Full Disclosure mailing list archives

Re: openssh exploit code?


From: Peter Busser <peter () adamantix org>
Date: Mon, 13 Oct 2003 12:29:53 +0200

Hello Security Snot,

> You probably enjoy the multiple levels of admitted "obscurity features" (check
> the Brad Spengler vs. OpenBSD Team threads just about anywhere, Theo's
> quotes on w^x being an "obscurity feature" to thwart attacks from lesser
> skilled attackers - since after all, the lesser skilled attackers are the
> real threat, right?).

Are you referring to the following discussion?
http://archives.neohapsis.com/archives/openbsd/2003-04/1678.html

I think you haven't thoroughly read the discussion. The obscurity features
referred to in this case are the various address space layout randomisation
(ASLR) features. ASLR is just one of the W^R features.

The ASLR is indeed an obscurity feature. It depends on the assumption that the
attacker does not know the exact placement of the
executable/libraries/stack/heap in memory.

It is a public secret that secure systems do not exist and are not technically
possible at this time. And that is just the technical side of the problem,
there is also a social aspect to security, which is a whole different can of
worms. As such, ASLR is not the final answer to security problems. It is just
a way to raise the bar, and hope that no one is able to jump over it.

Encryption is also an ``obscurity feature''. And encrypted passwords have been
known to be crackable. Does that make encrypted passwords any less valuable? I
don't think so.

The following message proves that at least it is effective against some
attacks:
http://groups.google.com/groups?selm=20030525190037%2470c6%40gated-at.bofh.it
This is of course about PaX and not W^R, but the basic feature set is more or
less similar (although PaX predates W^R, lest anyone starts accusing PaX people
of copying features from OpenBSD).

> So yeah, FUD.  If I told you there are still exploitable preauthentication
> bugs in OpenSSH, would that just be FUD too?  FUD until the next advisory
> is published on that horribly designed codebase, FUD until the threat is
> demonstrated, right?  Bet you'd like to see yourself eat your words, so
> you can generate a little more revenue with your security job. . .

There are probably tons of vulnerabilities in OpenSSH. It is after all a rather
complicated piece of software. It is a public secret that complex software
often contains serious bugs. So what exactly is your point? Why are you
restating the obvious?

And when you talk about credibility, I think you are the one here who has a
credibility problem. I mean, you shout about things you apparently do not fully
understand. Take the ``obscurity feature'' above, you use one feature of a set
of different features to dismiss the usefulness of the whole set. That is not
really a logical thing to do. That is no problem, I mean, you don't have to
feel ashamed about not understanding something complicated. You are certainly
not alone, everyone has things he/she does not understand (I know I don't
understand many things).

Groetjes,
Peter Busser
-- 
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html