Hey guys, don't want to cause a stir, but here are some thoughts I have since that SSH issue was dear to me when it came out.

On Mon, 2003-10-20 at 05:28, mitch_hurrison@ziplip.com wrote:
> What is the added value of anyone
> disclosing an exploit to you?

Proof that it is indeed exploitable. I personally don't need an exploit, just show me in a discussion where it is exploitable. I still don't believe that the first issue (heap overwritten with 0's) is exploitable other than a DoS. Now the PAM issue probably is, I haven't looked at that.

Just so you know where I'm coming from: I get pretty pissed off when unsubstantiated rumors cause a commotion that everyone is jumping on without having done a review or proof of its existence, especially when it's used to feed the FUD mill. For example, if someone spreads a rumor that the latest version of Apache is exploitable with a remote root exploit (not just DoS) in the mime_module, but while reviewing the code it just doesn't seem possible, then that person making those claims better back it up with some data. Doesn't have to be exploit code, but an analysis that convinces others.

> A) You know the bug exists.
> B) You know it's probably a good idea to patch it.

heh... Nothing wrong with that statement. However, the severity of the issue (DoS vs. remote-root) would be helpful in determining if admins should yank the boxes during production, or wait to patch after hours.

> But to put your mind at ease. Yes it is exploitable. Will you
> get an exploit from me? Hell no.

Okay, please show us in discussion where it is exploitable. No need for exploit code to feed the script kiddies, just convince me with an analysis. I still believe that the heap-write-0 issue is not exploitable other than a DoS. If you think it is, please show us how.

Cheers,
Frank