Full Disclosure mailing list archives
RE: no more public exploits and general PoC gui de lines
From: kquest () toplayer com
Date: Tue, 27 Apr 2004 16:05:13 -0400
Are you saying that unless there's an exploit that gives you access to the target machine your company wouldn't patch (even if there's an exploit that crashes the target)? I don't know what company that was, but I'm glad I'm not working for them... Ignoring DoS exploits is irresponsible... to say the least.

kcq

-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com]
Sent: Tuesday, April 27, 2004 3:37 PM
To: full-disclosure () lists netsys com
Cc: kquest () toplayer com; johncybpk () gmx net
Subject: RE: [Full-disclosure] no more public exploits and general PoC gui de lines

Well, then the hole you get stuck in with that particular situation is systems going unpatched, b/c there is no exploit for the vulnerability. A company I used to work for was that way. Regardless of what security strongly recommended, patches weren't being installed in a timely manner...largely b/c there were no reports of actual exploit code being released. However, a customer insisted that the patches be installed ASAP...the logic used by the sysadmins didn't jive.
Having proof of concept code is always valuable (and the sooner the better), but I question releasing exploits that execute code on the target machine. Having a DoS PoC is enough... The legitimate pentesters will be able to modify the PoC to execute code on the target while, at the same time, the "kiddies" will be stuck with something of little or no use to them. This way everybody is happy. Some of you might say that some "kiddies" will be able to modify the DoS PoC to execute code for their malicious needs. Well, if this is the case, then we are no longer dealing with "kiddies"... If they can do this then they are capable of creating their own exploits...
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html