Full Disclosure mailing list archives
Re: CORE-Impact license bypass
From: Valdis.Kletnieks () vt edu
Date: Tue, 27 Sep 2005 17:23:45 -0400
On Tue, 27 Sep 2005 17:53:58 +0200, Bernhard Mueller said:
> So what use is a pentest if the consultant isn't even talented enough to find / create exploits for unknown vulnerabilities?
Quite a bit, actually. Consider every pen test ever done by a consultant who wasn't that talented, but who found and reported *actual* security holes in the target network anyhow. Are you saying all those pentests were worthless?
> Any average admin can install and run an automatic security scanner.
Right. Sometimes, it's just the convenience factor - the fact that I *can* change the oil, spark plugs, and brake pads on a car doesn't mean that I'd *rather* do it myself than pay somebody else $20 to do it for me. Similarly, my servers running Red Hat have software maintenance contracts on them, even though I *could* debug software myself, simply because (a) sometimes it's a trivial bug and I can't be bothered to track it down because I'm busy doing something more interesting that instant or (b) it's a major issue and I don't have the time to get up to speed on all the ins and outs of how a particular RAID controller interacts with a particular kernel driver. And then you get to the place where the consultant can be a value-add:
> Furthermore, a common Nessus report contains 99% useless garbage. And most of the time, you cannot apply generic exploits like these from Metasploit to a specific customer situation.
The average admin does *not* have the skills/time needed to sort out the 99% useless garbage. And in the network-wide sense, there are often transitivity problems where D has a known-but-difficult-to-fix hole, but is only reachable from C - and nobody realizes that a minor issue on B can let somebody on A leapfrog to C and then hit D. Found a box once that had at one time a 3rd party package, since removed. The package removal had left a line in /etc/hosts.equiv for *one specific host*, also since departed from the DNS. And the box had a packet filter ruleset to only accept DNS from the "real" DNS servers. (You can see where this is heading, right? :) Well, the admin of the box could see it *once it was pointed out to them*. Didn't mean that they had the time to find it themselves.
> In my experience, nearly all sites have some serious security flaws even if tools like Nessus say the contrary. There may be self-coded applications or software that is not widely known or tested, so they're not found in any vulnerability database. Or, if that is not the case, you may even find new flaws in well-established software.
Notice that most home-grown apps have issues - and the people who wrote them are usually unqualified to find them, simply because they have a big blind spot because they're too close - "forest for the trees" time. A fresh set of eyes from outside can help a lot here. And note also that "finding a hole" and "be talented enough to create an exploit" are *totally* distinct. I found a rather nasty rootable hole in Sendmail a while back (read the release notes for 8.10.1 and the relevant manpages for the system linker - that gives enough info to figure out what the bug was). Never did create a working exploit for it - I fooled with it for an afternoon and only got as far as proving that if somebody were to spend more than an afternoon on it, they *could* produce a working exploit.
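The two findings in the message above (a trust chain A -> B -> C -> D that no per-host scan reports, and a stale hosts.equiv entry naming a host that has since left DNS) are exactly what a reviewer would want to check for mechanically. The following is an added example, not code from the original post or from any tool discussed in the thread: it parses constructed /etc/hosts.equiv contents for a handful of hosts, builds the "a login on X is accepted on Y" graph, finds the shortest multi-hop trust path between two hosts, and flags trusted names that no longer resolve. Hostnames, file contents and the DNS table are all constructed for the example.

```python
"""Added example: hosts.equiv trust-path and stale-entry review.

Not from the original post. All hostnames, hosts.equiv contents and the
DNS table below are constructed for illustration.
"""
from collections import deque

# Constructed: HOSTS_EQUIV[host] is the text of that host's /etc/hosts.equiv.
HOSTS_EQUIV = {
    "B": "A\n",                     # minor on its own: B trusts office-LAN box A
    "C": "B\n",                     # C trusts B
    "D": "C\n# left behind by a removed package:\nold-ns\n",
}

# Constructed: names that currently resolve in the site's DNS.
DNS = {"A", "B", "C", "D", "ns1", "ns2"}


def parse_hosts_equiv(text):
    """Return [(hostname, allowed)] from hosts.equiv text.

    A line is 'host [user]', '+' (trust every host) or '-host' (deny).
    Comments and blank lines are skipped; the optional user field is ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host = line.split()[0]
        if host.startswith("-"):
            entries.append((host[1:], False))
        else:
            entries.append((host, True))
    return entries


def trust_edges(configs):
    """Build edges src -> {dst}: a login on src is accepted on dst."""
    edges = {}
    for dst, text in configs.items():
        for src, allowed in parse_hosts_equiv(text):
            if allowed:
                edges.setdefault(src, set()).add(dst)
    return edges


def stale_entries(configs, dns):
    """(host, trusted_name) pairs where trusted_name no longer resolves."""
    stale = []
    for host, text in configs.items():
        for src, allowed in parse_hosts_equiv(text):
            if allowed and src != "+" and src not in dns:
                stale.append((host, src))
    return stale


def trust_path(edges, source, target):
    """Shortest chain of trust hops from source to target via BFS, or None."""
    prev = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in edges.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    edges = trust_edges(HOSTS_EQUIV)
    print("A reaches D via:", trust_path(edges, "A", "D"))
    for host, name in stale_entries(HOSTS_EQUIV, DNS):
        print(f"{host}: hosts.equiv trusts '{name}', which no longer resolves")
```

The graph direction matters: an entry in D's hosts.equiv is an inbound edge into D, so the search starts from the least-trusted segment and walks toward the asset you care about. On a real system you would feed in the actual files and resolve names against the live zone rather than a constructed set; the logic is the same.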
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/