Complicated Disclosure Scenario

From: Josha Bronson (dmuzat_private)
Date: Wed Jan 16 2002 - 19:01:24 PST


    Greetings fellow security folk,
    
    I would like to gather some opinions on a not so theoretical disclosure
    scenario. Please for the sake of focused discussion keep your replies
    related to the specific scenario that I am proposing and not alternate
    opinions on disclosure in general.
    
    The situation is thus. I have discovered a bug in a major software
    vendor's application. Initially the bug presented itself as a way to
    crash the application, i.e. a DoS condition. Upon further research I
    determined that I was able to overwrite some return addresses by
    formatting the overflow in a specific way. As we all know, this means that
    there is the possibility that this could allow code to be executed on
    the remote system.
    
    At this point I contacted the vendor to alert them to the existence of
    this problem. After exchanging multiple emails, in which I tediously
    outlined the DoS condition and *potential* exploit situation, I was told
    that they would wait until I determined if code could be exploited
    before they began creating an advisory or even working on a patch.
    
    I informed this vendor, who is by no means short on resources, that I
    might not be able to successfully make that determination due to
    constraints on my time (after all I do this for fun) and ability, as
    this problem exists on an architecture that I have very little
    experience with.
    
    I encouraged the vendor to begin their own investigation. They ignored
    this, and again stated that they would await my results.
    
    This is the problem as it sits. If I reach out to "the community" for
    additional assistance with researching this bug I might as well just send
    out an advisory. If I release an advisory the vendor will most likely
    not have a patch ready, they will feel violated and the user base will
    be left open to exploitation with no fix. If I do nothing, the problem
    persists and nothing gets accomplished, and maybe someone with not so
    good intentions discovers the same bug and uses it to do harm.
    
    So, what would you do?
    
    -- 
    Josha Bronson
    dmuzat_private
    AngryPacket Security
    
    This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 02:40:22 PST