an average SA deploying the B2 level system, and a misconfigured system will end up providing fake security.

So in my humble opinion a more representative contest would be if a person from a .com, with lots of Solaris, or Linux, or NT, or whatever experience, were given the Sun box, a Solaris CD, an Argus CD, a heap of documentation, and a couple of days to get it running, and then the system he configured were put up for break-in attempts, because such a contest would in turn actually be representative of a larger chunk of PitBull installations in the wild. Of course Argus will never agree to such a contest, as in that case they are likely to lose face due to the user mix-up. If they do, I'd have to agree that they have balls and confidence in their technical writers.

Signed: //Stany

--
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR |
| This message is powered by JOLT! For all the sugar and twice the caffeine. |
+--------+ My words are my own. LARTs are provided free of charge. +---------+
Current thread:
- Kill the DOG and win 100 000 DM Pluym Christian (Nov 05)
- Re: Kill the DOG and win 100 000 DM Lincoln Yeoh (Nov 05)
- Re: Kill the DOG and win 100 000 DM Steve (Nov 05)
- Re: Kill the DOG and win 100 000 DM Talisker (Nov 05)
- Re: Kill the DOG and win 100 000 DM Lincoln Yeoh (Nov 06)
- Re: Kill the DOG and win 100 000 DM //Stany (Nov 06)
- Re: Kill the DOG and win 100 000 DM Jay Tribick (Nov 06)
- Re: Kill the DOG and win 100 000 DM //Stany (Nov 06)
- Re: Kill the DOG and win 100 000 DM Jay Tribick (Nov 07)
- Re: Kill the DOG and win 100 000 DM ratz (Nov 07)
- Message not available
- Re: Kill the DOG and win 100 000 DM Lincoln Yeoh (Nov 07)
- Re: Kill the DOG and win 100 000 DM Sven van 't Veer (Nov 07)
- Message not available
- Re: Kill the DOG and win 100 000 DM Jay Tribick (Nov 07)
- Re: Kill the DOG and win 100 000 DM Talisker (Nov 05)
- <Possible follow-ups>
- Re: Kill the DOG and win 100 000 DM Shawn Badolian (Nov 07)
- Re: Kill the DOG and win 100 000 DM Ken Pfeil (Nov 07)