Full Disclosure mailing list archives

remote kernel exploits?

From: blake () mc net (Blake Frantz)
Date: Wed, 18 Sep 2002 10:00:50 -0500


- - I have not seen any incident reports on Incidents, or any other

mailing list for that matter.


- - You'd think several high profile sites would've been attacked

already with such devastating exploits, but

I've seen no reports of this. In fact, if the kids really did have such

an exploit, you'd think they'd tag

their h4ndl3z all over high profile sites. But according to Alldas,

high profile defacements have been

virtually nonexistent in the last year or so.

- - Given the skill required to craft such an exploit, I'd think it

would be way out of the grasp of the kids. >Since no researcher has come
forth with such a vulnerability, it's logical to conclude that this does
not

exist.


I'll begin by saying that I am not confirming or denying such an exploit
exists, simply playing devil's advocate.

As you mention in your 3rd point, the skill required to discover and
develop a working exploit for such a vulnerability is far greater than
the skill level of a script kiddy.  With that in mind, wouldn't it be
safe to make the assumption that the people (hypothetically) using this
exploit are equally skilled in hiding their presence on the machine?
Furthermore, what type of 'incident' would be reported?  Interface
problems?  A web defacement?  I woefully disagree that the person(s) who
developed an exploit of this magnitude are going to use it to deface
websites.  Web defacements are generally the acts of RDS abusing script
kiddies, whom you yourself stated would not be the source of this
exploit.  IMHO, suggesting that an person of this technical caliber
would use their skill to deface websites for pure lime light is like
suggesting a world class brain surgeon would expect a Nobel prize for
applying a butterfly bandage.  Additionally, script kiddies generally do
not understand the legal ramification of defacing 'high profile'
websites that have the bankroll to litigate.  It's been my experience
that people of the skill level required to develop such an exploit are
very aware of possible consequences.  If such an exploit exists, I would
expect exactly what is happening now.  Nothing but speculation possibly
derived from someone leaking info.

In short, you can not conclude that something does not exist simply
because you have not found it.

-Blake

Current thread:

remote kernel exploits? andy_mn () hushmail com (Sep 08)
- remote kernel exploits? Azerail (Sep 08)
- Re: remote kernel exploits? Jose Nazario (Sep 09)
- Re: remote kernel exploits? Stephen (Sep 09)
- remote kernel exploits? Blake Frantz (Sep 18)
- <Possible follow-ups>
- remote kernel exploits? isergevsky () hushmail com (Sep 08)
- remote kernel exploits? memetic-engineer () australia edu (Sep 08)
- RE: remote kernel exploits? Yonatan Bokovza (Sep 10)
  - RE: remote kernel exploits? Jacques A. Vidrine (Sep 10)
- RE: remote kernel exploits? Gommers, Joep (Sep 11)
- RE: remote kernel exploits? andy_mn () hushmail com (Sep 12)
  - RE: remote kernel exploits? Andrew Thomas (Sep 12)
  - RE: remote kernel exploits? HalbaSus (Sep 13)
    - RE: remote kernel exploits? silvio () big net au (Sep 13)
    - Message not available
    - RE: remote kernel exploits? silvio () big net au (Sep 13)

(Thread continues...)