
Re: What is the point here?



On Sun, 18 Jan 2004, Alun Jones wrote:

> I've been meaning to say something about this for some considerable time
> now, on various exploits and "proofs of concept" that have been posted to
> this list.
>
> Fine, I get the idea of posting a sample exploit, or a POC, as a means to
> spurring on developers (and administrators) to fix and patch systems against
> attack.  But really, unless there's a 'fix' that turns out not to be a fix,
> what is the point of posting a "second version" of a sample exploit or POC?
> [Maybe there's a good example in this case, but the poster never mentioned
> what the change was from the standpoint of getting the hole fixed]
>
> What is the point of cleaning up a sample exploit?  What is the point of
> posting more and "better" POCs?  What is the point of admitting such to this
> list?  I know it's a moderated list, because I've seen my own share of
> rejected messages, so I'm going to ask what the point is of the moderation?
>
> We've seen several POCs posted to this list with absolutely no attempt made
> to contact the developers, and we've seen people take other POCs and "fix
> them", so that they install a remote shell without alerting the
> administrators of the machine.  Why?
>
> If full disclosure in the name of protecting systems is what we're about,
> then we need to be contacting vendors of systems we breach, and we need to
> be posting code that goes only as far as is necessary to demonstrate the
> breach - _not_ far enough to be the source for the next root kit.
>
(...blah blah...)

If you make BT a list that filters out the exploits, there will appear a
lot of other lists or distribution channels that spread exploits/PoC (no
matter what they are).
The result is: admins reading BT will think that the bug just mentioned
is hardly or not exploitable, as they have seen no exploit, while the exploit
is distributed among blackhats.

It's been discussed here many, maaaaaany times. We don't see a need to
quote it again.

Rgrds,

-- 
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners