Dailydave mailing list archives

Re: Anonymized posting.


From: Dave Aitel <dave () immunitysec com>
Date: Sun, 23 May 2004 18:23:55 -0400

Personally, I think it's weird how K-otik (the French exploit
repository) removed the headers from these codes. I'm not sure what
the bizarre motivation on that is.

Deb Hale posted this:
http://isc.sans.org/diary.php?date=2004-05-21

"""
*alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap
overflow attempt (target Linux)"; flow:to_server,established;
content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|";
offset:0; depth:20; dsize: >512; threshold: type limit, track by_dst,
count 1, seconds 60 ; sid:1000000; rev:1; classtype:attempted-admin;)
"""

I typically find the SANS diary to only occasionally halfway
understand what they're talking about. I think it's funny they call
themselves handlers instead of "people without computer science
degrees or any knowledge of computer security trying desperately to
learn how to read shellcode and informing a legion of other people
about vulnerabilities, worms, and exploits à la the blind and deaf
leading the blind". I guess that was too long to put before "On Duty"
in their signatures.

As an example, here's her header:
Follow-up to May 19th Handlers Diary: The cvs exploit published
yesterday has been used multiple times. PATCH NOW! The cvs main
homepage (cvshome.org) appears to be down. However, you should still
be able to obtain patches from mirrors.

That seems silly. What we have here is a potential (aka nearly
certain) corruption of every open source source tree. CVS itself being
vulnerable is about .00001 of the problem. Warning about the CVS
exploit being used now is like sitting around in Pompeii after Vesuvius
warning about a heavy pollen day.

And, as various customers can tell you, those SNORT rules won't detect
CANVAS.

Dave Aitel
Immunity, Inc.

Someone wrote:
(Anonymized Posting)

| http://packetstormsecurity.org/0405-exploits/cvs_solaris_HEAP.c
| http://packetstormsecurity.org/0405-exploits/cvs_linux_freebsd_HEAP.c
|
|
| cvshome.org is still offline, and automated exploits are publicly
| available.  Patches do very little good when the vendor cannot
| keep the distribution point online.
|
| These obviously were not written post-publication of CAN-2004-0396.
| They were in fact written prior to the publication of
| CAN-2003-0015. Makes you wonder what good the publication of either
| bug has done.
|
| If security is a race condition, the good guys have just taken a
| beating.
|
| Whoever they are.

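The Snort rule quoted earlier in this message, worked through as an added example that is not part of the original post or of the ISC diary: a small Python matcher that decodes the rule's hex content and applies its offset, depth and dsize checks to constructed CVS request payloads. The sample payloads and helper names are this example's own assumptions.

```python
import re

# The Snort rule quoted above from the ISC diary; only the options this
# example evaluates are kept (threshold/sid/rev/classtype are omitted).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 '
        '(msg:"CVS server heap overflow attempt (target Linux)"; '
        'flow:to_server,established; '
        'content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; '
        'offset:0; depth:20; dsize: >512;)')


def parse_rule(rule):
    """Return (content_bytes, offset, depth, dsize_min) from a rule string.

    Only the pipe-delimited hex form of 'content' is handled, which is
    the form the quoted rule uses."""
    hexstr = re.search(r'content:"\|([0-9a-fA-F ]+)\|"', rule).group(1)
    content = bytes.fromhex(hexstr)
    offset = int(re.search(r'offset:\s*(\d+)', rule).group(1))
    depth = int(re.search(r'depth:\s*(\d+)', rule).group(1))
    dsize_min = int(re.search(r'dsize:\s*>\s*(\d+)', rule).group(1))
    return content, offset, depth, dsize_min


def rule_matches(rule, payload):
    """Apply the rule's dsize and content/offset/depth checks to one payload.

    offset/depth restrict the search to a window starting 'offset' bytes in
    and 'depth' bytes long; the content must lie wholly inside that window."""
    content, offset, depth, dsize_min = parse_rule(rule)
    if len(payload) <= dsize_min:      # dsize: >512 means strictly greater
        return False
    return content in payload[offset:offset + depth]


# Constructed sample payloads (not real captures): an Entry line padded
# with the same filler bytes the rule encodes and well over 512 bytes,
SAMPLE_OVERSIZED = b"Entry CCCCCCCCC/CC" + b"C" * 600 + b"\n"
# and an ordinary CVS client Entry line for a checked-out file.
SAMPLE_LEGIT = b"Entry /README/1.4/Fri May 21 10:00:00 2004//\n"


if __name__ == "__main__":
    print("content decodes to:", parse_rule(RULE)[0].decode())
    for name, p in [("oversized", SAMPLE_OVERSIZED), ("legit", SAMPLE_LEGIT)]:
        print(f"{name:10s} match={rule_matches(RULE, p)}")
```

The decoded content is the literal string `Entry CCCCCCCCC/CC`, which is why the rule keys on one specific filler sequence rather than on the overflow condition itself.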

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave

