Re: how often do 0-days REALLY happen?

From: Ryan Russell (ryanat_private)
Date: Tue Jan 08 2002 - 16:43:21 PST

Next message: Michal Zalewski: "Re: how often do 0-days REALLY happen?"

Previous message: Greg Francis: "Re: how often do 0-days REALLY happen?"
In reply to: leon: "how often do 0-days REALLY happen?"
Next in thread: Michal Zalewski: "Re: how often do 0-days REALLY happen?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 8 Jan 2002, leon wrote:
> I have been reading this list for a couple of years now and I just
> got done reading hacker's challenge.  Great book (hi to everyone who
> contributed and reads this list, I know David D is one of them).  The
> book is quite unique in how it goes about presenting itself.
> Basically it is 20 challenges (here is what happened, here are the
> logs, and here are some questions).  At the end of the book are the
> solutions (how a security professional figured out xy and most
> importantly z).

I'm up to about chapter 9.  Very interesting book, and probably of
interest to the readers of this list.

> months.  So I ask upon you incidents list (ye who have SO MUCH more
> experience then I) do systems being compromised by zero day exploits
> really happen (I am sure they happen but I am really curious as to
> the frequency and how a professional goes about dealing with a never
> seen before exploit.)

As you stated, the vast majority of attacks out there are for older
vulnerabilities.  I can give a few anecdotal examples of 0-day.  (In most
cases, it's an unknown exploit, not an unknown vulnerability.)

- The snmpXdmid exploit.  Search the Incidents archives for "Carko".
Someone found a binary exploit for the snmpXdmid Solaris hole on a
compromised machine.  We analyzed the binary.  As part of the
investigative work, I found evidence for at least 4, and possibly 5,
unpublished snmpXdmid exploits in the wild.  Unpublished means they didn't
appear on the usual mailing lists, no on public websites.

- The .htr worm.  The guys at eEye were given a copy of a worm that
exploited the .htr IIS hole.  This was supposedly before the hole was
known publically (true 0-day?) and is supposed to have been a precursor to
CodeRed (shows some similarities.)  Don't know why the worm wasn't more
"successful".

- There have been several "leaked" exploits, which have been discussed
here and on Bugtraq.  hese include a TESO telnet exploit, and one or two
SSH CRC32 exploits.

And of course, before Bugtraq was prevelant, all exploits that made it
around were "private", stolen, etc...

					Ryan


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Michal Zalewski: "Re: how often do 0-days REALLY happen?"
Previous message: Greg Francis: "Re: how often do 0-days REALLY happen?"
In reply to: leon: "how often do 0-days REALLY happen?"
Next in thread: Michal Zalewski: "Re: how often do 0-days REALLY happen?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 21:41:56 PST