Slashdot Mirror


$16,000 Bounty for Sendmail, Apache Zero-Day Flaws

Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says it's doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"

18 of 173 comments

  1. $16,000 by Anonymous Coward · · Score: 5, Insightful

    arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies. Clearly, the so-called experts aren't aware of the multitudes of enterprising folks living outside the inflated Western wage spectrum. For someone a little more eastbound, that's a nice chunk of change.

    1. Re:$16,000 by Mr.+Underbridge · · Score: 4, Insightful

      arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies. Clearly, the so-called experts aren't aware of the multitudes of enterprising folks living outside the inflated Western wage spectrum. For someone a little more eastbound, that's a nice chunk of change.

      Not only that, but I'm assuming that claiming the prize and the advertising that goes with it - advertising your skills, that is - is the more valuable part. I'm imagining that the type of person who could claim the prize is interested in doing this sort of thing anyway. The prize would be a nice cash reward and a fantastic thing to put on a resume.

  2. Entrapment? by Anarchysoft · · Score: 4, Insightful

    Considering that creating exploits and/or publishing them is considered a criminal offense in some jurisdictions, I wonder how many submissions they'll get. Especially when a good unknown exploit could be worth far more than 16,000.

  3. Re:IIS and Exchange by morgan_greywolf · · Score: 2, Insightful

    Ummmm, try BIND.

    BTW -- TFA says that IIS 6 hasn't had a single public remotely-exploitable hole. That means essentially nothing to me, because most serious 'hackers' aren't using public exploits.

  4. maybe someone has already done the work by 7-Vodka · · Score: 2, Insightful

    ...arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.

    Maybe there are people out there who already have more than one exploit for these and wouldn't mind trading one in for a legal source of quick cash. Who knows? 16k buys a very nice chunk of electronics for people who don't need the money for anything else.

    --

    Liberty.

  5. Re:Free money by Nos. · · Score: 3, Insightful

    From Anton Chuvakin's Blog:
    ...most scary cyber-criminal of the future is not a spammer, a scammer, a phisher or a pharmer, and not even a good ole "cracker" - it is an unethical software engineer, who changes the code slightly to introduce a weakness (or a full-blown backdoor or a logic bomb) and later uses or sells this knowledge

  6. Bragging All the Way to the Poor House by queenb**ch · · Score: 3, Insightful

    Here are the terms of the challenge -

    * The vulnerability must be remotely exploitable and must allow arbitrary code execution in a typical installation of one of the technologies listed above

    Ok, so you pick some of the oldest and most robust technologies around - things that have had a LOT of the bugs worked out of them already and things you're not that likely to have to pay out on.

    * The vulnerability must exist in the latest version of the affected technology with all available patches and/or upgrades applied
    * 'RC' (Release candidate), 'Beta', 'Technology Preview' and similar versions of the listed technologies are not included in this challenge

    So you eliminate any upcoming versions, but you forget to exclude the previous versions....

    * The vulnerability must be original and not previously disclosed to any party

    So if I've already informed the software maker, it's out, further reducing the likelihood of any kind of a payment having to be made.

    * The vulnerability cannot be caused by or require any additional third party software installed on the target system

    Reasonable, but...and this is a big but....many things are quite secure on their own, but not so much so when you actually start using them. Prime example, Apache. Apache on its own is fine. Install one of the open source PHP web apps and then see how secure it is. How many people run Apache serving up hand coded HTML?

    * The vulnerability must not require any social engineering

    This is because we all know that there is no patch for human stupidity...though I've never seen it admitted quite so blatantly.

    PHOOEY ON YOUR CHALLENGE

    It would take me a lot of man-hours to come up with something, more to code an exploit for it and by the time I'm done...I'd be better off financially if I had worked at Wal-Mart for those hours. $16,000 divided by 4 (people on my team) = $4000 each. Let's say we spend 5 weeks on this. That's 200 hours each. That works out to having a chance to get $20/hr. And frankly, I think that 200 hours each is pretty optimistic. We're talking about poring over their code base, becoming familiar with it, and looking for places that we can try to break it. That's in excess of 89,000 lines of code just for Apache and more than another 70,000 for Sendmail. Then we have to load it up, write some code to test the exploit, and run it to see if it works. If it doesn't on the first try, it's rinse and repeat until we give up on that possible exploit and try a different one.

    I'm guessing that this is more of a publicity stunt than anything else. Anyone in the industry should know better. This has to be something that the marketing poohbahs have dreamed up. Just more marketing hype so that they can say, "We're more secure than those other guys. We ran our challenge and we didn't get anything. These apps are safe to use."

    2 cents,

    Queen B.

    --
    HDGary secures my bank :/

  7. Re:Bidding war. by MarkGriz · · Score: 4, Insightful

    "Do you sell it to those guys for $16K ... or do you see what Microsoft will pay you NOT to sell it to them?"

    Neither. You auction it off to the highest bidding spamgang. Or so I've heard.

    --
    Beauty is in the eye of the beerholder.

  8. Re:IIS and Exchange by icepick72 · · Score: 3, Insightful

    Yes because we all know the public exploits just sitting out there are totally ignored by hackers in favour of the um non-public ones. Ummmm .... so ..... IIS must therefore be insecure because surely we can't say anything good about it here. I mean it's a piece of shit because we can hypothesize unstated scenarios about it.
    I think it does mean a lot to many people when a piece of software has never had a publicly exploitable hole.

  9. Re:IIS and Exchange by Anonymous Coward · · Score: 1, Insightful

    i would imagine because it isn't a remote exploit to execute arbitrary code?

  10. Re:IIS 6 by Viraptor · · Score: 2, Insightful

    SQL injection doesn't have anything to do with PHP. You can create a query ("DELETE FROM "+user_supplied_var) and run it in any language - PHP, ASP, ASP.NET, perl, etc. If you want to shoot yourself in the leg, no one will stop you.
    PHP was just easy and very popular. Usually inexperienced developers create security problems, not the language itself.

  11. Re:IIS and Exchange by morgan_greywolf · · Score: 1, Insightful

    By 'serious hackers' I mean the ones who are truly dangerous because they know what they're doing, unlike 31337 skR1p7 k1dd13z and your run-of-the-mill botnet creator looking for nothing more than a big spam relay. Those who actually know what they're doing won't use publicly-announced holes because that would allow them to be caught more easily.

    Put the fanboi attitude away and think about it logically and you'll know what I'm talking about. This applies to all applications and operating systems, not just IIS or Microsoft's products.

  12. Re:Look at me, I'm a hacker by int14 · · Score: 3, Insightful

    Breaking DVD encryption is important for fair use IMHO, and I doubt the guys who have worked on this are completely motivated by saving money buying DVDs.

  13. Re:Tried Google? by ad0gg · · Score: 2, Insightful

    I like how the second result listed is actually a trojan program that runs rm -rf /. There aren't any remote exploits for IIS6, which is a 4 year old product.

    --

    Have you ever been to a turkish prison?

  14. Re:IIS 6 by krenshala · · Score: 2, Insightful

    But if you don't run the modules you don't use, Apache doesn't use the resources those modules would require.

    --

    krenshala

  15. Re:Tried Google? by weicco · · Score: 2, Insightful

    Yes. Just like this would:

    <?php eval($_GET['code']); ?>

    Or like this:

    <?php include($_GET['url']); ?>

    Comes to mind... That last one was used when some people I know from IRC cracked open one TV company's web site here in Finland.

    But the above examples don't work in IIS6/ASP.NET since the framework doesn't let you shoot yourself in the foot so easily. ASP.NET checks input and prevents submitting suspicious data unless you specifically tell it to let it through. Also you would have to write something like 10 rows more code to compile and run code on-the-fly.

    --
    You don't know what you don't know.

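
The include($_GET['url']) pattern from the post above, placed beside an allow-listed version in which request data never reaches include(), as an added example that is not part of the original thread; it assumes a constructed pages/ directory next to the script holding about.php and help.php:

```php
<?php
// Added example, not from the thread: the include($_GET['url']) pattern
// beside a hardened version in which request data never reaches include().
// Assumes (constructed for this example) a pages/ directory next to this
// script containing about.php and help.php.
declare(strict_types=1);

// Vulnerable: the request chooses the file. Any readable local path, and
// with allow_url_include=On any URL, becomes executable PHP.
function render_vulnerable(array $get): void
{
    include $get['url'];
}

// Hardened: the request supplies only a short key; this map supplies the
// filename, so no request-controlled string is ever used as a path.
const PAGES = [
    'about' => 'about.php',
    'help'  => 'help.php',
];

// Returns the absolute path for a known key, or null for anything else.
function resolve_page(string $key): ?string
{
    if (!isset(PAGES[$key])) {
        return null;                 // unknown key: refuse rather than guess
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . PAGES[$key]);
    // Defence in depth: the resolved file must still sit inside pages/,
    // even if the map above is later edited carelessly.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(array $get): void
{
    $path = resolve_page((string) ($get['page'] ?? ''));
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

render_hardened($_GET);
```

A request such as ?page=help renders pages/help.php; anything not in the map, including paths and URLs, gets a 404 without ever being passed to include().
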
  16. Re:Already in real life. by Phleg · · Score: 4, Insightful

    What the fuck? Employee figures out way to save us $15 million. Employee parts with $1 million. Net savings: $14 million. So the company netted $14 million, and suddenly thinks this whole thing was a bad idea?

    --
    No comment.

  17. Re:Alrighty Then by Evets · · Score: 2, Insightful

    The article summary itself states:

    "IIS 6 hasn't had a public remotely exploitable bug in it. Ever."

    I laughed. From there...

    • First guy responded with - "don't laugh. It's true. And don't go telling me about the public remotely exploitable bug that everyone knows about since that doesn't count"
    • I responded with a link to a google search containing 695,000 results for IIS 6 exploits
    • Second guy responded with - "The fact remains, IIS 6 has never had a remotely exploitable hole." - even though I had already plainly shown plenty
    • I responded again - showing that guy #2 was obviously a MS zealot of some sort, and also feeling that there was already plenty of information in the thread about IIS 6 exploits
    • Third guy responds with "You suck. And don't go looking to see if I'm an astroturfer. I'm anonymous." and "why not actually link to an IIS6 exploit meeting the stated criteria"
    • Fourth guy jumps in "Answer his question"
    • Then I again follow up by spelling out a long public remote IIS exploit, since 695,000 results just isn't enough.
    • And here you jump in saying "that exploit isn't an exploit" when it plainly is
    I stand by my laughter at the statement:

    "IIS 6 hasn't had a public remotely exploitable bug in it. Ever."

    If you don't think it's funny, fine. If you want to use IIS, fine. Do it at your own risk.

    IIS 5 was so insecure that you could actually execute code on the host machine by simply accessing a URL - leaving the machine vulnerable even if you were just serving up static HTML files.

    IIS 6 is so secure that an end user has to upload a file to execute code on the host machine, or they could just send a WebDAV request and effectively remove the machine from service. If you call that secure, fine. You and I obviously have differing opinions.

    Yes, IIS 6 is better than IIS 5. To purport that it is a SECURE platform that has never been exploited is just plain false.