RE: no more public exploits and general PoC gui de lines

[kquest () toplayer com]

Are you saying that unless there's an exploit
that gives you access to the target machine
your company wouldn't patch (even if there's
an exploit that crashes the target)? 

I don't know what company that was, but I'm
glad I'm not working for them... Ignoring DoS
exploits is irresponsible... to say the least.

kcq

-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com]
Sent: Tuesday, April 27, 2004 3:37 PM
To: full-disclosure () lists netsys com
Cc: kquest () toplayer com; johncybpk () gmx net
Subject: RE: [Full-disclosure] no more public exploits and general PoC
gui de lines


Well, then the hole you get stuck in with that
particular situation is systems going unpatched, b/c
there is no exploit for the vulnerability.

A company I used to work for was that way.  Regardless
of what security strongly recommended, patches weren't
being installed in a timely manner...largely b/c there
were no reports of actual exploit code being released.
 However, a customer insisted that the patches be
installed ASAP...the logic used by the sysadmins
didn't jive.

> Having proof of concept code is always valuable 
> (and the sooner the better),
> but I question releasing exploits that execute code
> on the target machine. Having a DoS PoC is enough...
> The legitimate pentesters will be able to modify the
> PoC to execute code on the target while, at the same
> time, the "kiddies" will be stuck with something of 
> little or no use to them. This way everybody is
> happy.
> Some of you might say that some "kiddies" will be
> able
> to modify the DoS PoC to execute code for their
> malicious
> needs. Well, if this is the case, then we are no
> longer
> dealing with "kiddies"... If they can do this then
> they
> are capable of creating their own exploits... 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html