Slashdot Mirror

← Back to Stories (view on slashdot.org)

$16,000 Bounty for Sendmail, Apache Zero-Day Flaws

Posted by Zonk on from the step-right-up-rilly-big-shew dept.

Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says its doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"

25 of 173 comments (clear)

  1. $16,000 by Anonymous Coward · · Score: 5, Insightful

    arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies. Clearly, the so called experts aren't aware of the multitudes of enterprising folks living outside the inflated Western wage spectrum. For someone a little more eastbound, that's a nice chunk of change.

    1. Re:$16,000 by Mr.+Underbridge · · Score: 4, Insightful

      arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies. Clearly, the so called experts aren't aware of the multitudes of enterprising folks living outside the inflated Western wage spectrum. For someone a little more eastbound, that's a nice chunk of change.

      Not only that, but I'm assuming that claiming the prize and the advertising that goes with it - advertising your skills, that is - is the more valuable part. I'm imagining that the type of person who could claim the prize is interested in doing this sort of thing anyway. The prize would be a nice cash reward and a fantastic thing to put on a resume.

    2. Re:$16,000 by Anonymous Coward · · Score: 4, Informative

      Indeed, $16K is exactly 2.5 times the annual salary I used to make when I worked as a software engineer in Egypt.

  2. Re:IIS and Exchange by ISwearNotmyPorn · · Score: 3, Funny

    If you want to talk easy money think Sendmail.

  3. No, but... by TheSHAD0W · · Score: 3, Interesting

    It's a great reward if you've stumbled across a hole. Also, you may be able to collect multiple bounties from different organizations for the same hole. I think the bounty system has plenty of merit.

    1. Re:No, but... by Darlantan · · Score: 5, Funny

      Also, you may be able to collect multiple bounties from different organizations for the same hole.

      Yeah, but pimpin' ain't easy.

      --
      Fill in your four or five-letter word of wisdom here _ _ _ _ _.
  4. IIS 6 by Anonymous Coward · · Score: 5, Funny


    IIS 6 hasn't had a public remotely exploitable bug in it. Ever.

    How can that be? IIS is crap! Slashdot tells me so!

    1. Re:IIS 6 by eln · · Score: 5, Funny

      No one has ever found a hole in it because no one has ever managed to keep it up and running for long enough to find one without it crashing first.

    2. Re:IIS 6 by Viraptor · · Score: 3, Informative

      > IIS 6 hasn't had a public remotely exploitable bug in it. Ever.

      "Microsoft Internet Information Services ASP Code Buffer Overflow"
      http://secunia.com/advisories/21006/

      Software:
      - Microsoft Internet Information Services (IIS) 5.x
      - Microsoft Internet Information Services (IIS) 6

      Impact:
      - System access
      - Security Bypass

      Where:
      - From remote

      "hasn't had a public remotely exploitable bug"? Ever? Yes, of course - ever ;)

    3. Re:IIS 6 by EraserMouseMan · · Score: 4, Informative

      From your link, "Successful exploitation allows bypassing any security restrictions enforced by ASP or execution of API's with no ASP equivalent, but requires permissions to upload ASP code to a web folder."

      This is not a remotely exploitable bug. Nice try though.

    4. Re:IIS 6 by TheRaven64 · · Score: 3, Interesting

      I'd like to second the grandparent's plug of Lighttpd. It's very light-weight and easy to configure. Apache has some features it doesn't, but those are all module that I don't use, which just add to the amount of code that's running on my system and could be responsible for an exploit. Lighttpd seems to have been built with security in mind; it drops privileges and chroots itself at system start. If you want scripting language support, it talks to fastcgi servers, and those can run in their own chroots if you want even more paranoia.

      --
      I am TheRaven on Soylent News
    5. Re:IIS 6 by Bishop · · Score: 5, Interesting

      Lighttpd may seem to have been built with security in mind, but it hasn't. Superficially Lighttpd does all the right security things, but search for "lighttpd memory leak." Secure software does not leak memory.

  5. Look at me, I'm a hacker by Anonymous Coward · · Score: 5, Funny

    $16000 is not worth the time to make the internet safer. Now stop bothering me while I spend my time trying to figure out how to save $15 by cracking DVDs. After that, I'm off to steal some music.

    1. Re:Look at me, I'm a hacker by int14 · · Score: 3, Insightful

      Breaking DVD encryption is important for fair use IMHO, and I doubt the guys who have worked on this are completely motivated by saving money buying DVDs.

  6. Entrapment? by Anarchysoft · · Score: 4, Insightful

    Considering that creating exploits and/or publishing them is considered a criminal offense in some jurisdictions, I wonder how many submissions they'll get. Especially when a good unknown exploit could be worth far more than 16,000.

    --
    Hax-fu?
  7. Not to mention ability to convert O2 to CO2... by Kadin2048 · · Score: 5, Funny

    Also, you may be able to collect multiple bounties from different organizations for the same hole.

    True ... but I bet breaking an NDA with the Russian mob could adversely affect your ability to work in the computer-security field in the future.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  8. Free money by ThanatosMinor · · Score: 5, Interesting

    I wonder if the current rise in prizes being offered for discovering vulnerabilities in code might lead to some sneaky behavior.

    1. Leave subtle flaw in your code
    2. Share information with distant acquaintance
    3. Profit!

    1. Re:Free money by Nos. · · Score: 3, Insightful

      From Anton Chuvakin's Blog:
      ...most scary cyber-criminal of the future is not a spammer, a scammer, a phisher or a pharmer, and not even a good ole "cracker" - it is an unethical software engineer, who changes the code slightly to introduce a weakness (or a full-blown backdoor or a logic bomb) and later uses or sells this knowledge

  9. Bragging All the Way to the Poor House by queenb**ch · · Score: 3, Insightful

    Here are the terms of the challenge -

    * The vulnerability must be remotely exploitable and must allow arbitrary code execution in a typical installation of one of the technologies listed above

    Ok, so you pick some of the oldest and most robust technologies around - things that have had a LOT of the bugs worked out of them already and things are you're not that likely to have to pay out on.

    * The vulnerability must exist in the latest version of the affected technology with all available patches and/or upgrades applied
    * 'RC' (Release candidate), 'Beta', 'Technology Preview' and similar versions of the listed technologies are not included in this challenge

    So you eliminate any upcoming versions, but you forget to exclude the previous versions....

    * The vulnerability must be original and not previously disclosed to any party

    So if I've already informed the software maker, it's out, further reducing the likelihood of any kind of a payment having to be made.

    * The vulnerability cannot be caused by or require any additional third party software installed on the target system

    Reasonable, but...and this is a big but....many things are quite secure on their own, but not so much so when you actually start using them. Prime example, Apache. Apache on it's own is fine. Install one of the open source PHP web apps and then see how secure it is. How many people run Apache serving up hand coded HTML?

    * The vulnerability must not require any social engineering

    This is because we all know that there is no patch for human stupidity...though I've never seen it admitted quite so blatantly.

    PHOOEY ON YOUR CHALLENGE

    It would take me a lot of man hours to come up with something, more to code an exploit for it and by the time I'm done...I'd be better off financially if I had worked at Wal-Mart for those hours. $16,000 divided by 4 (people on my team) = $4000 each. Let's say we spend 5 weeks on this. That's 200 hours each. That works out to having a chance to get $20/hr. And frankly, I think that 200 hours each is pretty optimistic. We're talking about pouring over their code base, becoming familiar with it, and looking for places that we can try to break it. That's in excess of 89,000 lines of code just for Apache and more than another 70,000 for Sendmail. Then we have to load it up, write some code to test the exploit, and run it to see if works. If it doesn't on the first try, it's rinse and repeat until we give up on that possible exploit and try a different one.

    I'm guessing that this is more of a publicity stunt than anything else. Anyone in the industry should know better. This has to be something that the marketing poohbah's have dreamed up. Just more marketing hype so that they can say, "We're more secure than those other guys. We ran our challenge and we didn't get anything. These apps are safe to use."

    2 cents,

    Queen B.

    --
    HDGary secures my bank :/
  10. Tried Google? by Anarchysoft · · Score: 3, Informative

    "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." That's funny. A quick search seems to reveal many!
    --
    Hax-fu?
    1. Re:Tried Google? by Anonymous Coward · · Score: 4, Funny

      Just to narrow it down, I redid your search with quotes and found 67. But the first one's a blast. It goes to the "w4ck1ng" forum where the thread goes...

      "Hello found this exploit: http://www.derkeiler.com/Mailing-Lis...5-04/0436.h tml I have compiled it. And when i run it under linux, it gives me this error! [cut for brevity] ./iis.exe: 3: Syntax error: word unexpected (expecting ")") Anyone ?"

      ...and the response goes:

      "you can not use exe files under unix y0u have to compile it with GCC..."

      I *think* IIS is safe from *this* guy...

  11. Re:Bidding war. by MarkGriz · · Score: 4, Insightful

    "Do you sell it to those guys for $16K ... or do you see what Microsoft will pay you NOT to sell it to them?"

    Neither. You auction it off to the highest bidding spamgang. Or so I've heard.

    --
    Beauty is in the eye of the beerholder.
  12. Re:IIS and Exchange by icepick72 · · Score: 3, Insightful

    Yes because we all know the public exploits just sitting out there are totally ignored by hackers in favour of the um non-public ones. Ummmm .... so ..... IIS must therefore be insecure because surely we can't say anything good about it here. I mean it's a piece of shit because we can hypothesize unstated scenarios about it.
    I think it does means a lot to many people when a piece of software has never had a publicly exploitable hole.

  13. FYI by Slashcrap · · Score: 5, Funny

    I guess some people reading this may be more used to Windows and therefore not entirely familiar with the functionality of the Unix packages that were mentioned. Allow me to summarise :

    OpenSSH - A service you can install on a Unix system to enable remote admin access for known users.

    Sendmail - A service you can install on a Unix system to enable remote admin access for complete strangers.

    Hope this helps.....

  14. Re:Already in real life. by Phleg · · Score: 4, Insightful

    What the fuck? Employee figures out way to save us $15 million. Employee parts with $1 million. Net savings: $14 million. So the company netted $14 million, and suddenly thinks this whole thing was a bad idea?

    --
    No comment.