Re: Exploit for auth2-pam for vuln linux opensshd

[ATD <simon () snosoft com>]

Are you perfect?



On Wed, 2003-01-08 at 22:54, Jack Ahz wrote:
> Dear reader,
> Yours truly would like to note the following:
>
> Globalintersec Research is a hoax. Unbelievably, the only thing that makes me
> angrier than a 0day factory like ISS, which churns out advisory after advisory
> due to the unethical and illegal auditing of proprietary source code found on
> irc and plan9.hert.org, is a security company consisting of complete morons
> that is able to make money (SOMEHOW) by completely fooling the public.
>
> KF, of GLOBALINTERSEC SECURITY, THIS MEANS YOU!
>
> Note: At least ISS uses illegal means and genuine skills to audit proprietary
> source code and find real, useful bugs.
>
> Let's think about it. KF MADE THIS POST TO VULN-DEV:
>
> -----------------------------
> My question is does anyone know how to programatically do this? Do i 
> need to make use of bit shifting or something? I need only a program to 
> print the list to the screen or something simple. Example output would 
> be ...
>
> AAAA
> BBBBB
> ....
> AAAB
> AAAC
> ...
> and so on but ONLY unique posibilities.
>
> -KF
> -----------------------------
>
> NOTE THAT NOT EVEN THIS QUESTION WAS ERROR-FREE (THE SECOND ENTRY HAS 5 B'S)
>
> So are we to believe that somebody lacking the most basic C-skillz is able to
> craft an exploit for opensshd for linux?
>
> Is it not apparent that if this bug were easily exploitable, SOME FUCKING IDIOT
> would have already posted the exploit to packetstorm, like MR ZENITH PARSEC?
>
>
> KF continues in his vuln-dev post,
> "Hah this is great... and to think a simple question like that stumped my 
> local java AND c++ instructors. "
>
> Where did you go to school, the University of Swaziland?
>
> Anyhow, I am straying off topic. Let not my hate of the KF cloud my message.
>
> The point is this:
> I have looked through the auth2-pam.c file a while ago, and determined that the
> sshd daemon was certainly not exploitable in the way which was described in the
> advisory, due to certain counter variables and corruption of the heap. Now,
> this was a while ago, and I'm only going by what my own memory serves up.
>
> The same goes for the FAKE GLOBALINTERSEC sudo advisory. It is quite apparent
> that the gdb output was fabricated. Running neither one of those programs with
> a few simple command will cause some textbook heap corruption scenario where
> the malloc chunk headers are 'merely overwritten' by a long string of A's. Even
> Mr. FC could have crafted up an exploit in less than 8 months IF THAT WERE THE
> CASE.
>
> Solution:
> KF[GLOBALINTERSEC], admit to the world that you are a fraud and faked gdb
> output in an effort to gain fame. At least I applaud for not signing your name
> as 'KF' to your advisories. Globalintersec would have certainly been out of
> business by now if that were the case.
> If KF admits he is a liar, this will all stop.
>
> Potential Counter-Solution:
> Say KF does not admit he is a fraud. I will be forced to go back through a pile
> of old worthless code to show that his exploitable condition is impossible
> (which is not to say at all that exploitation in some way is impossible).
>
> -- END --
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 
ATD <simon () snosoft com>
Secure Network Operations, Inc.

Attachment: signature.asc
Description: This is a digitally signed message part