hello, There has been a bit of speculation regarding similar concerns in the past, and I thought I might chime in with a bit of subjective commentary. I think anyone that is even remotely knowledgable has pondered this issue once or twice. I (personally) was quite interested in issues similar to that which you stated, specifically with ICMP and the linux kernel. I delved into it a bit, but soon realized that much of it was beyond my coding skill. I am fairly confident (not only) that there are weaknesses in the Nework layers of open source kernels, but also that there are individuals who have found ways to exploit such weaknesses. I would speculate that whomever has found a method to exploit such a vulnerability, is far removed from the "Information Security" community and its pond scum (kiddies, sec mailing lists, etc :-). Please also consider the possibility that vulnerabilities in Open Source kernels don't necessarily have to be inherent in the contributing developers code. Distro sites, CVS's, all are VERY accessible. Honestly, when was the last time you scrutinized the pgp'd checksums of some software you were grabbing from your favorite distribution site!? It seems that many people in the Security community take a "system-centric" approach to security. People tend to focus on the system specific facets by searching for "magic bullets" and following stringent guidlines. This technology is NOT formulaic. By its very nature, its amorphous, and as such, stringent and formulatic security policies are ineffective. In response to your assumption about the reality of such an exploit, I would suggest that you not be so quick to assume that because nothing has popped up on a vuln-dev-type mailing list, or that because the kiddies arent trading it, it doesnt exist. I suggest "Linked" by Albert-Laszlo Barabasi. I am finding you can sometimes learn more from an unlikely source than by going "straight to the horse's mouth", we just gotta keep our eyes open. On Sun, 8 Sep 2002 andy_mnat_private wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hey > > I've been hearing about this for the past year, but always shrugged > it off as fun-and-games at best or FUD at worst. A few days ago, though, > I posed the question to a friend who has been a very reliable source > in the past concerning exploit rumors and security gossip (among > many other things, he was able to give me two week's warning about > the Apache chunked encoding hole). He said in no uncertain terms > that although he has no substantial information concerning the flaws, > the Linux kernel, FreeBSD/OpenBSD kernel, and possibly other kernels > contain remote vulnerabilities that were discovered independently by > both a Bindview employee and/or an individual using the nickname ~el8. > > The bugs are said to have something to do with integer manipulation in > the kernels' TCP/IP stacks. That's all he was able to offer me, but was > very forward in saying that he has full confidence based on > conversations with others that these bugs do indeed exist. > > Now, there's always the chance I'll be wrong, but unless someone wishes > to comment on the technical plausibility of these vulnerabilities, I > have several second-rate reasons as to why I believe these rumours > are most likely just figments of the imagination: > > - - I have not seen any incident reports on Incidents, or any other > mailing list for that matter. > > - - You'd think several high profile sites would've been attacked already > with such devastating exploits, but I've seen no reports of this. In > fact, if the kids really did have such an exploit, you'd think they'd > tag their h4ndl3z all over high profile sites. But according to Alldas, > high profile defacements have been virtually nonexistent in the last > year or so. > > - - Given the skill required to craft such an exploit, I'd think it > would be way out of the grasp of the kids. Since no researcher has > come forth with such a vulnerability, it's logical to conclude that > this does not exist. > > > Anyway, I'm very interested in hearing what others have to offer > concerning these rumors. Even if it's for reassurance ;> > > - -- Andy > > > > -----BEGIN PGP SIGNATURE----- > Version: Hush 2.1 > Note: This signature can be verified at https://www.hushtools.com > > wlwEARECABwFAj17ObAVHGFuZHlfbW5AaHVzaG1haWwuY29tAAoJEDRxILB1JtUKPLoA > n1do1g9fG+QCaKe5+dFeMu9Rw5KNAKCOLV2ToVpNRmmH2V2t1sdBsZi6ew== > =h3o0 > -----END PGP SIGNATURE----- > > > > > Get your free encrypted email at https://www.hushmail.com > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 10 2002 - 08:52:26 PDT