Penetration Testing mailing list archives

Re: Scanners and unpublished vulnerabilities - Full Disclosure


From: hellNbak <hellnbak () nmrc org>
Date: Thu, 30 May 2002 12:41:21 -0400 (EDT)

On Wed, 29 May 2002, Jon Bull wrote:

> 1)  Unless the consultants' license is very carefully distributed, unethical
> people will purchase Typhoon II, which can be furnished with near-zero-day
> exploits.  These are exploits that the public will be unable to guard
> against until a patch is released.  I believe that eventually Typhoon II
> will be used by unethical people to this end, and that it is impossible to
> guard against this eventuality as long as the consultants' license exists.
> (This point may be invalid if the consultant must go through NGSS who would
> verify permission with the site to be tested.  I doubt this is the case, but
> it would speak well of NGSS if this is the manner in which the consultants'
> license is handled.)

Not only that, but it has been proven time and time again that anyone can
get pretty much any software package they want, including cracks and/or
licenses.  What is to stop a malicious person, or even another security
vendor, from reverse engineering the "zero-day check" in order to discover
the exploit?  This can be addressed by not checking for the issue itself
but checking for o/s and patch level, but anyone with any experience with
vulnerability scanners knows that this is prone to generate false
positives and create much user annoyance.

> 2) Once an exploit is added to the list of checks on Typhoon II and an
> administrator or consultant determines his system to be vulnerable, he must
> still wait for a patch.


Not really: if it is a specific service or configuration, a workaround
could probably be created or ports can be filtered.

> 3) The recent JRun advisory, I feel, gives up too much information.  I'm
> sure as I type this someone is working to figure the length of the host
> header field needed to achieve the overflow.

I disagree - I think the JRun advisory was fine and, if anything, could have
been more complete.  Sure, people are working on finding the exploit, but
simply saying "there is an overflow possible in JRun via host headers" is
enough to get people to start to poke and prod; at least it is for me.

> Suggestion - Instead of making a scanner to test for a vulnerability that a
> Typhoon user may not be able to prevent, why not create IDS software to
> detect the exploit?  To me this seems a more defensive, responsible, and
> effective role.

Again, you expose the vulnerability in your signature.  Assuming that not
all employees are completely trustworthy this is a danger.

My $.02 on this issue - I applaud David's efforts to force vendors to be
more responsive.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak () nmrc org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
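The post above argues that a scanner which infers exposure from OS and patch level, rather than exercising the flaw itself, is prone to false positives. The following is an added illustration of that trade-off; it is not code from the post, from NGSS or from any scanner. The product name "ExampleServer", its version numbers, the backport patch id "ES-FIX-0001" and the host inventory are all constructed sample data, and the "fixed in 2.4.1" rule is a hypothetical advisory.

```python
"""Added illustration (not from the mailing-list post): a version/patch-level
check versus the same check refined with a patch inventory, and why the
version-only form produces false positives.  All names, versions and
patch ids here are constructed sample data."""
import re

# Hypothetical advisory: "ExampleServer" releases older than 2.4.1 are affected,
# unless the vendor's backported fix (constructed patch id) is installed.
FIXED_IN = (2, 4, 1)
BACKPORT_PATCH = "ES-FIX-0001"

BANNER_RE = re.compile(r"ExampleServer/(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch) from a service banner, or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def banner_check(banner):
    """Naive version-only check: flags anything older than the fixed release."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    return "vulnerable" if v < FIXED_IN else "not vulnerable"


def patch_level_check(banner, installed_patches):
    """Version check refined with a patch inventory (requires host-side data).

    A backported fix leaves the version string unchanged, so the banner-only
    verdict must be overridden when the fix is present."""
    verdict = banner_check(banner)
    if verdict == "vulnerable" and BACKPORT_PATCH in installed_patches:
        return "not vulnerable"
    return verdict


# Constructed inventory: host-b reports the old version string but carries
# the backported fix; host-d is an unrelated product.
HOSTS = {
    "host-a": ("ExampleServer/2.3.9", set()),
    "host-b": ("ExampleServer/2.3.9", {BACKPORT_PATCH}),
    "host-c": ("ExampleServer/2.4.2", set()),
    "host-d": ("OtherServer/1.0", set()),
}


def scan(hosts=HOSTS):
    """Run both checks over the inventory and return a verdict per host."""
    results = {}
    for name, (banner, patches) in hosts.items():
        results[name] = {
            "banner_only": banner_check(banner),
            "with_patch_level": patch_level_check(banner, patches),
        }
    return results


def false_positives(results):
    """Hosts the banner-only check flags that the patch-level check clears."""
    return sorted(
        h for h, r in results.items()
        if r["banner_only"] == "vulnerable" and r["with_patch_level"] != "vulnerable"
    )


if __name__ == "__main__":
    verdicts = scan()
    for host, r in verdicts.items():
        print(host, r)
    print("false positives from banner-only check:", false_positives(verdicts))
```

The banner-only check needs nothing but a network connection, which is why scanners favour it, but it cannot see a backported fix; the refined check removes that false positive only because it is fed host-side patch data that an unauthenticated scan does not have. Neither check reveals anything about the flaw itself, which is the property the post is after.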


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

