Full Disclosure mailing list archives

Re: openssh exploit code?


From: security snot <booger () unixclan net>
Date: Mon, 13 Oct 2003 00:13:14 -0700 (PDT)

Dearest Sir,

Can you provide any sort of technical argument as to why this bug is not
exploitable?  Or are you going to simply stand behind the typical OpenBSD
zealot view and say it can't be exploited, only because there is not
public "proof of concept" code available?

ISS' X-Force claims to have created working proof-of-concept code for
the bug.  Are you calling those respectable young men and women liars?  Or
maybe you're sore because they're responsible for publishing information
on the first remote bug (that was demonstrated to be exploitable, mind
you) for OpenBSD?

Maybe you're from the same cult that claimed negative-length memcpy's
aren't exploitable.  Or one of those who think that the bug-ridden
"privsep" codes used throughout OpenBSD are implemented correctly, thus
adding a worthwhile layer of security to your operating system.  You
probably enjoy the multiple levels of admitted "obscurity features" (check
the Brad Spengler vs. OpenBSD Team threads just about anywhere, Theo's
quotes on w^x being an "obscurity feature" to thwart attacks from lesser
skilled attackers - since after all, the lesser skilled attackers are the
real threat, right?).

So yeah, FUD.  If I told you there are still exploitable preauthentication
bugs in OpenSSH, would that just be FUD too?  FUD until the next advisory
is published on that horribly designed codebase, FUD until the threat is
demonstrated, right?  Bet you'd like to see yourself eat your words, so
you can generate a little more revenue with your security job. . .

So, please, if you're going to take a stance against this bug being
exploitable, let's see what you've done in an attempt to exploit it.
Let's see something definitive showing why it can't be done.

Or keep blindly supporting OpenBSD "The Nearly POSIX Compliant Unix-Like
Operating System With Obscurity Features (tm)" and sounding like a jackass
here.

- the master of mprotect, champion of privilege separation, rapist of theo

Incidentally, on your Ritchie quote - ever stop to think what he'd think of
someone like Theo who can't grasp the simple language used to define the
POSIX standards?  ;)

ps: provide an adequate technical discussion against the exploitability of
this particular bug, and if it proves to be sound I'll release an exploit
for a different unpublished OpenSSH bug for you guys to write up some
advisories on!  (err, must be FUD:)

-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-----------------------------------------------------------

On Sat, 11 Oct 2003, Henning Brauer wrote:

On Sat, Oct 11, 2003 at 07:56:50AM -0400, S . f . Stover wrote:
Has anyone actually seen exploit code for the OpenSSH 3.6.1 vulnerability?
I've been googling around and while I see people talking about exploit code

they are liars.
it's FUD.

--
Henning Brauer, BS Web Services, http://bsws.de
hb () bsws de - henning () openbsd org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


