Re: remote kernel exploits?

[sa7ori () tasam com (Stephen)]

hello,
There has been a bit of speculation regarding similar concerns in the
past, and I thought I might chime in with a bit of subjective commentary.
I think anyone that is even remotely knowledgable has pondered this issue
once or twice. I (personally) was quite interested in issues similar to
that which you stated, specifically with ICMP and the linux kernel. I
delved into it a bit, but soon realized that much of it was beyond my
coding skill. I am fairly confident (not only) that there are weaknesses
in the Nework layers of open source kernels, but also that there are
individuals who have found ways to exploit such weaknesses. I would
speculate that whomever has found a method to exploit such a
vulnerability, is far removed from the "Information Security"  community
and its pond scum (kiddies, sec mailing lists, etc :-).  Please also
consider the possibility that vulnerabilities in Open Source kernels don't
necessarily have to be inherent in the contributing developers code.
Distro sites, CVS's, all are VERY accessible.  Honestly, when was the last
time you scrutinized the pgp'd checksums of some software you were
grabbing from your favorite distribution site!? It seems that many people
in the Security community take a "system-centric" approach to security.
People tend to focus on the system specific facets by searching for "magic
bullets" and following stringent guidlines. This technology is NOT
formulaic. By its very nature, its amorphous, and as such, stringent and
formulatic security policies are ineffective. In response to your
assumption about the reality of such an exploit, I would suggest that you
not be so quick to assume that because nothing has popped up on a
vuln-dev-type mailing list, or that because the kiddies arent trading it,
it doesnt exist.

I suggest "Linked" by Albert-Laszlo Barabasi.

I am finding you can sometimes learn more from an unlikely source
than by going "straight to the horse's mouth", we just gotta keep our eyes
open.

On Sun, 8 Sep 2002 andy_mn () hushmail com wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey
>
> I've been hearing about this for the past year, but always shrugged
> it off as fun-and-games at best or FUD at worst. A few days ago, though,
> I posed the question to a friend who has been a very reliable source
> in the past concerning exploit rumors and security gossip (among
> many other things, he was able to give me two week's warning about
> the Apache chunked encoding hole). He said in no uncertain terms
> that although he has no substantial information concerning the flaws,
> the Linux kernel, FreeBSD/OpenBSD kernel, and possibly other kernels
> contain remote vulnerabilities that were discovered independently by
> both a Bindview employee and/or an individual using the nickname ~el8.
>
> The bugs are said to have something to do with integer manipulation in
> the kernels' TCP/IP stacks. That's all he was able to offer me, but was
> very forward in saying that he has full confidence based on
> conversations with others that these bugs do indeed exist.
>
> Now, there's always the chance I'll be wrong, but unless someone wishes
> to comment on the technical plausibility of these vulnerabilities, I
> have several second-rate reasons as to why I believe these rumours
> are most likely just figments of the imagination:
>
> - - I have not seen any incident reports on Incidents, or any other
> mailing list for that matter.
>
> - - You'd think several high profile sites would've been attacked already
> with such devastating exploits, but I've seen no reports of this. In
> fact, if the kids really did have such an exploit, you'd think they'd
> tag their h4ndl3z all over high profile sites. But according to Alldas,
> high profile defacements have been virtually nonexistent in the last
> year or so.
>
> - - Given the skill required to craft such an exploit, I'd think it
> would be way out of the grasp of the kids. Since no researcher has
> come forth with such a vulnerability, it's logical to conclude that
> this does not exist.
>
>
> Anyway, I'm very interested in hearing what others have to offer
> concerning these rumors. Even if it's for reassurance ;>
>
> - -- Andy
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
>
> wlwEARECABwFAj17ObAVHGFuZHlfbW5AaHVzaG1haWwuY29tAAoJEDRxILB1JtUKPLoA
> n1do1g9fG+QCaKe5+dFeMu9Rw5KNAKCOLV2ToVpNRmmH2V2t1sdBsZi6ew==
> =h3o0
> -----END PGP SIGNATURE-----
>
>
>
>
> Get your free encrypted email at https://www.hushmail.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com