I don't particularly agree with the NTBug traq philosophy myself, yet
Mr.BrootForce did not originally discover this. I received source on this
issue from my friend rain.forest.puppy the day after it was announced. He
of
course got it from Juan Carlos G. Cuartango, as they were discussing the
issue for a couple of days before it's posting. I in turn forwarded the
.xls
file to cyb0rg/asm a friend of mine in Hackcanada. Who in turn passed it
on
to BrootForce. So if BrootForce is claiming discovery of this issue, he is
sadly mistaken. Or if you are simply assuming that brootforce discovered
the
issue, then you should perhaps ask questions before assuming. I would like
to apologize to RFP for ever passing the file along, even if it was to
someone I trusted implicitly. If it wasn't for me passing it on, this
wouldn't be an issue. I suppose it also possible that brootforce did
actually discover this, and told no-one for months, and also said nothing
when it was posted here. That he lied very convincingly to Cyb0rg/asm when
they initially discussed the vulnerability, that I had passed on to him.
So
all told, IMHO brootforce knew nothing in regards to this before he
received
the .xls file that I had received from RFP. And that the initial discovery
still stands as belonging squarely to Juan Carlos G. Cuartango, and Rain
Forest Puppy.
I would also like to please ask Russ to make this a full disclosure list.
My
receiving the source on this allowed me to slap together a rough yet
affective patch for this vulnerability nearly 2 weeks before MS got around
to it. And I am responsible for over 1600 NT machines on a province wide
network, that holds extremely sensitive data on the general population of
Canada. If I had not got my hands on this, I would have been living in
absolute fear for the last couple of weeks.
thanks for your time everyone :)
Hex_Edit (www.hackcanada.com)
>Well it seems some people still believe in security through obscurity.
>Three weeks after the vulnerability was announced the people
>with the knowledge of the details have not disclosed further
>information (hi Russ).
>
>Now that same people are asking whether the information should
>be disclosed at all (and trying to get some nice publicity out
>of it).
>
>Well guess what? An exploit is been around for quite a while now.
>We've had an exploit in the SF vulnerability database for some time
>now. We refer to this vulnerability as BUGTRAQ-ID 548
>"Microsoft JET ODBC Vulnerability".
>
>The exploit, originally by BrootFoce, is an Excel file that
>starts an FTP session to download a file and launches Regedit
>when opened. Please note that for the exploit to work the
>file C:\CONFIG.SYS must exists. This is an arbitrary file.
>Any other file will do.
>
>Now without knowing the full details of the vulnerability we
>can only guess that this exploit exercises the same
>vulnerability. Maybe the people in the known will enlighten us?
>
>Now what does this teach us? That trying to keep the details
>of a vulnerability secret while at the same time announcing
>it existence does not work. If you are going to announce a
>vulnerability, provide all the details. Otherwise keep the
>vulnerability to yourself.
>
>BUGTRAQ and Security Focus will always be committed to
>full disclosure. Your mileage may vary with others.
>
>
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:19 PDT