North American Network Operators Group
Re: AV/FW Adoption Studies
On Thu, 10 Jun 2004 13:50:47 PDT, Eric Rescorla said:

> I'm asking the question:
> If you find some bug in the normal course of your operations
> (i.e. nobody told you where to look) how likely is it that
> someone else has already found it?
>
> And you're asking a question more like:
> Given that you hear about a bug before its release, how likely
> is it that some black hat already knows?
>
> I think that the answer to the first question is probably
> "fairly low". I agree that the answer to the second question is
> probably "reasonably high".

Third case: Exploit in one package identified because of info from a similar exploit against some *other* package....

Back in March 2000, I spotted a rather nasty security bug in Sendmail (fixed in 8.10.1) when running under AIX or SunOS. Since the problem is a documented *feature* of the system linker, a *lot* of software had the problem - and the Sendmail release notes give enough info to make it "game over". At that point, the 3 big things left were (a) writing a general-case exploit (trivial if you use another one of the basic design goals of the AIX linker against itself), (b) creating a shell one-liner to identify vulnerable programs, and (c) running the script from (b). Of the three, (c) was actually the most time-consuming.

3 years later, another package (OpenSSH) hit the same hole:
http://www.securityfocus.com/archive/1/320149/2003-04-30/2003-05-06/0

And it was a known issue months before I tripped over it:
http://mail.gnome.org/archives/gtk-devel-list/1999-November/msg00047.html

I'd be most surprised if black hats did *not* have an exploit for the OpenSSH variant, having been pointed at the issue due to my finding a similar issue in Sendmail.....

And there's *plenty* of evidence that when a novel attack is found, you see lots of people posting "So I was bored and decided to see what *else* had the same sort of bug..." (think "buffer overflow" ;)