Slashdot Mirror


$16,000 Bounty for Sendmail, Apache Zero-Day Flaws

Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says it's doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"

9 of 173 comments

  1. Re:IIS 6 by Viraptor · Score: 3, Informative

    > IIS 6 hasn't had a public remotely exploitable bug in it. Ever.

    "Microsoft Internet Information Services ASP Code Buffer Overflow"
    http://secunia.com/advisories/21006/

    Software:
    - Microsoft Internet Information Services (IIS) 5.x
    - Microsoft Internet Information Services (IIS) 6

    Impact:
    - System access
    - Security Bypass

    Where:
    - From remote

    "hasn't had a public remotely exploitable bug"? Ever? Yes, of course - ever ;)

  2. Re:IIS 6 by EraserMouseMan · Score: 4, Informative

    From your link, "Successful exploitation allows bypassing any security restrictions enforced by ASP or execution of API's with no ASP equivalent, but requires permissions to upload ASP code to a web folder."

    This is not a remotely exploitable bug. Nice try though.

  3. Re:$16,000 by Anonymous Coward · Score: 4, Informative

    Indeed, $16K is exactly 2.5 times the annual salary I used to make when I worked as a software engineer in Egypt.

  4. Already in real life. by Actually, I do RTFA · Score: 2, Informative

    Somewhere, I believe in one of Scott Adams' (the Dilbert creator) books he has a (purportedly) true story about a company where the testers were paid $100 per bug they found. According to him, the program was scrapped after a week, but not before quite a few expensive gifts went from testers to programmers.

    It seemed like an urban legend à la the Woz getting $100 for each chip he got off a board, but I've heard that that one is actually true, so maybe both are??

    Yes, it's the fallacy of assuming the whole set has parts comparable to one element. Yes I know this. Please mod the logic Funny and the first paragraph Informative.

    Thank You

    --
    Your ad here. Ask me how!
  5. Tried Google? by Anarchysoft · Score: 3, Informative

    "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." That's funny. A quick search seems to reveal many!
    1. Re:Tried Google? by Otter · Score: 2, Informative
      Warning up front: DO NOT RUN THE CODE IN THE BELOW LINK, YOU HALFWITS!!!

      Ok, now a clarification: the code I think you meant to link to is not an exploit for IIS, it deletes the 1337 h4x0r's files. The exchange is a good way to run out the clock on a Friday, at least through:

      You are wrong again, it's "Smashing the Stick" you moron. Not smashing the stack. Ask anyone here!
    2. Re:Tried Google? by dedazo · Score: 2, Informative
      Read through that advisory and then get back to us on the amount of things that have to be screwed up in the basic setup of a Server 2003 box before this vuln will work.

      If this had hit one of our servers, it wouldn't have worked because the "classic" ASP ISAPI handler is disabled by default, and that's how we leave it. And even if that were not true, you'd end up with the same privileges as the NETWORK SERVICE account, which on 2003 is basically useless. AND you still would need to have configured the root of your website to allow for authenticated uploads. Duh. That's about as terrifying as a "NAKED PCITURES OF TEH BRITTANY SOPEARS!!!" email with an EXE attachment. I doubt it affected any large number of servers.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  6. Re:$16,000 by XenoPhage · Score: 2, Informative

    Bullcrap. I live in Pennsylvania and that's still chump change!

    Must be nice.. I live in Pa and I'd love to have an extra $16k ...

    --
    XenoPhage
    Technological Musings
  7. Alrighty Then by Evets · Score: 2, Informative
    Here you go:

    Amit Klein has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service).

    The vulnerability is caused due to the WebDAV XML Message Handler not limiting the number of attributes that can be specified in an XML element. This can be exploited through Internet Information Services by sending a specially crafted WebDAV PROPFIND request.

    Successful exploitation causes the WebDAV XML Message Handler to consume all CPU resources for a period of time.


    1) It's a remote request
    2) It's public
    3) It's an exploit
    =================
    But then again, you'd know about that if you followed my first link.

    There's a reason that companies like JS Wurzler charge a 15% premium to IIS users.

    Count me among the webmasters who abandoned IIS long before the Code Red virus came along. If you want to keep treading in those waters blindly believing that IIS is the most secure web platform feel free. Even Gartner has recommended against using IIS. Yeah, that was before version 6 came out, but really - if things went so far that Gartner actually issued a recommendation do you think it's a smart thing to start using it again as soon as a version upgrade is released?