Hi Paul,
Again, what is it about your personality that makes you incapable
of taking part in an adult discussion of responsible disclosure
issues? Is it that anyone who has a different opinion than yours
is automatically not worth your time? That sounds kind of Nazi-like
to me, Mr. Schmehl.
It's quite saddening to see this list turn into a pack of hungry,
salivating fools at even a hint of an exploit for this issue. You
seem to have more of a hard-on for the "juarez" than any "kiddie"
I've ever met. Even when trying to debate some of the issues
surrounding the disclosure of such a potentially devastating
exploit, all one gets is "yeah, yeah. Now make with the warez".
As far as it being "easy" to exploit: no, it isn't. You have to
abuse a lesser issue, a memory leak to be more precise, to get
a heap layout that will allow you to survive the initial memset
without landing in bad memory. Now, without going into details,
anyone who manages to survive the initial memset should be able
to debug the crash to the point of exploitation. This is manageable
on at least Linux IA32 systems.
Now I'll try and bring my original point forward one last time,
although I fear it will just call for more immature commentary
from the likes of Paul Schmehl.
There is no need for anyone to release this exploit. It will change
nothing about the fact that you need to upgrade your daemons. It
will change nothing about the bug details already published. There
is no reasoning for it other than "but I want to learn how to do it".
And sorry, but that's just not good enough to warrant the mayhem that
will ensue when an exploit like this is released. So if you, in
your academic pursuits, decide to tackle this problem, by all means
go right ahead. But I think anyone who's discovered the real impact
of this bug will realise that disclosing the exploit to the
general public is highly irresponsible.
Now on a larger scale, I think it's rather foolish to cop an attitude
that assumes anything that doesn't exist in the public eye isn't
possible. It reeks of the same arrogance I'm accused of. Is it
arrogant to step forward to try and explain why no one who managed
to exploit ossh is willing to step forward? Maybe it is.
Fact remains that exploiting this issue requires creativity beyond
the pre-chewed papers. And that's why you're not seeing the regular
array of mediocre "hackers" producing exploit code. I'd like to
think that anyone who was capable of writing this exploit also
recognises the potential impact of releasing it.
So instead of trying to poke fun at me Paul, why don't you do your
duty as a knight of Full Disclosure and provide the good people
of this list with a definite analysis on the ossh 32k nul heap
munging? (buzzword quota filled).
This is the year 2003. We aren't
the only ones reading these lists, people. Do you really want to
be responsible for arming the more hostile elements in the world
with such a tool? I can't stress it enough. No one should release
this exploit. And to be honest, in this day and age I think anyone
releasing exploits to the general public is losing sight of a
bigger picture that affects us all. Now I'm not talking about
the Nth trivial snosoft local stack overflow "exploit". I'm talking
about the apaches, the openssh's and the ms rpc's. Time and time
again it's become apparent that full disclosure simply does not
function. And although I realise that there will always be people
supporting full disclosure, I think even with the disclosure of
vulnerability information, releasing exploits is something that's
not justifiable in any way.
There is simply no need for exploits, especially not one that would
affect people and nations around the globe. You have to look beyond
your own little egocentric world of friendly exploit dev and "but it's fun",
and take a look at the bigger picture.
So to you Paul, and to the rest of this list, I say once again:
if you can't write the exploit, you don't..need.. the exploit.
With regards,
Mitch