Vulnerability Development mailing list archives

Complicated Disclosure Scenario


From: Josha Bronson <dmuz () slartibartfast angrypacket com>
Date: Wed, 16 Jan 2002 19:01:24 -0800

Greetings fellow security folk,

I would like to gather some opinions on a not so theoretical disclosure
scenario. Please, for the sake of focused discussion, keep your replies
related to the specific scenario that I am proposing and not alternate
opinions on disclosure in general.

The situation is thus. I have discovered a bug in a major software
vendor's application. Initially the bug presented itself as a way to
crash the application, i.e. a DoS condition. Upon further research I
determined that I was able to overwrite some return addresses by
formatting the overflow in a specific way. As we all know, this means that
there is the possibility that this could allow code to be executed on
the remote system.

At this point I contacted the vendor to alert them to the existence of
this problem. After exchanging multiple emails, in which I tediously
outlined the DoS condition and *potential* exploit situation I was told
that they would wait until I determined if code could be exploited
before they began creating an advisory or even working on a patch.

I informed this vendor, who is by no means short on resources, that I
might not be able to successfully make that determination due to
constraints on my time (after all I do this for fun) and ability, as
this problem exists on an architecture that I have very little
experience with.

I encouraged the vendor to begin their own investigation. They ignored
this, and again stated that they would await my results.

This is the problem as it sits. If I reach out to "the community" for
additional assistance with researching this bug I might as well just send
out an advisory. If I release an advisory the vendor will most likely
not have a patch ready, they will feel violated and the user base will
be left open to exploitation with no fix. If I do nothing, the problem
persists and nothing gets accomplished, and maybe someone with not so
good intentions discovers the same bug and uses it to do harm.

So, what would you do?

-- 
Josha Bronson
dmuz () angrypacket com
AngryPacket Security