Slashdot Mirror


$16,000 Bounty for Sendmail, Apache Zero-Day Flaws

Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says it's doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"

4 of 173 comments

  1. Re:IIS 6 by Viraptor · · Score: 3, Informative

    > IIS 6 hasn't had a public remotely exploitable bug in it. Ever.

    "Microsoft Internet Information Services ASP Code Buffer Overflow"
    http://secunia.com/advisories/21006/

    Software:
    - Microsoft Internet Information Services (IIS) 5.x
    - Microsoft Internet Information Services (IIS) 6

    Impact:
    - System access
    - Security Bypass

    Where:
    - From remote

    "hasn't had a public remotely exploitable bug"? Ever? Yes, of course - ever ;)

  2. Re:IIS 6 by EraserMouseMan · · Score: 4, Informative

    From your link, "Successful exploitation allows bypassing any security restrictions enforced by ASP or execution of API's with no ASP equivalent, but requires permissions to upload ASP code to a web folder."

    This is not a remotely exploitable bug. Nice try though.

  3. Re:$16,000 by Anonymous Coward · · Score: 4, Informative

    Indeed, $16K is exactly 2.5 times the annual salary I used to make when I worked as a software engineer in Egypt.

  4. Tried Google? by Anarchysoft · · Score: 3, Informative

    "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." That's funny. A quick search seems to reveal many!