RE: No Subject (re: openssh exploit code?)

[Ron DuFresne <dufresne () winternet com>]

Funny thing here is;  fixing up openssh/ssl does not require a reboot, so
'downtime is minimal" if tere's any real downtime at all.  So, arguements
about the effects on a ebusiness/work modle are just plain stupid.  At
least for this patch/threat vector. <I am an admin in parts of my position
Paul, time to change hats soon and  go gatekeeper though... (grin)>  hell,
if there's real need for concern of 'downtime' limit exposure while
working things out by filtering/firewalling access to the ssh port.

Now, there has been alot of interesting discussion on this thread, thanks
to all for 'sharing'.  One point that strikes me on Mith's arguements is
that his stand puts him in an "anti-social" mode;  "these are my work, my
toys, and you can  see nor play with them"  I do like and apppreciate many
of Mitch's points, but, I think there's a far line being crossed when one
wishes to remove themselves from the social model/norm.  Especially in
light of the fact that most folks keep trying to convince Mitch they do
not want his toys, nor are they interested inn his supplying them with any
toys, they just seek informatioon.  Mitch's stand seems to play on the
old/new line of 'knowledge/information being a commodity', which is
pretty much the stance of the current security big business thing that
kinda brought this list into existance.  Mitch;s stance seems to be
rife with a moral code close to that which my father grew up in post
WWII/depresion.  I'm not sure that clinging to the past is the proper
way to proced in the present... But, I have to conceed, if Mitch
does to buy that  solitary island in the ocena to seclude into, I
might be interested in the far side lagooon.


Still reading, thanks,

Ron DuFresne


On Tue, 21 Oct 2003, Bassett, Mark wrote:

> If I have say.. 100 boxes with ssh on them I would not be likely to drop
> them all, install the patches and bring them back up for an exploit that
>
> <snip>
> *****May****** allow a remote attacker to corrupt heap memory
> Which in turn
> *****could**** cause a
> denial-of-service condition.
>
> Furthermore
> It ***may*** also be possible for an attacker
> to execute arbitrary code."
>
> Sounds to me that they are saying.. well there might be a problem, we're
> just letting you know of the possibility.
>
> Mark Bassett
> Network Administrator
> World media company
> Omaha.com
> 402-898-2079
>
>
> -----Original Message-----
> From: mitch_hurrison () ziplip com [mailto:mitch_hurrison () ziplip com]
> Sent: Tuesday, October 21, 2003 12:18 PM
> To: Schmehl, Paul L
> Cc: full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] No Subject (re: openssh exploit code?)
>
> Hi Paul,
>
> I'm glad to see you are capable of a sensible response. I see
> your points and it's nothing I haven't heard before. The thing
> is, your arguments don't really hold any ground in this particular
> event.
>
> I've said all along that this issue has been publicly recognised
> as being a security issue from the getgo. Besides my personal
> beliefs that has been the main fuel behind my arguments against
> exploit or practical exploit methodology disclosure for an issue that is
> potentially devastating.
>
> Now you state the following:
>
> > Again, you miss the point entirely.  The folks that have
> > asked you for more information are not looking for "fun".
> > They are trying to make real life decisions about taking down
> > critical systems for **unscheduled downtime** to patch them.
> >  You fail to understand that many admins can't simply take
> > a system down because Mitch says they should.  They need solid
> > arguments to take to their bosses to explain why this particular
> > system needs to be downed *today* rather than waiting for a
> > regularly scheduled maintenance window.  When a worm comes out,
> > it's a no brainer. (But even then sometimes the bosses don't
> > believe you until they've been burned at least once.) But admins
> > can't take systems down every time someone cries "Patch now!
> > This is exploitable!"
>
> Your main argument being that you can't take some yahoo's word
> for it when they claim this issue is exploitable. The thing is
> you don't have to take some yahoo's word for it.
>
> Let me quote from CERT Advisory CA-2003-24:
>
> "There is a remotely exploitable vulnerability in a general buffer
> management function in versions of OpenSSH prior to 3.7.1. This may
> allow a remote attacker to corrupt heap memory which could cause a
> denial-of-service condition. It may also be possible for an attacker
> to execute arbitrary code."
>
> And allthough I hate to quote the childmolestors at CERT on
> anything, it would seem to me that a CERT bulletin, which
> indicates the likely exploitability, of this issue is all
> the official leverage an admin would need to convince
> management of the need to patch no?
>
> So with that base covered, why is there still a need for admins
> to hunt exploit code on public forums, unwittingly shouting
> "look world, I haven't patched any mission critical systems on
> my network yet". It's a sad state of affairs when admins are
> forced to seek out proof beyond the bulletins of an officially
> recognised source of security alerts such as CERT, before given
> the green light for downtime.
>
> So I fail to see why you, or any admin for that matter. Would
> need go on "what mitch says" in the first place. My intention
> was to make a point about people taking exploits and the
> theory behind exploitation as a given. They see it as a commodity
> not recognising the hard work people put into the research
> involved.
>
> Secondly I wanted to make people think about the "need" for an
> exploit. First of all we have CERT issueing an official bulletin
> providing every admin in the world with the leverage they need
> to justify downtime. Secondly all the bugdetails and the impact
> of the bug have been recognised. What remains is the actual
> practical, public, exploitation of the problem. The theory of
> which is readily available for anyone willing to put in the time.
>
> So, allthough I must say I was pleasantly surprised to see you make
> an effort at normal debate, I still believe none of your arguments
> apply to this case. Admins shouldn't try to be hackers and I think
> you'll agree that most hackers shouldn't try to be admins.
>
> With that solved, I dare to hold to my earlier statement
> that there is no need for this exploit to be disclosed. Nor
> is there a need for the practical methodology behind the
> exploit to be disclosed. There is however, a need for people
> who regard the research of others as a commodity that is theirs
> for the taking, to rethink their outlook on life.
>
> With regards,
> Mitch
>
> > -----Original Message-----
> > From: Schmehl, Paul L [mailto:pauls () utdallas edu]
> > Sent: Tuesday, October 21, 2003, 8:48 AM
> > Cc: full-disclosure () lists netsys com
> > Subject: RE: [Full-disclosure] No Subject (re: openssh exploit code?)
> >
> > > -----Original Message-----
> > > From: mitch_hurrison () ziplip com [mailto:mitch_hurrison () ziplip com]
> > > Sent: Tuesday, October 21, 2003 2:23 AM
> > > To: Schmehl, Paul L
> > > Cc: full-disclosure () lists netsys com
> > > Subject: Re: [Full-disclosure] No Subject (re: openssh exploit
> code?)
> > > Again, what is it about your personality that makes you
> > > incapable of taking part in an adult discussion of
> > > responsible disclosure issues? Is it that anyone who has a
> > > different opinion than yours is automatically not worth your
> > > time? That sounds kind of nazi-like to me mr. Schmehl.
> >
> > Oops!  Godwin alert!
> >
> > Mitch, I've taken part in quite a few adult discussions.  In this one
> I
> > deliberately choose to mirror your behavior on the list.  I know you
> > won't see that or agree with it, but others will.  You come across as
> an
> > arrogant, condescending jerk who thinks they're superior to 99.99% of
> > the people on this list.  How do you think people should react to
> that?
> > By cheering you?
> >
> > If you're such a great coder that you can figure out exploits when no
> > one else can, yet you're unwilling to share even the *theory* behind
> > them to this list, then why do you bother posting about it?
> Logically,
> > the only reason can be to inflate your own image and ego.  It's like
> the
> > little kid who taunts the others at school because he knows something
> > that they don't.
> > > It's quite saddening to see this list turn into a pack of
> > > hungry saliving fools at even a hint of an exploit for this
> > > issue. You seem to have more of a hardon for the "juarez"
> > > than any "kiddie" I've ever met. Even when trying to debate
> > > some of the issues surrounding the disclosure of such a
> > > potentially devastating exploit all one gets is "yeah, yeah.
> > > Now make with the warez".
> > I can't speak for others, but I really could care less about the
> > exploit.  That's not where my interests lie.  Coding bores me, and I
> > only do it when I have to, to solve a problem.  "Slaving away" over
> > code, as security snot whined about, is not my idea of time well
> spent.
> > I also don't have any aspirations at mastering quantum physics, but I
> > *do* expect the physicists to treat me with the same respect with
> which
> > I treat them.
> >
> > If you don't like being treated like a jerk, then don't act like one.
> >
> > > As far as it being "easy" to exploit. No it isn't. You have
> > > to abuse a lesser issue, a memory leak to be more precise, to
> > > get a heap layout that will allow you to survive the initial
> > > memset without landing in bad memory. Now without going into
> > > details anyone who manages to survive the initial memset
> > > should be able to debug the crash to the point of
> > > exploitation. This is managable on atleast Linux IA32 systems.
> > Now this is useful information, which you *could* have shared a long
> > time ago, sans attitude.
> >
> > > Now I'll try and bring my original point forward one last
> > > time, allthough I fear it will just call for more immature
> > > commentary from the likes of Paul Schmehl.
> > >
> > > There is no need for anyone to release this exploit. It will
> > > change nothing about the fact that you need to upgrade your
> > > daemons. It will change nothing about the bugdetails already
> > > published. There is no reasoning for it other than "but I
> > > want to learn how to do it".
> >
> > This is where you go off the track.  You clearly don't understand how
> > networks and infrastructures work.  As others have already pointed out
> > to you, *some* systems can't be taken offline "just" to patch a
> > *possible* exploit.  Yeah, I know that there's a group of folks that
> > freak out when they hear that.  But in the real world, decisions about
> > taking critical systems down are based on a *number* of factors, not
> > *just* on whether or not a patch has been released.  So, when people
> cry
> > "It's exploitable" but no clear explanation of why is forthcoming,
> > admins tend to discount the claims, chalking them up to more FUD.
> After
> > all, there are guys (like security snot did) who will claim they "0wn"
> > you all day long.  Where's the proof?  Talk is cheap.
> >
> > You don't have to release any code to explain the problem.  You can
> > write a paper, like Aleph did in "Smashing the Stack....", which
> > explains the *theory* behind the problem without providing any usuable
> > code for "kiddies".  Or you can provide some details of the theory, as
> > you have above, that will point others in the right direction.
> >
> > > And sorry but that's just not
> > > good enough to warrant the mayhem that will ensue when an
> > > exploit like this is released. So if you in your academic
> > > pursuits decide to tackle this problem. By all means go right
> > > ahead. But I think anyone who's discovered the real impact of
> > > this bug will realise that disclosing the exploit to the
> > > general public is highly irresponsible.
> > This, of course, flies in the face of the entire purpose of this list,
> > but I'll leave that argument to others.
> > > So instead of trying to poke fun at me Paul, why don't you do
> > > your duty as a knight of Full Disclosure and provide the good
> > > people of this list with a definite analysis on the ossh 32k
> > > nul heap munging? (buzzword quota filled).
> > Oh, I'm not poking fun at you at all, Mitch.  I'm mirroring your
> > attitude and behavior on the list.  I hope you will see that, but who
> > knows.
> >  >
> > > There is simply no need for exploits, especially not one that
> > > would affect people and nations around the globe. You have to
> > > look beyond your own little egocentric world of friendly
> > > exploit dev and "but it's fun", and take a look at the bigger
> > > picture.
> > Again, you miss the point entirely.  The folks that have asked you for
> > more information are not looking for "fun".  They are trying to make
> > real life decisions about taking down critical systems for
> **unscheduled
> > downtime** to patch them.  You fail to understand that many admins
> can't
> > simply take a system down because Mitch says they should.  They need
> > solid arguments to take to their bosses to explain why this particular
> > system needs to be downed *today* rather than waiting for a regularly
> > scheduled maintenance window.  When a worm comes out, it's a no
> brainer.
> > (But even then sometimes the bosses don't believe you until they've
> been
> > burned at least once.) But admins can't take systems down every time
> > someone cries "Patch now!  This is exploitable!"
> >
> > I personally would prefer that every system gets patched the day the
> > patch is released.  The reality is that it just doesn't happen that
> way.
> > When a professor is in the middle of a major experiment and you tell
> him
> > you have to take his system down *now*, what do you think his reaction
> > is going to be?  If he's running a four day simulation, and you asking
> > him on day three, you aren't going to get a positive reaction.
> There's
> > a lot more to taking systems offline to patch them than the word of
> > someone on this list.
> >
> > Try to think outside your own small box.
> >
> > Paul Schmehl (pauls () utdallas edu)
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu/~pauls/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> ************************************************************
> Omaha World-Herald Company computer systems are for business use only.
> This e-mail was scanned by MailSweeper
> ************************************************************
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html