$16,000 Bounty for Sendmail, Apache Zero-Day Flaws
Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says it's doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"
start here http://secunia.com/product/73/?task=advisories
It's a great reward if you've stumbled across a hole. Also, you may be able to collect multiple bounties from different organizations for the same hole. I think the bounty system has plenty of merit.
Now now, no need to get nasty about IIS6 just because it's a Microsoft product!
IIS6 is very good and the new IIS7 is even better. Also to note, on all the 11 SUSE dedicated servers I run I switched from Apache 2 to a lighter, less resource-hogging alternative.
Btw IIS6 has fewer unpatched vulnerabilities than Apache
so there
I wonder if the current rise in prizes being offered for discovering vulnerabilities in code might lead to some sneaky behavior.
1. Leave subtle flaw in your code
2. Share information with distant acquaintance
3. Profit!
Suppose you know an exploit in IIS or Exchange.
Do you sell it to those guys for $16K
... or do you see what Microsoft will pay you NOT to sell it to them?
Could I just offer up a $16,000 bounty as well? 'Cause there's plenty of money to be made with 0day flaws.
Anyone can discover them, so it's plausible that two people can know the same flaw. So one party gets the flaw and gives the $16,000, then communicates the exploit to a third party who hacks in and gets trade secrets (or teh g0ld) and sells those, or whatever.
Twinstiq, game news
I'd like to second the grandparent's plug of Lighttpd. It's very light-weight and easy to configure. Apache has some features it doesn't, but those are all module that I don't use, which just add to the amount of code that's running on my system and could be responsible for an exploit. Lighttpd seems to have been built with security in mind; it drops privileges and chroots itself at system start. If you want scripting language support, it talks to fastcgi servers, and those can run in their own chroots if you want even more paranoia.
I am TheRaven on Soylent News
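What "drops privileges and chroots itself" looks like in lighttpd's own configuration syntax, as an added example that is not part of the post or of the lighttpd project; the account name, jail directory, FastCGI socket path and document root are constructed assumptions:

```conf
## Constructed lighttpd.conf fragment (not from the post or the lighttpd project).
## Weak: none of the three settings below is given, so lighttpd keeps running as
## the user that started it (root, when it bound port 80) with the entire host
## filesystem visible to any bug in the server or its modules.
# server.username  = (unset)
# server.groupname = (unset)
# server.chroot    = (unset)

## Hardened: bind the port as root, then chroot and drop to an unprivileged account.
server.modules   = ( "mod_access", "mod_fastcgi" )
server.port      = 80
server.username  = "www-data"      # assumed unprivileged account
server.groupname = "www-data"
server.chroot    = "/srv/www"      # assumed jail directory on the host

# Once server.chroot is set, server.document-root is interpreted inside the jail,
# so "/htdocs" here means /srv/www/htdocs on the host.
server.document-root = "/htdocs"

# Keep editor backups and include files out of reach (mod_access).
url.access-deny = ( "~", ".inc" )

# Scripting is handed to a FastCGI backend that lighttpd does not spawn itself
# (no "bin-path"), so that process can run under its own account and its own
# chroot; only the socket has to be reachable from inside this jail, i.e. the
# assumed host path is /srv/www/run/php.sock.
fastcgi.server = ( ".php" =>
  (( "socket" => "/run/php.sock" ))
)
```

The point of the two halves is that the hardening is opt-in: a stock configuration with the three server.* lines missing runs with whatever privileges the startup script gave it.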
Lighttpd may seem to have been built with security in mind, but it hasn't. Superficially Lighttpd does all the right security things, but search for "lighttpd memory leak." Secure software does not leak memory.
I can't speak to Scott Adams' story, but I do know of a large shop that thought a bug bounty like that was a good idea. A rising star in management with little technical knowledge but lots of new ideas thought that a bug bounty would be a good motivator for QA. Fortunately for the company the idea was squashed by a number of experienced software engineers before it was implemented.
Along a similar vein, one of the companies I worked for had an idea for spurring innovation and lateral thinking. The program was designed to find small improvements and cost savings on the production floor. The company offered a reward based on a percentage of the cost savings as well as a small gift. To give an idea of the expected cost savings, the gifts ranged from golf shirts to pen sets with the company logo. Nothing fancy. This program worked well until an employee found a way to save 15 million dollars. The employee did receive the award, but it was the last award paid. While it is nice of the company to offer incentives for new ideas, as this employee was an engineer it could easily be argued that it was his job to find 15 million dollars in savings.
As pointed out by many, the thing you showed isn't remotely exploitable. You need another means of access to the machine, with freagin write access, to put code in a folder where it has script execute permission. Basically, you need a freagin account on the box. Not quite it.
...but my opinions are purely my own and I speak for myself, not my employer.
:)
Anyone "in the industry" already knows about iDefense and their Vulnerability Contribution Program, so you obviously are not. iDefense isn't the only company that posts challenges or pays for vulnerabilities. Perhaps you should read up at http://labs.idefense.com/vcp/
It is not a marketing ploy or publicity stunt. The iDefense business is about selling internet intelligence, not pushing anyone's software. This is an initiative to discover critical vulnerabilities in those applications so that they can be patched. Nothing more. If you believe that BlackHats aren't already looking for vulnerabilities in those applications then you need to get a clue stick and start whacking yourself over the head with it. The VCP gives WhiteHats (and GreyHats) incentive to find them first, so that they can be dealt with responsibly rather than end up a zero-day exploit.
The applications chosen are old and considered robust. That's why they form the backbone of the internet in the first place. And also why a critical bug in them could bring the internet to its knees. Any QA engineer worth their salt will tell you that the first place to look for a bug is in software that has shown itself to be buggy - and that applies at whatever level you want to consider - block, function, class, library, application or suite. sendmail anyone? Bind? If you believe that there are no more bugs to be found then you are likely mistaken. I think iDefense will (gladly) pay out on more than one of these applications during this challenge.
The terms to the challenge are fairly standard and non-onerous, and I think you're reading too much into them. The version restriction is purely because no-one is interested in vulnerabilities in Apache 1.4, nor IIS 5 anymore. The additional software clause is again non-onerous. Your example isn't valid as a vulnerability in e.g. vBulletin would be a vulnerability in vBulletin, not a vulnerability in apache itself. Now if you could make a well configured mod_php fall over and clobber the box without requiring badly written php pages installed, then I think they'd be interested in that. The term about having not previously reported it is so that the vulnerability can be labelled iDefense-exclusive, adding value to the intelligence report.
Ask yourself where the iDefense business model is if there were no vulnerabilities in any software. The entire business is built on the premise that there are vulnerabilities and that there are customers willing to pay for intelligence reports about them, and vendors willing to receive notifications about them. iDefense would love to pay out on all of those prizes.
iDefense do not sell any software, so there is no reason to say "We're more secure than those other guys". They sell actionable internet intelligence. http://www.verisign.com/Resources/Managed_Security_Services_Tours_&_Demos/security-threat-video.html shows one way that this intelligence is used.
Frankly, maybe you should stick to Walmart as you don't seem to know much about the internet security business. I doubt that you could make a living in it. You should get your patch installed.
(BTW - for all the slashdot VeriSign haters out there - after over a decade in the workforce with multiple employers, I can honestly say that I have never worked for a company so committed to helping customers solve problems. Every engineer I work with is dedicated to making the internet a better, faster, safer internet, and I work among extremely smart people who have respect, integrity and drive.
So the company implemented an RFC1034- and RFC1035-compliant service a few years back before pulling it after customer feedback. Get over it already.)
Only if you keep your sessions in the same process as your application. ASP.NET supports keeping your session in another process (potentially on another machine) or in a database (slightly slower, but can survive server restarts etc). See http://www.eggheadcafe.com/articles/20021016.asp for a quick summary.
You're correct about the application cache not surviving config changes, though typically this shouldn't be an issue as the cache is only for convenience: users won't feel the difference if there's a cache miss, but they will feel the difference if the session is lost.
This is just another marketing ploy by Big MaMa Verisign.
Someone should offer $20K for Verisign vulnerabilities since iDefense can't publish those.
Just as a hint, start your research with Verisign PKI and focus on sophia.exe.
So next time you see sophia.exe in your browser cache, open it up and view it in Notepad.
WOW, there is my username and password cached to my browser in a hidden field.
Trust me, there are a lot more exploits than that.