nanog mailing list archives

Re: AV/FW Adoption Studies


From: Valdis.Kletnieks () vt edu
Date: Thu, 10 Jun 2004 17:56:01 -0400

On Thu, 10 Jun 2004 13:50:47 PDT, Eric Rescorla said:

> I'm asking the question:
> If you find some bug in the normal course of your operations
> (i.e. nobody told you where to look) how likely is it that
> someone else has already found it?
>
> And you're asking a question more like:
> Given that you hear about a bug before its release, how likely
> is it that some black hat already knows?
>
> I think that the answer to the first question is probably
> "fairly low". I agree that the answer to the second question is
> probably "reasonably high".

Third case:  Exploit in one package identified because of info from a similar
exploit against some *other* package....

Back in March 2000, I spotted a rather nasty security bug in
Sendmail (fixed in 8.10.1) when running under AIX or SunOS. Since the problem
is a documented *feature* of the system linker, a *lot* of software had the
problem - and the Sendmail release notes give enough info to make it "game
over". At that point, the 3 big things left were (a) writing a general-case
exploit (trivial if you use another one of the basic design goals of
the AIX linker against itself), (b) creating a shell one-liner to identify
vulnerable programs, and (c) running the script from (b). Of the three, (c)
was actually the most time-consuming.

3 years later, another package (OpenSSH) hit the same hole:
http://www.securityfocus.com/archive/1/320149/2003-04-30/2003-05-06/0

And it was a known issue months before I tripped over it:
http://mail.gnome.org/archives/gtk-devel-list/1999-November/msg00047.html

I'd be most surprised if black hats did *not* have an exploit for the
OpenSSH variant, having been pointed at the issue due to my finding a
similar issue in Sendmail.....

And there's *plenty* of evidence that when a novel attack is found, you see
lots of people posting "So I was bored and decided to see what *else* had the
same sort of bug..." (think "buffer overflow" ;)
