Re: how often do 0-days REALLY happen?

From: Ryan Russell (ryanat_private)
Date: Tue Jan 08 2002 - 16:43:21 PST

    On Tue, 8 Jan 2002, leon wrote:
    > I have been reading this list for a couple of years now and I just
    > got done reading hacker's challenge.  Great book (hi to everyone who
    > contributed and reads this list, I know David D is one of them).  The
    > book is quite unique in how it goes about presenting itself.
    > Basically it is 20 challenges (here is what happened, here are the
    > logs, and here are some questions).  At the end of the book are the
    > solutions (how a security professional figured out xy and most
    > importantly z).
    
    I'm up to about chapter 9.  Very interesting book, and probably of
    interest to the readers of this list.
    
    > months.  So I ask upon you incidents list (ye who have SO MUCH more
    > experience then I) do systems being compromised by zero day exploits
    > really happen (I am sure they happen but I am really curious as to
    > the frequency and how a professional goes about dealing with a never
    > seen before exploit.)
    
    As you stated, the vast majority of attacks out there are for older
    vulnerabilities.  I can give a few anecdotal examples of 0-day.  (In most
    cases, it's an unknown exploit, not an unknown vulnerability.)
    
    - The snmpXdmid exploit.  Search the Incidents archives for "Carko".
    Someone found a binary exploit for the snmpXdmid Solaris hole on a
    compromised machine.  We analyzed the binary.  As part of the
    investigative work, I found evidence for at least 4, and possibly 5,
    unpublished snmpXdmid exploits in the wild.  Unpublished means they didn't
    appear on the usual mailing lists, nor on public websites.
    
    - The .htr worm.  The guys at eEye were given a copy of a worm that
    exploited the .htr IIS hole.  This was supposedly before the hole was
    known publicly (true 0-day?) and is supposed to have been a precursor to
    CodeRed (shows some similarities.)  Don't know why the worm wasn't more
    "successful".
    
    - There have been several "leaked" exploits, which have been discussed
    here and on Bugtraq.  These include a TESO telnet exploit, and one or two
    SSH CRC32 exploits.
    
    And of course, before Bugtraq was prevalent, all exploits that made it
    around were "private", stolen, etc...
    
    Ryan
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 21:41:56 PST