$16,000 Bounty for Sendmail, Apache Zero-Day Flaws
Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says it's doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"
start here http://secunia.com/product/73/?task=advisories
It's a great reward if you've stumbled across a hole. Also, you may be able to collect multiple bounties from different organizations for the same hole. I think the bounty system has plenty of merit.
Now now, no need to get nasty about IIS6 just because it's a Microsoft product!
IIS6 is very good and the new IIS7 is even better. Also, to note, on all 11 of the SUSE dedicated servers I run, I switched from Apache 2 to a lighter, less resource-hogging alternative.
BTW, IIS6 has fewer unpatched vulnerabilities than Apache.
So there.
I wonder if the current rise in prizes being offered for discovering vulnerabilities in code might lead to some sneaky behavior.
1. Leave subtle flaw in your code
2. Share information with distant acquaintance
3. Profit!
Suppose you know an exploit in IIS or Exchange.
Do you sell it to those guys for $16K...
... or do you see what Microsoft will pay you NOT to sell it to them?
Could I just offer up a $16,000 bounty as well? 'Cause there's plenty of money to be made with 0day flaws.
Anyone can discover them, so it's plausible that two people can know the same flaw. So one party gets the flaw and gives the $16,000, then communicates the exploit to a third party who hacks in and gets trade secrets (or teh g0ld) and sells those, or whatever.
Twinstiq, game news
I'd like to second the grandparent's plug of Lighttpd. It's very light-weight and easy to configure. Apache has some features it doesn't, but those are all modules that I don't use, which just add to the amount of code that's running on my system and could be responsible for an exploit. Lighttpd seems to have been built with security in mind; it drops privileges and chroots itself at system start. If you want scripting language support, it talks to FastCGI servers, and those can run in their own chroots if you want even more paranoia.
I am TheRaven on Soylent News
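As an added illustration of the setup the comment above describes (this is an example written for this page, not configuration posted by the commenter or shipped by the Lighttpd project), here is a minimal lighttpd.conf that chroots the server, drops root to an unprivileged account, and hands scripting to a FastCGI backend over loopback so that backend can live in its own chroot under its own user. The directory layout, the `www-data` account and the backend address 127.0.0.1:9000 are assumptions.

```conf
# Added example, not from the post above. Paths, the service account and
# the FastCGI backend address are assumptions; adjust them to the host.
server.modules = ( "mod_access", "mod_fastcgi", "mod_accesslog" )

server.port = 80

# lighttpd must be started as root to bind port 80 and to chroot; it then
# confines itself to this directory. EVERY path below this line is
# interpreted relative to the chroot, not to the real filesystem.
server.chroot        = "/var/www"

# After chrooting, drop to an unprivileged account. Leave these two lines
# out and the daemon keeps running as root, chroot or not.
server.username      = "www-data"
server.groupname     = "www-data"

# Relative to the chroot: real path is /var/www/htdocs
server.document-root = "/htdocs"
# Relative to the chroot: real path is /var/www/log/access.log
accesslog.filename   = "/log/access.log"

# Refuse to serve editor backups and include files that end up in htdocs.
url.access-deny = ( "~", ".inc", ".bak" )

# Scripting is delegated to a separate FastCGI process (php-fpm, for
# example) reached over loopback TCP. Using TCP rather than a unix socket
# avoids having to place the socket inside lighttpd's chroot, and lets the
# backend run under a different user and a chroot of its own.
fastcgi.server = ( ".php" =>
  ( ( "host" => "127.0.0.1",
      "port" => 9000 ) )
)
```

The point worth checking after deploying something like this is that the chroot actually took effect: a request for a path outside `/var/www` should 404, and `ps` should show the worker running as `www-data` rather than root. If the FastCGI backend is also chrooted, remember that the script paths lighttpd passes to it must make sense inside the backend's chroot, which is a common source of "file not found" errors in this arrangement.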
Lighttpd may seem to have been built with security in mind, but it hasn't. Superficially Lighttpd does all the right security things, but search for "lighttpd memory leak." Secure software does not leak memory.
I can't speak to Scott Adams's story, but I do know of a large shop that thought a bug bounty like that was a good idea. A rising star in management with little technical knowledge but lots of new ideas thought that a bug bounty would be a good motivator for QA. Fortunately for the company the idea was squashed by a number of experienced software engineers before it was implemented.
Along a similar vein, one of the companies I worked for had an idea for spurring innovation and lateral thinking. The program was designed to find small improvements and cost savings on the production floor. The company offered a reward based on a percentage of the cost savings as well as a small gift. To give an idea of the expected cost savings, the gifts ranged from golf shirts to pen sets with the company logo. Nothing fancy. This program worked well until an employee found a way to save 15 million dollars. The employee did receive the award, but it was the last award paid. While it is nice of the company to offer incentives for new ideas, as this employee was an engineer it could easily be argued that it was his job to find 15 million dollars in savings.
As pointed out by many, the thing you showed isn't remotely exploitable. You need another means of access to the machine, with freakin' write access, to put code in a folder where it has script execute permission. Basically, you need a freakin' account on the box. Not quite it.
Only if you keep your sessions in the same process as your application. ASP.NET supports keeping your session in another process (potentially on another machine) or in a database (slightly slower, but can survive server restarts etc). See http://www.eggheadcafe.com/articles/20021016.asp for a quick summary.
You're correct about the application cache not surviving config changes, though typically this shouldn't be an issue as the cache is only for convenience: users won't feel the difference if there's a cache miss, but they will feel the difference if the session is lost.