Slashdot Mirror


$16,000 Bounty for Sendmail, Apache Zero-Day Flaws

Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says it's doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"

173 comments

  1. IIS and Exchange by Anonymous Coward · · Score: 1, Funny

    Easy money....easy money.

    1. Re:IIS and Exchange by ISwearNotmyPorn · · Score: 3, Funny

      If you want to talk easy money think Sendmail.

    2. Re:IIS and Exchange by grub · · Score: 1

      The article says Sendmail has had only 4 remote holes since 2003... Why not lead by example and dig up a fresh one?

      --
      Trolling is a art,
    3. Re:IIS and Exchange by morgan_greywolf · · Score: 2, Insightful

      Ummmm, try BIND.

      BTW -- TFA says that IIS 6 hasn't had a single public remotely-exploitable hole. That means essentially nothing to me, because most serious 'hackers' aren't using public exploits.

    4. Re:IIS and Exchange by ISwearNotmyPorn · · Score: 1

      I'm surprised the article states the '2003' date because it seems I'm always reading up on a new sendmail exploit in Linux Journal. This is one that apparently got much attention. http://www.internetnews.com/security/article.php/3593546 I don't doubt the article necessarily but I find it odd that exploits like the one I'm linking to are not considered critical enough to be included in the 2003 assessment.

    5. Re:IIS and Exchange by icepick72 · · Score: 3, Insightful

      Yes because we all know the public exploits just sitting out there are totally ignored by hackers in favour of the um non-public ones. Ummmm .... so ..... IIS must therefore be insecure because surely we can't say anything good about it here. I mean it's a piece of shit because we can hypothesize unstated scenarios about it.

      I think it does mean a lot to many people when a piece of software has never had a publicly exploitable hole.

    6. Re:IIS and Exchange by Anonymous Coward · · Score: 1, Insightful

      i would imagine because it isn't a remote exploit to execute arbitrary code?

    7. Re:IIS and Exchange by morgan_greywolf · · Score: 1, Insightful

      By 'serious hackers' I mean the ones who are truly dangerous because they know what they're doing, unlike 31337 skR1p7 k1dd13z and your run-of-the-mill botnet creator looking for nothing more than a big spam relay. Those who actually know what they're doing won't use publicly-announced holes because that would allow them to be caught more easily.

      Put the fanboi attitude away and think about it logically and you'll know what I'm talking about. This applies to all applications and operating systems, not just IIS or Microsoft's products.

    8. Re:IIS and Exchange by Anonymous Coward · · Score: 0

      Why even mess with Sendmail? I switched to Postfix years ago when Sendmail fell flat on its face under load; Postfix with its more secure design on the same box runs 8 times the load that crushed Sendmail without breaking a sweat. The strength of Sendmail's odd format handling has been trivialized in these days of near-universal SMTP

      BIND & Apache are still relevant, but Sendmail, no.

    9. Re:IIS and Exchange by icepick72 · · Score: 1

      Those who actually know what they're doing won't use publicly-announced holes

      In this case there were no publicly-announced holes. Now your argument has veered off into left field for a last chance save. No dice. You even tried to pull out the fanboy argument which always evidences a final crash and burn when used out of context.

    10. Re:IIS and Exchange by Anonymous Coward · · Score: 0

      Price of finding the $16,000 exploit:

      $200 worth of Mountain Dew or Coffee for you and your team
      $100 for each of those retards because they never bothered asking if you're getting paid
      5 days without any sleep
      $1 for a stack of cd's
      35c for each call to each of your 10 contacts
      $10 shipping and handling

      $514.50 spent for returns totaling more than $50k for each contact
      PRICELESS

      Oh yeah, don't forget to turn in the exploit and collect Verisign's $16k too

    11. Re:IIS and Exchange by Anonymous Coward · · Score: 0

      Ummmm, no. Non-public exploits become public when they are used for anything non-trivial. Forensic analysis turns them up. This is what security researchers are talking about when they mention that an exploit was found "in the wild".

  2. start here! by wwmedia · · Score: 2, Interesting
    1. Re:start here! by Timesprout · · Score: 1

      or here http://microsoft.com/clearcase/repositories/IIS6/stable/src.
      Username bill
      Password gates

      --
      Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
      What truth?
      There is no dupe
    2. Re:start here! by wwmedia · · Score: 1

      looks like i hit a nerve

    3. Re:start here! by Anonymous Coward · · Score: 0

      Or how about these guys, they already have three exploits for MS products.

      http://research.eeye.com/html/advisories/upcoming/index.html

      How does it feel to know that eEye and MS have had remote access to all of your machines constantly for years?

  3. $16,000 by Anonymous Coward · · Score: 5, Insightful

    arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies. Clearly, the so called experts aren't aware of the multitudes of enterprising folks living outside the inflated Western wage spectrum. For someone a little more eastbound, that's a nice chunk of change.

    1. Re:$16,000 by Mr.+Underbridge · · Score: 4, Insightful

      arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies. Clearly, the so called experts aren't aware of the multitudes of enterprising folks living outside the inflated Western wage spectrum. For someone a little more eastbound, that's a nice chunk of change.

      Not only that, but I'm assuming that claiming the prize and the advertising that goes with it - advertising your skills, that is - is the more valuable part. I'm imagining that the type of person who could claim the prize is interested in doing this sort of thing anyway. The prize would be a nice cash reward and a fantastic thing to put on a resume.

    2. Re:$16,000 by Anonymous Coward · · Score: 4, Informative

      Indeed, $16K is exactly 2.5 times the annual salary I used to make when I worked as a software engineer in Egypt.

    3. Re:$16,000 by operagost · · Score: 0

      For someone a little more eastbound, that's a nice chunk of change.

      Bullcrap. I live in Pennsylvania and that's still chump change!
      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    4. Re:$16,000 by Anonymous Coward · · Score: 0

      you'd just give the $16K to your church. Loser.

    5. Re:$16,000 by DaveWick79 · · Score: 1

      Apparently some new accounting guy fresh out of college found a $16K budget surplus, and another new IT guy fresh out of college came up with a use for it.

    6. Re:$16,000 by XenoPhage · · Score: 2, Informative

      Bullcrap. I live in Pennsylvania and that's still chump change!

      Must be nice.. I live in Pa and I'd love to have an extra $16k ...

      --
      XenoPhage
      Technological Musings
    7. Re:$16,000 by demachina · · Score: 1

      $16K IS chump change compared to what you could make exploiting a flaw in this critical infrastructure or selling it to people who would. Of course maybe you would prefer the $16K over the much higher return and a potential criminal record.

      --
      @de_machina
    8. Re:$16,000 by networkBoy · · Score: 2, Funny

      Well I have one exploit for each platform.
      It is remote, and it is foolproof.
      I want the money.
      -nB

      The exploit is to take the admins family hostage, demanding whatever code you want to be run in exchange for the family's safety.
      Since you are using a phone to control the admin it is a remote exploit.
      Have a nice day.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    9. Re:$16,000 by dwarfsoft · · Score: 1

      Well its either that, or they are giving out free Motor Boats, er, $16,000 at the nearest police station...

      --
      Cheers, Chris
    10. Re:$16,000 by Nevyn · · Score: 1

      In my opinion the problem isn't really that it doesn't pay for someone to do the work to find the exploit that's there, it's that it's not enough to be painful if there is one there.

      For instance if I put a "security exploit bounty" on my code of $1 (probably less than I pay for donuts weekly) ... how secure does that say the code is? Now if I put the same bounty on it of $2,000 (yes I'm not amazingly rich, so that's a very painful amount), this is a very different equation.

      It's the difference between saying "I'm very confident that X is true" and saying "Meh, who knows ... I'll give you a buck if it isn't".

      --
      ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B
    11. Re:$16,000 by etnu · · Score: 1

      Eh, $16k could be about a year's salary in some countries, but you could also spend 2-3 years before you found anything in the first place. A good programmer can easily pull down $25-30k in India. If he can find a flaw in his free time or can do it in less than 6 months, it might be worthwhile, but in general he's better off just getting an ordinary job.

  4. hMMM by multipartmixed · · Score: 2, Funny

    Does it count if we "find" a "hole" in the current CVS snapshot?

    --

    Do daemons dream of electric sleep()?
  5. $16,000? by FutureDomain · · Score: 0, Redundant

    *begins digging through code*

    --
    Hydraulic pizza oven!! Guided missile! Herring sandwich! Styrofoam! Jayne Mansfield! Aluminum siding! Borax!
  6. No, but... by TheSHAD0W · · Score: 3, Interesting

    It's a great reward if you've stumbled across a hole. Also, you may be able to collect multiple bounties from different organizations for the same hole. I think the bounty system has plenty of merit.

    1. Re:No, but... by Darlantan · · Score: 5, Funny

      Also, you may be able to collect multiple bounties from different organizations for the same hole.

      Yeah, but pimpin' ain't easy.

      --
      Fill in your four or five-letter word of wisdom here _ _ _ _ _.
  7. Meanwhile, the Russian Mafia offers you... by monkeyboythom · · Score: 1

    Triple that amount of cash. Or more. Or your life. Or, the well being of those you love.

    You get the point.

    1. Re:Meanwhile, the Russian Mafia offers you... by Anonymous Coward · · Score: 0

      Is that how you hack systems? By putting space characters where they don't belong?

  8. IIS 6 by Anonymous Coward · · Score: 5, Funny

    IIS 6 hasn't had a public remotely exploitable bug in it. Ever.

    How can that be? IIS is crap! Slashdot tells me so!

    1. Re:IIS 6 by eln · · Score: 5, Funny

      No one has ever found a hole in it because no one has ever managed to keep it up and running for long enough to find one without it crashing first.

    2. Re:IIS 6 by wwmedia · · Score: 2, Interesting

      now now no need to get nasty about IIS6 just because its a microsoft product!

      IIS6 is very good and new IIS7 is even better, also to note on all the 11 Suse dedicated servers i run i switched from Apache 2 to a lighter, less resource hogging alternative

      Btw IIS6 has less unpatched vulnerabilities than apache

      so there

    3. Re:IIS 6 by Viraptor · · Score: 3, Informative

      > IIS 6 hasn't had a public remotely exploitable bug in it. Ever.

      "Microsoft Internet Information Services ASP Code Buffer Overflow"
      http://secunia.com/advisories/21006/

      Software:
      - Microsoft Internet Information Services (IIS) 5.x
      - Microsoft Internet Information Services (IIS) 6

      Impact:
      - System access
      - Security Bypass

      Where:
      - From remote

      "hasn't had a public remotely exploitable bug"? Ever? Yes, of course - ever ;)

    4. Re:IIS 6 by grub · · Score: 1

      What did you switch to?

      --
      Trolling is a art,
    5. Re:IIS 6 by Anonymous Coward · · Score: 0

      Maybe less "publicly known" unpatched vulnerabilities

    6. Re:IIS 6 by EraserMouseMan · · Score: 4, Informative

      From your link, "Successful exploitation allows bypassing any security restrictions enforced by ASP or execution of API's with no ASP equivalent, but requires permissions to upload ASP code to a web folder."

      This is not a remotely exploitable bug. Nice try though.

    7. Re:IIS 6 by Anonymous Coward · · Score: 0

      The problem isn't with IIS 6, it's with the only foundation that IIS 6 runs on.

    8. Re:IIS 6 by guruevi · · Score: 1

      Oh really, you don't think there are hundreds of apps out there that allow you to upload any type of file out there?

      It's remotely exploitable, if the programmer is dumb enough. Then again, so is Apache + PHP.

      Most server-related exploits are not through visible and administrated or configured services but rather through side-services like RPC in combination with ineptness of programmers and admins. That's what makes the Microsoft platform so darn insecure, there are by default hundreds of services running that nobody knows about or everybody forgets and that have open ports to the outside world. It's also 'too simple' for any CIO to set a server up so there are hundreds of servers that are clicked rather than built together.

      Yes, they're trying to catch up and yes, you should have a firewall, but the power in services/servers on *nux is (for most distro's) the defaults it comes with and the simplicity yet strength and visibility of the configuration and security (who doesn't like to see ALL settings in a single flatfile with the possibility of extra comments instead of through hundreds of windows with unexplained commands and options or with a single command see all rules applied to the firewall).

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    9. Re:IIS 6 by TheRaven64 · · Score: 3, Interesting

      I'd like to second the grandparent's plug of Lighttpd. It's very light-weight and easy to configure. Apache has some features it doesn't, but those are all module that I don't use, which just add to the amount of code that's running on my system and could be responsible for an exploit. Lighttpd seems to have been built with security in mind; it drops privileges and chroots itself at system start. If you want scripting language support, it talks to fastcgi servers, and those can run in their own chroots if you want even more paranoia.

      --
      I am TheRaven on Soylent News
    10. Re:IIS 6 by Viraptor · · Score: 1

      Oh - I'm sure, that in the darkness of interwebs, there is some forgotten script, that includes a file whose name consists of one of GET attributes + ".asp". Yes - some web developers are that clueless. If I understand the description correctly, the exploit depends only on the name of the included script.
      I suppose that's why it's marked "remote" by Secunia.

      Anyone got IIS6 to try?
      Ahh... I forgot, it's slashdot :)

    11. Re:IIS 6 by Doctor+Memory · · Score: 1

      It's remotely exploitable, if the programmer is dumb enough. Then again, so is Apache + PHP.

      Doesn't PHP stand for Pretty Hopeless Privacy? I remember it used to be pretty trivial to do SQL injection attacks against a pretty wide spectrum of PHP sites back in the dot-bomb days. Hopefully it's gotten better as security has gotten more press, but even if it's gotten twice as good as it was, that's still pretty bad...
      --
      Just junk food for thought...
    12. Re:IIS 6 by Bishop · · Score: 5, Interesting

      Lighttpd may seem to have been built with security in mind, but it hasn't. Superficially Lighttpd does all the right security things, but search for "lighttpd memory leak." Secure software does not leak memory.

    13. Re:IIS 6 by Viraptor · · Score: 2, Insightful

      SQL injection doesn't have anything to do with PHP. You can create a query ("DELETE FROM "+user_supplied_var) and run it in any language - PHP, ASP, ASP.NET, perl, etc. If you want to shoot yourself in the leg, no one will stop you.
      PHP was just easy and very popular. Usually inexperienced developers create security problems, not the language itself.

    14. Re:IIS 6 by Anonymous Coward · · Score: 0

      Apache is so-named because of all the patches that it had applied to it.
      Clearly, you have no fucking clue what "patch" means in this context (NCSA/Apache). Moron.
    15. Re:IIS 6 by toadlife · · Score: 1

      Most server-related exploits are not through visible and administrated or configured services but rather through side-services like RPC in combination with ineptness of programmers and admins. That's what makes the Microsoft platform so darn insecure, there's by default hundreds of services running that nobody knows about or everybody forgets and that have open ports to the outside world. It's also 'too simple' for any CIO to set a server up so there are hundreds of servers that are clicked rather than built together.

      Yes. Damn Microsoft for making their server products so easy to use.

      Yes, they're trying to catch up and yes, you should have a firewall, but the power in services/servers on *nux is (for most distro's) the defaults it comes with and the simplicity yet strength and visibility of the configuration and security (who doesn't like to see ALL settings in a single flatfile with the possibility of extra comments instead of through hundreds of windows with unexplained commands and options or with a single command see all rules applied to the firewall).

      I'm not sure what your complaint is. If you want to administer Win2k/IIS6 from the cli you can, as Win2k3 comes with all the necessary cli tools. IIS6's config file happens to be an xml file too, so you can configure IIS6 with nothing but your favorite text editor - and unlike Apache, you don't even have to restart the IIS after editing its configuration.
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    16. Re:IIS 6 by jimicus · · Score: 1

      I suspect you'll find that most web exploits today rely more on the application than the web server. There's only a handful of web servers in common use today and the core developers all understand the potential security issues that surround them. I'd argue that this is not the case for web applications and frameworks.

    17. Re:IIS 6 by Ash-Fox · · Score: 1

      IIS6's config file happens to be an xml file too, so you can configure IIS6 with nothing but your favorite text editor

      Although admittedly, XML files can be annoying to deal with by hand.

      and unlike Apache, you don't even have to restart the IIS after editing its configuration.

      I cannot remember a time I couldn't do /etc/init.d/apache reload (or whatever the init.d file for your apache install is called).
      --
      Change is certain; progress is not obligatory.
    18. Re:IIS 6 by krenshala · · Score: 2, Insightful

      But if you don't run the modules you don't use Apache doesn't use the resources those modules would require.

      --

      krenshala

    19. Re:IIS 6 by Anonymous Coward · · Score: 0

      PHP was just easy and very popular. Usually unexperienced developers create security problems, not the language itself.

      The effort one had to go to to write a secure PHP application was significant compared to other languages.
      Just because it's possible to do all things in all languages doesn't mean that all things are equally as easy in all languages.

      Every other language with a database access library supports bind variables.
    20. Re:IIS 6 by Anonymous Coward · · Score: 0

      Ok, you're right, if someone's web server is configured to allow you to upload ASP then you are vulnerable. But that doesn't matter. If you're configured to allow ASP uploads then someone just writes the "download your data and format your hard drive" ASP script, uploads it, and then requests the page. You're already owned without the exploit.

      But perhaps more importantly if you go to Microsoft's security bulletin for this (http://www.microsoft.com/technet/security/Bulletin/MS06-034.mspx) you'll see that IIS 6.0 has multiple mitigations for this issue. The 1st is that ASP is not enabled by default in IIS. The 2nd is that ASP runs as the low privilege NetworkService account. So basically someone, other than MS, had to be an idiot at least twice for IIS 6.0 to get exploited. I think you can probably include using classic ASP as being an idiot as well which puts the count up to 3.

      Now that's not to say that IIS 6.0 didn't have a vulnerability here. But if we were talking about OpenBSD the n in the "only n exploits in the last x years" slogan would not be revised for this.

    21. Re:IIS 6 by toadlife · · Score: 0, Troll

      I cannot remember a time I couldn't do /etc/init.d/apache reload (or whatever the init.d file for your apache install is called).

      Yes. And...
      /etc/init.d/apache reload
      ...is the equivalent of...
      /etc/init.d/apache stop && /etc/init.d/apache start
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    22. Re:IIS 6 by Ash-Fox · · Score: 1

      Yes. And... /etc/init.d/apache reload ...is the equivalent of... /etc/init.d/apache stop && /etc/init.d/apache start

      No, that would be '/etc/init.d/apache restart'.

      Reload keeps Apache running.
      --
      Change is certain; progress is not obligatory.
    23. Re:IIS 6 by toadlife · · Score: 0, Troll

      No, that would be '/etc/init.d/apache restart'.

      Reload keeps Apache running.

      No. It doesn't.
      On some init.d scripts I've seen for apache 'restart' simply calls '$0 reload' or vice versa. Either way httpd must be stopped and started to read the config file again.

      Log onto one of your Apache servers and look at the /etc/init.d/apache script if you don't believe me.
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    24. Re:IIS 6 by Anonymous Coward · · Score: 0

      The top 10 was in 2000 www.sans.org and covered BIND 8.

      BIND 9 has a much better record. BIND 9 was designed to die when a programming error was found rather than continuing to execute in a known bad state. Despite thousands of assertion checks there have only been a small number of externally triggerable DoS events against BIND 9 www.isc.org.

    25. Re:IIS 6 by Ash-Fox · · Score: 1

      Upon further investigation, you are technically correct that Apache gets restarted.

      However, in my init.d script, it basically launches 'apache2 graceful', which starts a new apache process to handle connections with the new settings while existing connections remain on the old child processes which die when the previous connections have finished processing. The disadvantage?

      I don't really see any, there certainly aren't any conflicts with the old/new settings that may affect the entire environment since the processes are completely separated. No connections are lost in the process -- that is a pretty graceful way of handling things.

      How does IIS get an advantage over this? I don't know.

      --
      Change is certain; progress is not obligatory.
    26. Re:IIS 6 by guruevi · · Score: 1

      That's exactly the way IIS does it too. If you 'change' the configuration, it will keep handling the old connections within the old threads and the new connections in a new thread, it's just less transparent. The worst thing in IIS+ASP(.NET) is if you change the configuration in your .NET worker processes, you need to effectively kill the worker process to take the change in configuration, thus losing your cache and the sessions that the programmer let the system handle.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    27. Re:IIS 6 by guruevi · · Score: 1

      Take an example: a hosting company. Any ASP.NET script, although running as Network Service as you say, can read/write/execute/stop/start anything within other processes running under the same worker processes. Give each customer its own worker process you say? Won't work, you can circumvent that, and besides that do you know the cost of that (100-300MB/worker process, yes that's what it takes to just start a W3WP process). Another example: SharePoint Server 2007 requires your Worker Process to run as a privileged user in case you are running a web farm.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    28. Re:IIS 6 by toadlife · · Score: 0

      The disadvantage?

      None, except that you have to manually initiate the "restart" when a config change is made. I never implied that there was any particular fault in Apache. I just pointed out some things you didn't seem to know about IIS and you took it as some sort of slam on Apache, which it wasn't.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    29. Re:IIS 6 by seizer · · Score: 2, Interesting

      Only if you keep your sessions in the same process as your application. ASP.NET supports keeping your session in another process (potentially on another machine) or in a database (slightly slower, but can survive server restarts etc). See http://www.eggheadcafe.com/articles/20021016.asp for a quick summary.

      You're correct about the application cache not surviving config changes, though typically this shouldn't be an issue as cache is only for convenience: users won't feel the difference if there's a cache miss, but they will feel the difference if the session is lost.

    30. Re:IIS 6 by Anonymous Coward · · Score: 0

      "Superficially Lighttpd does all the right security things"

      No it doesn't. It's had lots of "crash bugs" that might well be exploitable but nobody bothered to look into it. A buffer overflow was pointed out here on slashdot which got silently fixed in CVS with no notification at all. Lighttpd is proof that you can put "secure" in the feature list of an insecure, buggy, unstable pile of crap and web 2.0 morons will think that means something. All of the other event driven http daemons are better: nginx, cherokee, hiawatha, etc.

  9. Look at me, I'm a hacker by Anonymous Coward · · Score: 5, Funny

    $16000 is not worth the time to make the internet safer. Now stop bothering me while I spend my time trying to figure out how to save $15 by cracking DVDs. After that, I'm off to steal some music.

    1. Re:Look at me, I'm a hacker by grub · · Score: 1

      Thanks for the laugh, that was great! :)

      --
      Trolling is a art,
    2. Re:Look at me, I'm a hacker by Anonymous Coward · · Score: 0

      >I spend my time trying to figure out how to save $15 by cracking DVDs.

      That's $15(x), where "x" is the number of DVDs I would be willing to buy given that I could only acquire DVDs by $15(x).
      But once x is no longer bound by $15(x), then to me x > $16,000. Thus concludes our little lesson in microeconomics.

    3. Re:Look at me, I'm a hacker by int14 · · Score: 3, Insightful

      Breaking DVD encryption is important for fair use IMHO, and I doubt the guys who have worked on this are completely motivated by saving money buying DVDs.

    4. Re:Look at me, I'm a hacker by that+this+is+not+und · · Score: 1

      Now stop bothering me while I spend my time trying to figure out how to save $15 by cracking DVDs.

      Once I 'figure out how to crack DVDs' it's trivial to go out and find 1000 DVDs at libraries, rental outlets, friends' DVD collections, etc. Probably all 1000 could be cracked and duplicated faster than finding one of these bounty exploits.

  10. From the FA by crush · · Score: 1

    'RC' (Release candidate), 'Beta', 'Technology Preview' and similar versions of the listed technologies are not included in this challenge

    So, it would be reasonable to assume that any development branch stuff including current CVS snapshot would be inadmissible.

    1. Re:From the FA by xenocide2 · · Score: 1

      But it's a good question: how much do you trust the CVS authors? 16 thousand might be chump change, but how bout a couple million?

      --
      I Browse at +4 Flamebait

      Open Source Sysadmin

  11. Entrapment? by Anarchysoft · · Score: 4, Insightful

    Considering that creating exploits and/or publishing them is considered a criminal offense in some jurisdictions, I wonder how many submissions they'll get. Especially when a good unknown exploit could be worth far more than 16,000.

  12. Ha! by Joebert · · Score: 1

    $16,000 ?
    That's it ?

    That type of exploit is worth at least a brand new BMW.

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    1. Re:Ha! by Anonymous Coward · · Score: 0

      or owning slashdot several times, changing low uid passwords
      to owned, and otherwise making commander taco cry.

    2. Re:Ha! by ewhac · · Score: 1

      That type of exploit is worth at least a brand new BMW.
      Here ya go...

      Schwab

    3. Re:Ha! by Anonymous Coward · · Score: 0

      $16,000 ? That's it ? That type of exploit is worth at least a brand new BMW.

      I'd rather have the cash. BMW is not what it used to be. I swear the only thing "special" about those cars now is the badge.

    4. Re:Ha! by itwerx · · Score: 1

      I'd rather have the cash. BMW is not what it used to be. I swear the only thing "special" about those cars now is the badge.

      That is correct, and directly attributable to Ford Motor Company owning controlling interest for some years now. Same is true for Rover.
      (Ironically Jaguar actually got better after Ford took them over. :)

  13. Not to mention ability to convert O2 to CO2... by Kadin2048 · · Score: 5, Funny

    Also, you may be able to collect multiple bounties from different organizations for the same hole.

    True ... but I bet breaking an NDA with the Russian mob could adversely affect your ability to work in the computer-security field in the future.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Not to mention ability to convert O2 to CO2... by peragrin · · Score: 2, Funny

      >>True ... but I bet breaking an NDA with the Russian mob could adversely affect your ability to work in the computer-security field in the future.

      I didn't sign an NDA when i started working for the..... Oh hi Vladimir, what are you doing he.....

      --
      i thought once I was found, but it was only a dream.
  14. Re:Exchange by DrLov3 · · Score: 1, Funny

    Pfff.... Ms. Echange ....

    No need to find a flaw, MS Exchange will crash on its own. :P

  15. Free money by ThanatosMinor · · Score: 5, Interesting

    I wonder if the current rise in prizes being offered for discovering vulnerabilities in code might lead to some sneaky behavior.

    1. Leave subtle flaw in your code
    2. Share information with distant acquaintance
    3. Profit!

    1. Re:Free money by Nos. · · Score: 3, Insightful

      From Anton Chuvakin's Blog:
      ...most scary cyber-criminal of the future is not a spammer, a scammer, a phisher or a pharmer, and not even a good ole "cracker" - it is an unethical software engineer, who changes the code slightly to introduce a weakness (or a full-blown backdoor or a logic bomb) and later uses or sells this knowledge

    2. Re:Free money by Anonymous Coward · · Score: 0

      You forgot a step, there's no way your plan will ever succeed without "???"

    3. Re:Free money by geekoid · · Score: 1

      I'm going to write me a Winnebago!

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  16. Obligatory by Anonymous Coward · · Score: 0

    1. Find 12 Exploits
    2. Submit 6 Exploits
    3. ????
    4. PROFIT!

    Multiple choice for #3 today, class...

    A) Collect $16,000
    B) Create botnet using other 6 exploits and rent to spammers - Collect $???,000
    C) Wait for next contest, submit remaining exploits - Collect $newprize, repeat
    D) All of the above

  17. Bidding war. by khasim · · Score: 2, Interesting

    Suppose you know an exploit in IIS or Exchange.

    Do you sell it to those guys for $16K ... or do you see what Microsoft will pay you NOT to sell it to them?

    1. Re:Bidding war. by MarkGriz · · Score: 4, Insightful

      "Do you sell it to those guys for $16K ... or do you see what Microsoft will pay you NOT to sell it to them?"

      Neither. You auction it off to the highest bidding spamgang. Or so I've heard.

      --
      Beauty is in the eye of the beerholder.
  18. LIGHTTPD! by wwmedia · · Score: 1

    oops LIGHTTPD can't edit damned comments, it was meant to have a hyperlink to lighttpd.net

  19. Internet infrastructure technologies? by rrohbeck · · Score: 1

    >the following Internet infrastructure technologies:
    Since when are we using marketing speak here? Can we please call them programs or program systems?

  20. maybe someone has already done the work by 7-Vodka · · Score: 2, Insightful

    ...arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.

    Maybe there are people out there who already have more than one exploit for these and wouldn't mind trading one in for a legal source of quick cash. Who knows? 16k buys a very nice chunk of electronics for people who don't need the money for anything else.

    --

    Liberty.

  21. Already in real life. by Actually,+I+do+RTFA · · Score: 2, Informative

    Somewhere, I believe in one of Scott Adams' (the Dilbert creator) books he has a (purportedly) true story about a company where the testers were paid $100 per bug they found. According to him, the program was scrapped after a week, but not before quite a few expensive gifts went from testers to programmers.

    It seemed like an urban legend à la the Woz getting $100 for each chip he got off a board, but I've heard that that one is actually true, so maybe both are??

    Yes, it's the fallacy of assuming the whole set has parts comparable to one element. Yes I know this. Please mod the logic Funny and the first paragraph Informative.

    Thank You

    --
    Your ad here. Ask me how!
    1. Re:Already in real life. by Bishop · · Score: 2, Interesting

      I can't speak to Scott Adams' story, but I do know of a large shop that thought a bug bounty like that was a good idea. A rising star in management with little technical knowledge but lots of new ideas thought that a bug bounty would be a good motivator for QA. Fortunately for the company the idea was squashed by a number of experienced software engineers before it was implemented.

      Along a similar vein one of the companies I worked for had an idea for spurring innovation and lateral thinking. The program was designed to find small improvements and cost savings on the production floor. The company offered a reward based on a percentage of the cost savings as well as a small gift. To give an idea of the expected cost savings the gifts ranged from golf shirts to pen sets with the company logo. Nothing fancy. This program worked well until an employee found a way to save 15 million dollars. The employee did receive the award but it was the last award paid. While it is nice of the company to offer incentives for new ideas, as this employee was an engineer it could easily be argued that it was his job to find 15 million dollars savings.

    2. Re:Already in real life. by Anonymous Coward · · Score: 0

      This program worked well until an employee found a way to save 15 million dollars


      let me guess.. "hey, guys? the cost of all these little savings gifts.. well, it totals $15 million.. just thought you should know".
    3. Re:Already in real life. by Phleg · · Score: 4, Insightful

      What the fuck? Employee figures out way to save us $15 million. Employee parts with $1 million. Net savings: $14 million. So the company netted $14 million, and suddenly thinks this whole thing was a bad idea?

      --
      No comment.
    4. Re:Already in real life. by zerkon · · Score: 1

      The Air Force has a program called Innovative Development through Employee Awareness (IDEA) where they offer cash rewards for ideas that save the AF money. Here's a link to the story of a guy that saved an estimated $1.4 million and got a nice check for $10k for his effort...
      http://www.af.mil/news/story.asp?id=123048910

    5. Re:Already in real life. by petermgreen · · Score: 1

      I'm sure small bonuses can be a good motivator

      but in this case you have to ask was he expecting a bonus that big for it and if so would he have released it if it hadn't been. If not then all the excessively sized bonus would do is cost the company both the money and probably the employee too.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  22. Bragging All the Way to the Poor House by queenb**ch · · Score: 3, Insightful

    Here are the terms of the challenge -

    * The vulnerability must be remotely exploitable and must allow arbitrary code execution in a typical installation of one of the technologies listed above

    Ok, so you pick some of the oldest and most robust technologies around - things that have had a LOT of the bugs worked out of them already and things you're not that likely to have to pay out on.

    * The vulnerability must exist in the latest version of the affected technology with all available patches and/or upgrades applied
    * 'RC' (Release candidate), 'Beta', 'Technology Preview' and similar versions of the listed technologies are not included in this challenge

    So you eliminate any upcoming versions, but you forget to exclude the previous versions....

    * The vulnerability must be original and not previously disclosed to any party

    So if I've already informed the software maker, it's out, further reducing the likelihood of any kind of a payment having to be made.

    * The vulnerability cannot be caused by or require any additional third party software installed on the target system

    Reasonable, but...and this is a big but....many things are quite secure on their own, but not so much so when you actually start using them. Prime example, Apache. Apache on its own is fine. Install one of the open source PHP web apps and then see how secure it is. How many people run Apache serving up hand coded HTML?

    * The vulnerability must not require any social engineering

    This is because we all know that there is no patch for human stupidity...though I've never seen it admitted quite so blatantly.

    PHOOEY ON YOUR CHALLENGE

    It would take me a lot of man hours to come up with something, more to code an exploit for it and by the time I'm done...I'd be better off financially if I had worked at Wal-Mart for those hours. $16,000 divided by 4 (people on my team) = $4000 each. Let's say we spend 5 weeks on this. That's 200 hours each. That works out to having a chance to get $20/hr. And frankly, I think that 200 hours each is pretty optimistic. We're talking about poring over their code base, becoming familiar with it, and looking for places that we can try to break it. That's in excess of 89,000 lines of code just for Apache and more than another 70,000 for Sendmail. Then we have to load it up, write some code to test the exploit, and run it to see if it works. If it doesn't on the first try, it's rinse and repeat until we give up on that possible exploit and try a different one.

    I'm guessing that this is more of a publicity stunt than anything else. Anyone in the industry should know better. This has to be something that the marketing poohbahs have dreamed up. Just more marketing hype so that they can say, "We're more secure than those other guys. We ran our challenge and we didn't get anything. These apps are safe to use."

    2 cents,

    Queen B.

    --
    HDGary secures my bank :/
    1. Re:Bragging All the Way to the Poor House by Anonymous Coward · · Score: 0
      This is because we all know that there is no patch for human stupidity...though I've never seen it admitted quite so blatantly.

      No, this is because anyone with half a brain cell can understand the difference between a vulnerability in the software and a vulnerability in the system around the software.

      Coworkers like you drive me nuts, when they spend all their limited capacity for thought on pointless nitpicking, and think they're geniuses because they can complain faster than smart people can do work.

    2. Re:Bragging All the Way to the Poor House by laffer1 · · Score: 0

      In the western world, you are right about how stupid it is. However, in say India where they work for practically nothing it would be some real money. They could buy a village or something.

    3. Re:Bragging All the Way to the Poor House by Anonymous Coward · · Score: 0

      And we have the definitive post on the topic. Thank you. Sums it all up. When are the marketeers going to realise that this sort of stunt doesn't convince anyone.

    4. Re:Bragging All the Way to the Poor House by jimicus · · Score: 1

      The vulnerability cannot be caused by or require any additional third party software installed on the target system

      Exactly. Apache without any extra modules, just the core? There's not much to exploit, and that which there is has been worked over and over for years.

    5. Re:Bragging All the Way to the Poor House by Anonymous Coward · · Score: 0

      If you lived in India $20/hr is a good wage.

    6. Re:Bragging All the Way to the Poor House by RightSaidFred99 · · Score: 0, Troll

      Uhh, wow. Dumbest. Post. Ever. Every one of your points is just silly. You act as though they should just offer up money for any old exploit, then you go through an inane exercise to address their points with your own asinine play by play. I want the 30 seconds of my life it took to dismiss this post as being retarded back.

    7. Re:Bragging All the Way to the Poor House by Anonymous Coward · · Score: 0

      Most apache modules aren't "third party"

  23. Tried Google? by Anarchysoft · · Score: 3, Informative

    "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." That's funny. A quick search seems to reveal many!
    1. Re:Tried Google? by Anonymous Coward · · Score: 4, Funny

      Just to narrow it down, I redid your search with quotes and found 67. But the first one's a blast. It goes to the "w4ck1ng" forum where the thread goes...

      "Hello found this exploit: http://www.derkeiler.com/Mailing-Lis...5-04/0436.html I have compiled it. And when i run it under linux, it gives me this error! [cut for brevity] ./iis.exe: 3: Syntax error: word unexpected (expecting ")") Anyone ?"

      ...and the response goes:

      "you can not use exe files under unix y0u have to compile it with GCC..."

      I *think* IIS is safe from *this* guy...

    2. Re:Tried Google? by Otter · · Score: 2, Informative
      Warning up front: DO NOT RUN THE CODE IN THE BELOW LINK, YOU HALFWITS!!!

      Ok, now a clarification: the code I think you meant to link to is not an exploit for IIS, it deletes the 1337 h4x0r's files. The exchange is a good way to run out the clock on a Friday, at least through:

      You are wrong again, it's "Smashing the Stick" you moron. Not smashing the stack. Ask anyone here!
    3. Re:Tried Google? by Zamolx3 · · Score: 1

      You don't know what you are talking about. There is no serious remote vulnerability for IIS6. Those results are just crappy lame "flaws" written by crappy lame "hackers" looking for fame.

    4. Re:Tried Google? by ad0gg · · Score: 2, Insightful

      I like how the second result listed is actually a trojan program that runs rm -rf /. There aren't any remote exploits for IIS6 which is a 4 year old product.

      --

      Have you ever been to a turkish prison?

    5. Re:Tried Google? by Anarchysoft · · Score: 1

      I'm not going to claim to be any kind of expert on the subject, but I did bother to look at some of those exploits that turned up and I think you should double check your claim. For example, here's one posted by Microsoft. Are you claiming all of the exploits don't work and if so, why? Do you think IIS 6 is invulnerable?

    6. Re:Tried Google? by Anarchysoft · · Score: 1

      There aren't any remote exploits for IIS6 which is a 4 year old product.

      Do you mean like these?
    7. Re:Tried Google? by ad0gg · · Score: 1

      I don't consider a DOS an exploit. Like the article, we're talking about being able to access the system. As it still stands per the article definition, there are no remote exploits for IIS6.0. Can the same be said about apache?

      --

      Have you ever been to a turkish prison?

    8. Re:Tried Google? by Anarchysoft · · Score: 1

      I don't consider a DOS an exploit. Like the article, we're talking about being able access the system. As it still stands per the article definition, there are no remote exploits for IIS6.0.

      Does this look like a DoS to you?

      Can the same be said about apache?

      This is not about httpd versus IIS 6. The statement was that there were no remote exploits for IIS 6 and it appears that there is evidence to the contrary.
    9. Re:Tried Google? by dedazo · · Score: 2, Informative
      Read through that advisory and then get back to us on the amount of things that have to be screwed up in the basic setup of a Server 2003 box before this vuln will work.

      If this had hit one of our servers, it wouldn't have worked because the "classic" ASP ISAPI handler is disabled by default, and that's how we leave it. And even if that were not true, you'd end up with the same privileges as the NETWORK SERVICE account, which on 2003 is basically useless. AND you still would need to have configured the root of your website to allow for authenticated uploads. Duh. That's about as terrifying as a "NAKED PCITURES OF TEH BRITTANY SOPEARS!!!" email with an EXE attachment. I doubt it affected any large number of servers.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    10. Re:Tried Google? by Shados · · Score: 2, Interesting

      As pointed by many, the thing you showed isn't remotely exploitable. You need another means of access to the machine, with freagin write access, to put code in a folder where it has script execute permission. Basically, you need a freagin account on the box. Not quite it.

    11. Re:Tried Google? by Anarchysoft · · Score: 1

      If this had hit one of our servers, it wouldn't have worked because the "classic" ASP ISAPI handler is disabled by default, and that's how we leave it. And even if that were not true, you'd end up with the same privileges as the NETWORK SERVICE account, which on 2003 is basically useless. AND you still would need to have configured the root of your website to allow for authenticated uploads.

      So on a shared host that supports ASP, if one shared account does this exploit, would they not get access to all of the others?
    12. Re:Tried Google? by Anarchysoft · · Score: 1

      As pointed by many, the thing you showed isn't remotely exploitable. You need another mean of access to the machine, with freagin write access, to put code in a folder where it has script execute permission. Basically, you need a freagin account on the box. Not quite it.

      So then a poorly designed ASP upload page that is exploitable (as many upload forms are) would or would not then allow wider access to the box?
    13. Re:Tried Google? by darthflo · · Score: 1

      As already noted by someone else (it's nearly 0200 here, too late to search thru them other comments, sorry), this requires write access to an ASP-enabled web folder. It may be exploitable remotely but I think "remote" might also commonly imply "anonymous"...

    14. Re:Tried Google? by dedazo · · Score: 1
      Not if you've hardened the configuration correctly, which you would technically do regardless.

      The first thing I did when I moved to my current shared hosting provider was request information on their IIS configuration to make sure it was sufficiently hardened to prevent something like this from affecting my site.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    15. Re:Tried Google? by Shados · · Score: 1

      Yup, but it's a local exploit. Otherwise, that would be like saying that if there's such an exploit in, let's say, Open Office that could somehow in an alternate dimension allow you to get root, that it's a remote exploit because a poorly managed VNC access would let you do it remotely.

    16. Re:Tried Google? by weicco · · Score: 2, Insightful

      Yes. Just like this would:

      <?php eval($_GET['code']); ?>

      Or like this:

      <?php include($_GET['url']); ?>

      Comes to mind... That last one was used when some people I know from IRC cracked open one TV company's web site here in Finland.

      But the above examples don't work in IIS6/ASP.NET since the framework doesn't let you shoot yourself in the foot so easily. ASP.NET checks input and prevents submitting suspicious data unless you specifically tell it to let it through. Also you would have to write something like 10 rows more code to compile and run code on-the-fly.

      --
      You don't know what you don't know.
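
      The two PHP one-liners in the post above are the textbook remote/local file inclusion pattern: whatever the request parameter names gets executed. The block below is an added example, not weicco's code or anything from the thread; it puts the unsafe include beside a hardened version that maps the request parameter onto a fixed allowlist of files and re-checks the resolved path before including it. The `pages/` directory, the page names and the function names are assumptions made for the example.

```php
<?php
// Added example (not from the thread). Assumes templates live in ./pages/
// and that the page names below are the only ones the application serves.

// Unsafe, as quoted in the thread: the request decides which file runs.
// With allow_url_include=On that can even be a remote URL; with it off
// (the php.ini default) any attacker-writable local file still works.
function render_unsafe(array $get): void
{
    include($get['url']);
}

// Hardened: user input is only ever a *key* into a fixed table, never a path.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a requested page name to an absolute path under $base, or null.
 * Returns null for unknown names, missing files, or anything that resolves
 * outside $base (symlink trickery), so the caller can answer 404.
 */
function resolve_page(string $requested, string $base = __DIR__ . '/pages'): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                               // not on the allowlist
    }
    $root = realpath($base);
    $path = realpath($base . '/' . PAGES[$requested]);
    if ($root === false || $path === false) {
        return null;                               // directory or file missing
    }
    // Defence in depth: the filename came from our own table, but confirm the
    // canonical path is still inside the template directory.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_safe(array $get): void
{
    $path = resolve_page($get['page'] ?? 'home');
    if ($path === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}

// Entry point: only the hardened renderer is wired to the request.
render_safe($_GET);
```

      Two things worth noting. First, the value of `$_GET['page']` never reaches `include` at all; it is used only to look up a constant filename, which is what closes the hole rather than any filtering of the string. Second, keeping `allow_url_include` off in php.ini (its default) stops the remote-URL variant outright, but it does nothing for the local case the dedazo/Anarchysoft subthread is arguing about, where an attacker has already managed to get a file onto the box; the allowlist covers both.
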
    17. Re:Tried Google? by Anonymous Coward · · Score: 0

      ...trojan program that runs rm -rf /.

      Do I read that right? rm -rf slashdot?
  24. Heh by Stormx2 · · Score: 1

    The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: ... Microsoft Internet Information (IIS) Server and Microsoft Exchange Server
    How do they expect to find $16,000 a day? Bank robberies?
    1. Re:Heh by that+this+is+not+und · · Score: 1

      I think what they're doing is saying 'put up or shut up' to people like you who make uninformed "clever" comments on Slashdot.

      And guess what. It isn't even plain old 'put up or shut up.' If you manage to 'put up' you also get sixteen grand.

  25. Is it just me by Anonymous Coward · · Score: 0

    Is it just me or is anybody else tired of hearing the phrase "zero-day" on a daily basis?

    1. Re:Is it just me by Anonymous Coward · · Score: 0

      I was tired of it on day zero.

  26. $16k? Peanuts... by pp · · Score: 1

    The criminal underground (russian mafia etc.) supposedly pay $50k-$100k for zero-days, if you're after the money might as well sell your exploit to them.

    If you're after fame, you report it through the proper channels (CERT or the vendor directly). You get credited in the bugfix, but gain no money at all.

    Selling to one of these guys just goes into the pockets of these zero-day vendors, who then get more customers paying them $$$ to be a few days ahead of everyone else (but they'll get the patches at the same time as anyone else anyway, their IDS's just get signatures for these new exploits)

  27. Is that legal? by HalAtWork · · Score: 2, Interesting

    Could I just offer up a $16,000 bounty as well? 'Cause there's plenty of money to be made with 0day flaws.

    Anyone can discover them, so it's plausible that two people can know the same flaw. So one party gets the flaw and gives the $16,000, then communicates the exploit to a third party who hacks in and gets trade secrets (or teh g0ld) and sells those, or whatever.

    1. Re:Is that legal? by glwtta · · Score: 1

      I don't think even the most overzealous MPAA sponsored digital security legislation covers knowing about an exploit, yet. In your situation the third party would be breaking the law, those who discovered the flaw would likely be breaking the law (under the aforementioned overzealous legislation), but I don't see what you could pin on those who paid for the information.

      --
      sic transit gloria mundi
  28. Chump change by Plutonite · · Score: 0, Redundant

    $16000 is nothing. If you run a botnet you can have $10000 rolling in per week, alternatively if you have undisclosed vulnerabilities and the right contacts, you won't bother with the silly bot-masters who will get you discovered even though they will gladly pay anything from 50 - 150 grand for a remote hole. More likely, you would save up the good holes for high-paying, one shot mob deals against banks, and maybe government intelligence (they have a big budget for that in Soviet Russia and China). 16000 dollars? No, sorry, IIS is perfectly secure!!

    PS: I am not some shady person who wears black hats. Hacking is too dangerous for a nice guy like me, even though almost anything can be done with time and dedication..even the functions that check string lengths to prevent overflows can be hacked :D

    1. Re:Chump change by that+this+is+not+und · · Score: 1

      they have a big budget for that in Soviet Russia

      There ain't any Soviet in Russia anymore. It's been privatized. Otherwise it's much the same, though.

  29. Just $16000. I guess some 0 are missing. by inews.110mb.com · · Score: 0

    Just $16000. I guess some 0 are missing. There is more info on http://inews.110mb.com/

  30. This is easy... Call the Romanian techies... by HOTTILA.COM · · Score: 1

    Romania rocks.... they have the best Hackers in Europe!

    --
    Strive to be happy...
  31. FYI by Slashcrap · · Score: 5, Funny

    I guess some people reading this may be more used to Windows and therefore not entirely familiar with the functionality of the Unix packages that were mentioned. Allow me to summarise:

    OpenSSH - A service you can install on a Unix system to enable remote admin access for known users.

    Sendmail - A service you can install on a Unix system to enable remote admin access for complete strangers.

    Hope this helps.....

  32. Oh Great by Evets · · Score: 0, Flamebait

    "IIS 6 hasn't had a public remotely exploitable bug in it. Ever."

    LMAO.

    Did Microsoft hire Baghdad Bob as their PR guy?

    1. Re:Oh Great by madsheep · · Score: 1

      So name one remotely exploitable vulnerability in IIS 6.0. Should be simple right? I'll pay you $16,000 when you point it out. :D And no pointing to an ASP vulnerability that requires the user to be able to upload and execute the file doesn't count.

    2. Re:Oh Great by Evets · · Score: 1

      Have a peek at the 695,000 google results.

      You can play games all you want with words - "we don't have any <insert restrictive adjective here> exploits" the fact is that IIS has historically been and always will be a security nightmare.

      It took Microsoft what - 10 years - to actually prioritize security measures in their web server? And you think they got it right the first time?

    3. Re:Oh Great by ThinkFr33ly · · Score: 1

      The fact remains, IIS 6 has never had a remotely exploitable hole. Period. And it has been on the market for over 4 years.

      Microsoft learned from their mistakes and are making their software secure, not just by Microsoft standards, but clearly by any standard.

      You can talk about old versions of software all you want, but it's just an attempt to deflect from the fact that your comment about "Baghdad Bob" would be more accurately assigned to people like you, not Microsoft.

    4. Re:Oh Great by Evets · · Score: 0, Troll

      You are plainly wrong, and frankly it's not worth arguing about any more.

      Your comment history shows an uncanny bias towards Microsoft products in defiance of logic. So what are you, an MS employed astroturfer or a fanboi?

    5. Re:Oh Great by Anonymous Coward · · Score: 0

      Wow, why not actually link to an IIS6 exploit meeting the stated criteria, if you're asserting that any exist? Seems to me that IIS6 is a great deal more secure than Microsoft's earlier offerings (which as you note were notorious), and that you're simply extrapolating from your experiences (or other people's experiences!) with past versions.

      (By the way, since you won't be able to Slashdot-stalk me, what with this being an AC post: before you accuse me of being an obvious Microsoft shill, be aware that I'm posting this from a Debian Linux box, on which I run Apache 2.2.3. I've never run any version of IIS and I pretty much share your prejudices about it, but I'm willing to admit being wrong about it if the software has actually improved, which many people here are saying it has.)

    6. Re:Oh Great by that+this+is+not+und · · Score: 1

      Don't redbait. Answer his question. Or continue to look increasingly foolish, I guess.

  33. Re:start here OR here! by awpoopy · · Score: 1
    --
    I say things which affects my Karma negatively. (and I don't care) For instance; All religion is false.
  34. Re:Exchange by dwarfsoft · · Score: 1

    Well, at least Exchange on SBS 2003 needed the service restarted every day due to the caching in memory of all emails converted to HTML for OWA. I found that to be unbelievable. On the servers that we put out there if they ran for a Week then Exchange would eventually take over all available RAM and the server would run like a dog.

    I don't know if Microsoft ever put out a fix for that flaw, but it has been a while since I have installed SBS 2003. It certainly isn't a bug that is exploitable for remote code execution.

    --
    Cheers, Chris
  35. As a sysadmin I would like to thank Verisign by skinfitz · · Score: 1

    ...for creating a 'busy work' distraction for the geek students who would normally spend the summer holidays writing this year's worm.

  36. I work for VeriSign iDefense... by Anonymous Coward · · Score: 1, Interesting

    ...but my opinions are purely my own and I speak for myself, not my employer.

    Anyone "in the industry" already knows about iDefense and their Vulnerability Contribution Program, so you obviously are not. iDefense isn't the only company that posts challenges or pays for vulnerabilities. Perhaps you should read up at http://labs.idefense.com/vcp/

    It is not a marketing ploy or publicity stunt. The iDefense business is about selling internet intelligence, not pushing anyone's software. This is an initiative to discover critical vulnerabilities in those applications so that they can be patched. Nothing more. If you believe that BlackHats aren't already looking for vulnerabilities in those applications then you need to get a clue stick and start whacking yourself over the head with it. The VCP gives WhiteHats (and GreyHats) incentive to find them first, so that they can be dealt with responsibly rather than end up a zero-day exploit.

    The applications chosen are old and considered robust. That's why they form the backbone of the internet in the first place. And also why a critical bug in them could bring the internet to its knees. Any QA engineer worth their salt will tell you that the first place to look for a bug is in software that has shown itself to be buggy - and that applies at whatever level you want to consider - block, function, class, library, application or suite. sendmail anyone? Bind? If you believe that there are no more bugs to be found then you are likely mistaken. I think iDefense will (gladly) pay out on more than one of these applications during this challenge.

    The terms to the challenge are fairly standard and non-onerous, and I think you're reading too much into them. The version restriction is purely because no-one is interested in vulnerabilities in Apache 1.4, nor IIS 5 anymore. The additional software clause is again non-onerous. Your example isn't valid as a vulnerability in e.g. vBulletin would be a vulnerability in vBulletin, not a vulnerability in apache itself. Now if you could make a well configured mod_php fall over and clobber the box without requiring badly written php pages installed, then I think they'd be interested in that. The term about having not previously reported it is so that the vulnerability can be labelled iDefense-exclusive, adding value to the intelligence report.

    Ask yourself where the iDefense business model is if there were no vulnerabilities in any software. The entire business is built on the premise that there are vulnerabilities and that there are customers willing to pay for intelligence reports about them, and vendors willing to receive notifications about them. iDefense would love to pay out on all of those prizes.

    iDefense do not sell any software, so there is no reason to say "We're more secure than those other guys". They sell actionable internet intelligence. http://www.verisign.com/Resources/Managed_Security_Services_Tours_&_Demos/security-threat-video.html shows one way that this intelligence is used.

    Frankly, maybe you should stick to Walmart as you don't seem to know much about the internet security business. I doubt that you could make a living in it. You should get your patch installed.. :)

    (BTW - for all the slashdot VeriSign haters out there - after over a decade in the workforce with multiple employers, I can honestly say that I have never worked for a company so committed to helping customers solve problems. Every engineer I work with is dedicated to making the internet a better, faster, safer internet, and I work among extremely smart people who have respect, integrity and drive.
    So the company implemented a RFC1034- and RFC1035- compliant service a few years back before pulling it after customer feedback. Get over it already.)

    1. Re:I work for VeriSign iDefense... by queenb**ch · · Score: 1

      First off - Anonymous Coward, I at least have the cojones to put my name on what I write. Secondly, your challenge is marketing hoo-ha. And since you sell "actionable information", your company is definitely in the game. You're definitely trying to tell people that you are more secure than the other guys and that your information is worth paying for. Which means that basically the whole first half of your post is...well bull. Yes, I'm tossing the big brown Bull$hit flag. No, you're not the only company that does this. However, you're probably one of the worst paying.

      I didn't say that there weren't any more bugs in them. I said that what you're paying doesn't make it worth looking. There's a big difference in those two statements and your deliberate attempt to obfuscate the issue is just patently ridiculous.

      As for making a living in the security industry, I do it every day. People hate VeriSign because your company has its head so far up its own butt, you look like a mobius strip. You can go to www.dictionary.com or to www.wikipedia.com to look that reference up :) How many of your code signing certs have been socially engineered out of your company with names on them like "Microsoft"? It's amazing to me that you're still around.

      --
      HDGary secures my bank :/
  37. Re:start here OR here! by that+this+is+not+und · · Score: 1

    That's a little like implying that the fact that you can (probably) compile Apache 2.0 to run on Solaris 2.5 means there is something buggy about Apache 2.0.

  38. $16k by Anonymous Coward · · Score: 1, Funny

    money is the source of all evil code ... wait ... or is it the other way round?

  39. Surprised by Myopic · · Score: 1

    I'm surprised to see Microsoft's server software in there. I'm not surprised because I thought IIS was insecure, I'm surprised because I didn't realize it wasn't secure, I just assumed it was, and buggy generally, like all other Microsoft software. Certainly, the few MS programs I've used were buggy (XP, Word, Vis Stu, SQL Server) so I assumed they all were. If Microsoft has the institutional ability to make bug free software, then why don't they make more of it? Why don't they share the magic team of wizards who built IIS with the rest of the company?

    Maybe I should ask for corroboration. Is IIS really bug free software? I mean, at least for security bugs?

    1. Re:Surprised by Darby · · Score: 1

      > Maybe I should ask for corroboration. Is IIS really bug free software? I mean, at least for security bugs?

      Bug free? No, it's a fucking joke in that respect. Security bugs? There don't seem to be many.
      Of course with a brand new install being hit only with HEAD requests from the Load Balancer it goes down faster than a Tijuana hooker. Presumably, MS would call that a feature, but it's quite obviously a very badly broken piece of software.

  40. easy money... by illuminatedwax · · Score: 1

    ...for any developer of Sendmail or Apache or BIND sneaky enough to slip in a new security hole.

    --
    Did you ever notice that *nix doesn't even cover Linux?
  41. Has anyone else noticed that the acronym for... by Helldesk+Hound · · Score: 1

    > The bounty is for a zero-day code execution hole on the following
    > Internet infrastructure technologies: Apache httpd, Berkeley Internet
    > Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft
    > Internet Information (IIS) Server and Microsoft Exchange Server.

    Anybody else noticed that the acronym for "Microsoft Internet Information Server" (MIIS) is pronounced "miss"? :o)

  42. Conveying gravity by adamofgreyskull · · Score: 1

    In this case, "infrastructure technology" doesn't seem so asinine. Services like BIND, Sendmail, httpd, IIS are pretty much What the Web Runs On(tm).

  43. You run your website on a lighter! by Anonymous Coward · · Score: 0

    That's wicked man, just wicked. This, folks, is a true geek!

  44. Apples and Oranges... by SanityInAnarchy · · Score: 1

    Cracking DVDs is easy, and it helps fair use (playback on Linux, etc).

    Cracking most of this stuff is, I'd imagine, significantly harder -- after all, it is possible for Apache to be secure, whereas it's not even close to possible for DVDs to be uncrackable.

    That's ignoring the economics of it -- $15 per DVD? Fine, you just need to sell 1,067 copies and you've made $16k. That's assuming money was ever the point.

    --
    Don't thank God, thank a doctor!
  45. Do it then... by Anonymous Coward · · Score: 0

    So Mr. 733t H4x0r, put your money where your mouth is and produce the exploit and get back to us when you've won the prize. I know lashing out at Microsoft is par for the course here on Slashdot, but you might be interested to know that according to TFA, IIS hasn't had a single public remotely exploitable hole.

  46. Alrighty Then by Evets · · Score: 2, Informative

    Here you go:

    Amit Klein has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service).

    The vulnerability is caused due to the WebDAV XML Message Handler not limiting the number of attributes that can be specified in an XML element. This can be exploited through Internet Information Services by sending a specially crafted WebDAV PROPFIND request.

    Successful exploitation causes the WebDAV XML Message Handler to consume all CPU resources for a period of time.


    1) It's a remote request
    2) It's public
    3) It's an exploit
    =================
    But then again, you'd know about that if you followed my first link.

    There's a reason that companies like JS Wurzler charge a 15% premium to IIS users.

    Count me among the webmasters who abandoned IIS long before the Code Red virus came along. If you want to keep treading in those waters blindly believing that IIS is the most secure web platform feel free. Even Gartner has recommended against using IIS. Yeah, that was before version 6 came out, but really - if things went so far that Gartner actually issued a recommendation do you think it's a smart thing to start using it again as soon as a version upgrade is released?
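    The advisory quoted in this post describes a resource-exhaustion bug whose root cause is an XML handler that never bounds the number of attributes on a single element. As an added example (not code from this thread, from the advisory, or from Microsoft), here is a defender-side guard in Python that stream-parses an incoming request body and refuses it as soon as any element exceeds a configurable attribute budget, before the real handler spends CPU on it. The limit of 32, the function names and both sample PROPFIND bodies are constructed for this illustration, not taken from captured traffic.

```python
import xml.parsers.expat

# Assumed budget: real WebDAV clients put a handful of attributes on an element,
# so a limit this small costs nothing for legitimate traffic. Tune it to your clients.
MAX_ATTRS_PER_ELEMENT = 32


class TooManyAttributes(Exception):
    """Raised when one element carries more attributes than the budget allows."""


def check_xml_attribute_budget(body: bytes, limit: int = MAX_ATTRS_PER_ELEMENT) -> int:
    """Stream-parse `body` and return the peak attribute count seen on any one element.

    The check runs inside the start-element callback, so parsing stops at the first
    offending element instead of first materialising the whole document, which is
    exactly the unbounded work the advisory's handler was doing.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Deliver attributes as a flat [name, value, name, value, ...] list; no dict is built.
    parser.ordered_attributes = True
    peak = 0

    def on_start_element(name, attrs):
        nonlocal peak
        count = len(attrs) // 2
        peak = max(peak, count)
        if count > limit:
            raise TooManyAttributes(
                f"element <{name}> has {count} attributes (limit {limit})"
            )

    parser.StartElementHandler = on_start_element
    parser.Parse(body, True)  # an exception raised in the handler propagates out of Parse()
    return peak


def screen_request_body(body: bytes, limit: int = MAX_ATTRS_PER_ELEMENT):
    """Front-door decision for an incoming PROPFIND/PROPPATCH body.

    Returns (accepted, reason). Malformed XML is refused too, since the real
    handler would otherwise have to burn CPU discovering that for itself.
    """
    try:
        peak = check_xml_attribute_budget(body, limit)
    except TooManyAttributes as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, f"ok (peak attributes on one element: {peak})"


# Constructed sample inputs (not captured traffic).
BENIGN_PROPFIND = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<D:propfind xmlns:D="DAV:"><D:prop>'
    b'<D:displayname/><D:getcontentlength/>'
    b'</D:prop></D:propfind>'
)

# The same request with one element padded out to 1,000 distinct attributes:
# the shape of input the advisory says an unbounded handler chokes on.
OVERSIZED_PROPFIND = (
    b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:"><D:prop '
    + b" ".join(b'a%d="x"' % i for i in range(1000))
    + b"/></D:propfind>"
)


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_PROPFIND), ("oversized", OVERSIZED_PROPFIND)):
        accepted, reason = screen_request_body(body)
        print(f"{label:9s} -> {'accept' if accepted else 'reject'}: {reason}")
```

    Two design points: the budget is enforced in the start-element callback rather than after parsing, so the cost of a rejected request is bounded by the limit rather than by the attacker's message size, and `ordered_attributes` avoids building a per-element dictionary, which is itself proportional to the attribute count.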

    1. Re:Alrighty Then by gkhan1 · · Score: 1

      Dude, are you completely ignorant of basic security terminology? The bounty asked for "...a zero-day code execution hole...". What you are describing is a DoS attack. There is a vast, vast difference. Either stop blindly bashing Microsoft, or put up an actual code execution hole.

    2. Re:Alrighty Then by Evets · · Score: 2, Insightful

      The article summary itself states:

      "IIS 6 hasn't had a public remotely exploitable bug in it. Ever."

      I laughed. From there...

      • First guy responded with - "don't laugh. It's true. And don't go telling me about the public remotely exploitable bug that everyone knows about since that doesn't count"
      • I responded with a link to a google search containing 695,000 results for IIS 6 exploits
      • Second guy responded with - "The fact remains, IIS 6 has never had a remotely exploitable hole." - even though I had already plainly shown plenty
      • I responded again - showing that guy #2 was obviously a MS zealot of some sort, and also feeling that there was already plenty of information in the thread about IIS 6 exploits
      • Third guy responds with "You suck. And don't go looking to see if I'm an astroturfer. I'm anonymous." and "why not actually link to an IIS6 exploit meeting the stated criteria"
      • Fourth guy jumps in "Answer his question"
      • Then I again follow up by spelling out a long public remote IIS exploit, since 695,000 results just isn't enough.
      • And here you jump in saying "that exploit isn't an exploit" when it plainly is

      I stand by my laughter at the statement:

      "IIS 6 hasn't had a public remotely exploitable bug in it. Ever."

      If you don't think it's funny, fine. If you want to use IIS, fine. Do it at your own risk.

      IIS 5 was so insecure that you could actually execute code on the host machine by simply accessing a URL - leaving the machine vulnerable even if you were just serving up static HTML files.

      IIS 6 is so secure that an end user has to upload a file to execute code on the host machine, or they could just send a webDAV request and effectively remove the machine from service. If you call that secure, fine. You and I obviously have differing opinions.

      Yes, IIS 6 is better than IIS 5. To purport that it is a SECURE platform that has never been exploited is just plain false.

    3. Re:Alrighty Then by that+this+is+not+und · · Score: 1

      A more interesting question is:

      Is IIS 6 better than a patchy web server?

    4. Re:Alrighty Then by Anonymous Coward · · Score: 0

      > I responded with a link to a google search containing 695,000 results for IIS 6 exploits

      695,000 results is terrible, but that's nothing when you consider that there's over 1.1 million results for Linux 16 remote exploits.

  47. Re:Tried Google? You Must Be a N00b by Anonymous Coward · · Score: 0

    Apparently what you were looking at was an attempt by someone to discredit IIS 6.
    Full Disclosure: IIS 6 Remote Buffer Overflow Exploit ????
    Anyone can send an email into FULL DISCLOSURE, it doesn't mean there is any merit to his claim.

    Do you see any published remotely executable exploits on secunia?
    ( http://secunia.com/product/1438/?task=advisories )

    I see 3. One has a remotely executable vulnerability. BUT you have to turn on ASP to exploit the vulnerability.
    Most organizations that are running IIS 6 are .NET so I highly doubt they will be turning on ASP.

    Don't worry Kid.......it's OK to be a N00b.......Just don't talk shit when you don't know shit!

  48. Another Marketing Ploy By MaMa Verisign by Anonymous Coward · · Score: 1, Interesting

    This is just another marketing ploy by Big MaMa Verisign.
    Someone should offer $20K for Verisign vulnerabilities since iDefense can't publish those.

    Just as a hint, start your research with Verisign PKI and focus on sophia.exe.
    So next time you see sophia.exe in your browser cache....open it up and view in notepad.
    WOW, there is my username and password cached to my browser in a hidden field.

    Trust me, there are a lot more exploits than that.

  49. Re:Exchange by jaymz2k4 · · Score: 1

    Where I work we manage a lot of clients' SBS servers with Exchange and I've not noticed such a performance hit, so I'm guessing whatever was causing this issue is long gone...

    --
    jaymz
  50. IIS 6 maybe but Windows surely not... by Anonymous Coward · · Score: 0

    Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever."

    I can't comment about IIS 6's apparently good security record... But as IIS 6 only runs on the Windows platform it doesn't make much sense to talk about remotely exploitable holes in IIS 6 without talking about remotely exploitable holes in Windows, does it!?

    I mean, I could read that as "whoa, cool, now I'll install IIS 6 on OpenBSD and I'll have a secure system! Uh, wait, I can't do that!?". Who cares about the security of the front door when the only windows you can have on that house are wide open?

    1. Re:IIS 6 maybe but Windows surely not... by petermgreen · · Score: 1

      Attackers can only get in through code that processes untrusted data. Assuming the admin knows what they are doing, most of the OS should not be processing untrusted data, so the attacker would have to find a flaw in an exposed service to get their foot in the door.

      Of course once they do get in, the design of the OS can help in damage control, but they have to be in first.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  51. minor correction by petermgreen · · Score: 1

    replace "if not" with "if he didn't need the huge bonus to find and release the information on the issue"

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register