Re: [Full-disclosure] xp sp3 remote bof
- To: elfius <elfius@xxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] xp sp3 remote bof
- From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
- Date: Sat, 18 Jun 2011 17:57:23 +0000
Meh. It's not worth hen shit on a pump handle without some details. Your
claim of "quite a few offers" doesn't really make much sense either. You
initially claim that you're new here, and to the scene in general, and that you
need MSFT's security alias. But even as a noob, you claim to have a remote
exploit that you won't give any details on. Do you actually believe that
legitimate offers will come pouring in based on this claim? Giving details
would be trivial and can be accomplished without giving away any precious
secrets. An example would be "I have a POC that exploits a vulnerability in
the XP SP3 firewall in its default configuration giving an attacker remote,
unauthenticated system access."
The value of the list is in the vetting. More likely than not, given the way
you've approached this, you have probably come across something you *think* is
a vulnerability that has some dependency on something like "if you get the
administrator to run code that turns off the firewall first, it is possible to
get them to click this link on a remote SMB share that might trigger a bof,
which might be exploitable."
You were obviously aware of the concept of responsible disclosure, or you
wouldn't have posted asking for Microsoft's security alias (which in itself
tells us you can't use The Google). You then, on the Full Disclosure list,
tell everyone how you would rather keep it to make money and not share any
details. I think you meant to find the "Bull Disclosure" list instead.
t
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of elfius
Sent: Friday, June 17, 2011 3:22 AM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] xp sp3 remote bof
Thanks for the advice guys. I've received quite a few interesting offers from
some rather shady sounding people (as well as public messages here), and I've
begun to realise how much this is worth. So for the time being anyway I think
I'll keep it for a rainy day. Cheers again for the input.
ciao,
chown
On Fri, Jun 17, 2011 at 6:24 AM, phil <jabea@xxxxxxxxx> wrote:
I suggest ZDI too, or like Thor told secure@xxxxxxxxxxxxx.
If you got a real PoC then the guys at Microsoft will listen and will
acknowledge you fast... but if your PoC is not ok, and it just shows a small
bug, or if you want to remain anonymous then ZDI is the way to go IMO or you
will end up waiting for an answer from MS for months before discovering that it
has been patched without any thanks or acknowledgement.
NB: You can email cert (cert@xxxxxxxx/soc@xxxxxxxxxxx) too, but
you will have no income for that report and they will email MS in the end.
In either case, if MS don't answer you in a timely manner, FD will still be
there to disclose the PoC.
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of elfius
Sent: June 16, 2011 14:50
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] xp sp3 remote bof
Hi guys,
I'm pretty new in these parts, and to the scene in general, but I've been doing
low level dev for a while. Anyway introductions aside, I have a somewhat stable
remote bof poc for xp sp3 (which I'm not going to go into detail about), and
I've signed up to this list to ask the security community what I should do. I
figured I can't just email Microsoft from my personal email address, and I
wouldn't even know who to email at Microsoft. So I'm open to the advice of
those a bit more experienced.
ciao,
chown
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/