Full Disclosure mailing list archives

Re: re: openssh exploit code?


From: Frank Knobbe <frank () knobbe us>
Date: Mon, 20 Oct 2003 14:25:50 -0500

Hey guys,

don't want to cause a stir, but here are some thoughts I have since that
SSH issue was dear to me when it came out.

On Mon, 2003-10-20 at 05:28, mitch_hurrison () ziplip com wrote:
> What is the added value of anyone
> disclosing an exploit to you?

Proof that it is indeed exploitable. I personally don't need an exploit,
just show me in a discussion where it is exploitable. I still don't
believe that the first issue (heap overwritten with 0's) is exploitable
other than a DoS. Now the PAM issue probably is, I haven't looked at
that.

Just so you know where I'm coming from: I get pretty pissed off when
unsubstantiated rumors cause a commotion that everyone is jumping on
without having done a review or proof of its existence, especially when
it's used to feed the FUD mill. For example, if someone spreads a rumor
that the latest version of Apache is exploitable with a remote root
exploit (not just DoS) in the mime_module, but while reviewing the code
it just doesn't seem possible, then that person making those claims
better back it up with some data. Doesn't have to be exploit code, but
an analysis that convinces others.

> A) You know the bug exists.
> B) You know it's probably a good idea to patch it.

heh... Nothing wrong with that statement. However, the severity of the
issue (DoS vs. remote-root) would be helpful in determining if admins
should yank the boxes during production, or wait to patch after hours.

> But to put your mind at ease. Yes it is exploitable. Will you
> get an exploit from me? Hell no.

Okay, please show us in discussion where it is exploitable. No need for
exploit code to feed the script kiddies, just convince me with an
analysis. 

I still believe that the heap-write-0 issue is not exploitable other
than a DoS. If you think it is, please show us how.


Cheers,
Frank


