just incase you missed it

foodog plug-discuss@lists.PLUG.phoenix.az.us
Tue, 08 May 2001 13:23:53 -0700


My $0.02.  I can understand posting Windows source code may be
inappropriate to a Linux list.  One could argue that posting exploit
code to the general discussion list could be considered misplaced.  I
don't, however, equate posting or possessing exploit code with being a
script kiddie, any more than owning or buying a rifle is the same as
being a sniper in a tower.

I considered it educational.  I read the source and had a brief snicker
that MS never learns their lessons.  Glancing at the 'sploit' data, the
large number of '0x90's (opcode for NOP) make it obvious that it's Yet
Another Buffer Overflow.  That MS would add a new internet service (the
printer thing, AFAIK it's IIS 5.0 only) and have that kind of error pass
through QC is incredible.

I'd suppose that the people who search out such holes just read the
What's New portion of the release notes to acquire their next target. 
By now, you *know* anything new is going to have huge embarrassing
security holes in it. 

MHO, FWIW it was an error but far from heinous.
Steve

Nigel Sollars wrote:
> 
> On Tue, 08 May 2001, you wrote:
> > In the interest of maintaining a professional list, and a professional
> > image, I would appreciate this type of posting not continue.  It has no
> > place here.  There are plenty of sites out there where we can get this
> > stuff if we were so inclined.  Highlighting Microsoft's inability to
> > patch the same overflow from one IIS version to the next does not
> > favorably promote Linux at all - in fact, it continues the negative
> > "Hacker OS" image that so many are working to overcome.
> >
> > Perhaps I'm showing my age, but I don't see how making some underpaid[1]
> > NT admin's life miserable by "0wning hiz b0x with a r00t wind0w" does
> > him any good.  Sure, he looks like a moron to his boss, and they'll
> > patch the OS (if they're lucky[2]), or pay some overpaid MCSE shyster to
> > do it for them.
> >
> > It also does not reflect well on you, as all you are doing is passing
> > on someone else's work, just like a script-kiddie.  This post would be
> > educational if you were to disassemble the embedded hex in unsigned
> > char sploit and discuss in detail how and why it works.  (Not simply
> > "it overruns the print buffer and sends me a console" - I got that much
> > from the SANS and Security Portal e-mails.)
> >
> > Anyone considering using this code might want to consider the
> > ramifications of the Computer Fraud and Abuse Act[3].  Personally, I
> > have more ambition than becoming Bubba's newest conquest.
> >
> > Yes, I was offended.
> >
> > George
> 
> Well well well
> 
> just for the record im no SkRiPT KidDiEE for 1
> 
> I was however at the Windows01 show in London last week promoting Linux to the
> masses there where the attitude was one of we need to get rid of Micro$haft
> 
> the post was purely one for fun and a cheap laugh ok so u may have been
> offended and the point is?
> 
> To be perfectly honest I found this one highly amusing after the slagging the
> opensource community got from the MicroSoft bods about security
> 
> I guess if we refuse to acknowledge these sploits as ammo for the open source
> community then we should pack our bags and head for richmond.
> 
> Nige
> 
> >
> >
> > References:
> > 1. SANS Salary Survey,
> > http://www.sans.org/newlook/publications/salary2000.htm, note 10.
> > 2. Security Portal,
> > http://securityportal.com/articles/ntspseven20010507.html
> > 3. Computer Fraud and Abuse Act, 18 U.S.C. § 1030
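Steve's remark that a long run of 0x90 bytes (the x86 NOP opcode) gives a payload away as a buffer overflow is the same heuristic intrusion detection uses to spot a NOP sled. As an added example, not code from any poster on the list, the Python below pulls the bytes out of a constructed `unsigned char sploit[] = "..."` literal (a harmless stand-in, not the IIS code that was posted) and flags a suspiciously long NOP run.

```python
import re

# 0x90 is the x86 NOP opcode; a long run of them (a "NOP sled") is the
# classic tell of a stack-smashing payload that Steve's post refers to.
NOP = 0x90

# Constructed stand-in for a C array in the style of the posted exploit.
# Bytes are "GET / HTTP", a 32-byte NOP sled, then 4 placeholder bytes.
SAMPLE_C_SOURCE = r'''
unsigned char sploit[] =
    "\x47\x45\x54\x20\x2f\x20\x48\x54\x54\x50"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\xcc\xcc\xcc\xcc";
'''

def bytes_from_c_literal(src: str) -> bytes:
    """Return the bytes of the first `name[] = "..." "...";` array in src.
    Handles \\xNN escapes and plain ASCII characters inside the quotes."""
    m = re.search(r'\[\]\s*=\s*((?:\s*"(?:[^"\\]|\\.)*")+)\s*;', src)
    if not m:
        raise ValueError("no C string array found")
    out = bytearray()
    for chunk in re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(1)):
        i = 0
        while i < len(chunk):
            if chunk[i] == "\\" and i + 1 < len(chunk) and chunk[i + 1] == "x":
                out.append(int(chunk[i + 2:i + 4], 16))
                i += 4
            else:
                out.append(ord(chunk[i]))
                i += 1
    return bytes(out)

def longest_nop_run(data: bytes) -> int:
    """Length of the longest unbroken run of NOP bytes in data."""
    best = run = 0
    for b in data:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best

def looks_like_nop_sled(data: bytes, min_run: int = 16) -> bool:
    """Crude detector: a run of min_run or more NOPs is treated as a sled.
    Legitimate data rarely contains long 0x90 runs; tune min_run per protocol."""
    return longest_nop_run(data) >= min_run
```

The same check can run over captured request bodies rather than C source; only the literal parser is specific to the posted format.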