Penetration Testing mailing list archives

RE: Scanners and unpublished vulnerabilities - Full Disclosure


From: "Deus, Attonbitus" <Thor () HammerofGod com>
Date: Tue, 28 May 2002 18:42:30 -0700

At 04:20 PM 5/28/2002, Marc Maiffret wrote:
>I couldn't agree more. I personally see it as a ploy touting the fact that
>their purchasable product will now and then be able to look for some
>vulnerabilities that other products won't be able to.

Hey Marc- hope all is well...

I have to say that I'm confused... Are you speaking from the perspective of the pot or the kettle? Sorry, I had to ;) But before you get all pissed at me, let me say that the only reason I have considered buying *your* product when I can get stuff like URLScan or the comparable soon-to-be-available product from JD Glaser for *free* is for this very reason you call a "ploy." For instance, the latest issues with IIS were, at the time of your bulletin, protected by your SecureIIS product. It is not a ploy, it is value added.

>I think it's irresponsible to try to pawn off a marketing scheme as something
>that will help benefit the security community, or help the process of
>getting vulnerabilities fixed.

Yet you include sample exploit code with your notifications, and you give away "free" scanners to check for blank SA passwords. You are knee-deep in it, brudda!

>Giving out details of any nature, before there is a patch, is never the best
>route and should be used as a last resort, not a first.
>
>I also do not agree with the statements about people not being able to
>figure out exact details of the vulnerabilities based on the "VNA"'s.

Don't equate yourself with "people." You may be able to, but not your average Joe. And certainly not the people who have to use a tool to see if they have a blank SA pwd. But, with that said, let's take the text (from memory) of the SQL VNA. Block TCP 1433 and UDP 1434, and make sure you have proper firewall rules in place. What is the exploit?

> Now sometimes that won't be enough information however when you go
>make a scanning tool that knows how to pinpoint the flaw it's only a matter
>of time to reverse engineer that tool to figure out how it identifies the
>flaw and then drill that down further to pinpoint the vulnerability.

I couldn't reverse engineer my toaster, so I would fall back on a simple sniff. But yes, I would then get a leg up on the sploit. But so what? People who paid for the product, or who had a fink, could get their hands on it. Credit for discovery is not an issue, so it would only be those who would write an exploit. As you well know, if Litchfield has the bug, chances are other people have it too. If the vendor gets off their arse, then it is better for me.


> I am not saying I agree with that, but for people like David who are good at
>finding vulnerabilities, it only makes sense to try to figure out how to
>make a living off of that talnet... wrong or right no opinion.

"talnet?"  I think your fingers have been trained ;)


>I do see it
>as being a big problem, and totally unethical, if you start to manipulate
>the situation into being one of a strong arm style tactic where it's "give me
>money, so you stay protected"

You've gone too far here. NGSSoftware is not attacking people, or threatening to if they don't "pay up." If anything, it is a message to the vendors not to sit on a critical security bug for 8 months while they take advantage of someone else's good graces.

>.... equating it to store owners having to pay
>off local thugs so they don't go bashing their place up. Not that I am
>saying this is what is happening here.

Then what are you saying?  Why bring up a non sequitur analogy?

>Once again, I just think this is a
>really poor marketing ploy. But hey it's working... we're all discussing it,
>as dumb as it all is.

Let's put this in perspective. You supplied exploit code for the idq vulnerability. All manner of folk blamed you (incorrectly) for Code Red for the exact same reasons you are now saying are faulty with the VNA. You have a job because you are a bad-ass! Your company makes money *strictly* due to the fact that you perceive problems with other people's products, and provide solutions for them. What do you think the customer is paying for? I don't only want protection from 0-day exploits, it is what I *expect*!! I don't need protection from 6-month-old bugs- I need protection from the people like you and David that are not professional.

And that is what I will get when I buy your products. If anyone should get behind this, I would think it would be you.

Cheers, dude.  See ya at Blackhat.

Tim



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/