I don't particularly agree with the NTBug traq philosophy myself, yet Mr.BrootForce did not originally discover this. I received source on this issue from my friend rain.forest.puppy the day after it was announced. He of course got it from Juan Carlos G. Cuartango, as they were discussing the issue for a couple of days before it's posting. I in turn forwarded the .xls file to cyb0rg/asm a friend of mine in Hackcanada. Who in turn passed it on to BrootForce. So if BrootForce is claiming discovery of this issue, he is sadly mistaken. Or if you are simply assuming that brootforce discovered the issue, then you should perhaps ask questions before assuming. I would like to apologize to RFP for ever passing the file along, even if it was to someone I trusted implicitly. If it wasn't for me passing it on, this wouldn't be an issue. I suppose it also possible that brootforce did actually discover this, and told no-one for months, and also said nothing when it was posted here. That he lied very convincingly to Cyb0rg/asm when they initially discussed the vulnerability, that I had passed on to him. So all told, IMHO brootforce knew nothing in regards to this before he received the .xls file that I had received from RFP. And that the initial discovery still stands as belonging squarely to Juan Carlos G. Cuartango, and Rain Forest Puppy. I would also like to please ask Russ to make this a full disclosure list. My receiving the source on this allowed me to slap together a rough yet affective patch for this vulnerability nearly 2 weeks before MS got around to it. And I am responsible for over 1600 NT machines on a province wide network, that holds extremely sensitive data on the general population of Canada. If I had not got my hands on this, I would have been living in absolute fear for the last couple of weeks. thanks for your time everyone :) Hex_Edit (www.hackcanada.com) >Well it seems some people still believe in security through obscurity. >Three weeks after the vulnerability was announced the people >with the knowledge of the details have not disclosed further >information (hi Russ). > >Now that same people are asking whether the information should >be disclosed at all (and trying to get some nice publicity out >of it). > >Well guess what? An exploit is been around for quite a while now. >We've had an exploit in the SF vulnerability database for some time >now. We refer to this vulnerability as BUGTRAQ-ID 548 >"Microsoft JET ODBC Vulnerability". > >The exploit, originally by BrootFoce, is an Excel file that >starts an FTP session to download a file and launches Regedit >when opened. Please note that for the exploit to work the >file C:\CONFIG.SYS must exists. This is an arbitrary file. >Any other file will do. > >Now without knowing the full details of the vulnerability we >can only guess that this exploit exercises the same >vulnerability. Maybe the people in the known will enlighten us? > >Now what does this teach us? That trying to keep the details >of a vulnerability secret while at the same time announcing >it existence does not work. If you are going to announce a >vulnerability, provide all the details. Otherwise keep the >vulnerability to yourself. > >BUGTRAQ and Security Focus will always be committed to >full disclosure. Your mileage may vary with others. > >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:19 PDT