RE: [Full-Disclosure] No Subject
- Subject: RE: [Full-Disclosure] No Subject
- From: "Schmehl, Paul L" <pauls@utdallas.edu>
- Date: Mon, 20 Oct 2003 17:08:34 -0500
> -----Original Message-----
> From: mitch_hurrison@ziplip.com [mailto:mitch_hurrison@ziplip.com]
> Sent: Monday, October 20, 2003 3:44 PM
> To: frank@knobbe.us
> Cc: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] No Subject
>
> I think you misinterpreted my argumentation. In my eyes
> anyone who is not independently capable of verifying
> the exploitability, or at least devising the theory
> behind possible exploitation, of the ossh nul overflow
> is a "script kiddie". As you so aptly put it.
>
So there's the 1% l33ts like you, and then there's the 99% of the human
populace that has other things to do besides squirrel around with code.
I get it.
> Now if you're somewhat at home in heap mismanagement bugs
> you should know that this issue, provided you have a
> favourable heap layout (hooray for memory leaks),
> is exploitable on at least
> Linux. That's as far as I'll go. Remember apache? One
> man's DoS is another man's remote. For god's sake even
> ISS believes the issue to be exploitable. And Duke may
> be a lot of things, stupid he is not. (ok so maybe that's
> up for debate, hi Mark!) As far as the PAM issue goes,
> that's fucking trivial.
I learned in high school (which was a long long time ago) that there are
those that say they can do something, and then there are those who don't
say anything but do a lot. You appear to fall into the first category
based on your ramblings.
>
> Now at the end of the day it's neither my duty nor my desire
> to release anything. I don't owe you shit. And I'm not about
> to post something that took a lot of research just to make a
> moot point. Any admin who did not patch their servers using
> "oh it's just a DoS" as justification should be fired on the
> spot. Again, and this is getting tiresome, a bug was
> recognised to be a security issue. Security issues get a
> priority to patch. It'd be a different story if it wasn't
> published as being a security issue.
>
Once again, another clueless code monkey who "admins" a network of one.
I'm not impressed.
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html