
Re: [LI] root access from old sendmail boxes



[replying to various posts]

Thus spake Atul Chitnis:

> Give you a chance to do what? Do you know how many script-kiddies are
> going to try out such "titbits" just for the heck now?

Only thing, most of the script kiddies and budding crackers [1] would
already have looked at the common sites - http://www.rootshell.com ,
http://www.cert.org , the BugTraq archives (posts from which, mirrored on
rootshell.com I quoted) etc etc.

[1] ~Not~ Hackers - Crackers are those who illegally break into systems

When $SoftwareMaker issues an alert re security holes, it's after -

1. It's been all over the hacker chat and newsgroups, followed by
more respectable places like bugtraq and /. (e&oe, slashdot ~is~ a bit
silly <g>)

2. $SoftwareMaker finds out, makes extensive tests and replicates the hack
at least once or twice

3. $SoftwareMaker patches the hole and releases an upgrade

[of course, some security holes are discovered and fixed internally,
before a hacker / bugtraq points it out to them]

> > Honestly, I would not have believed Mr. Suresh if he said "Sendmail 8.8.4
> > has a bug that crackers can exploit to gain r00t.", without giving the
> > details.

Which is why I posted it.  

> sense to understand that if there *is* a new version of sendmail out
> there, and dire warnings hanging all over the place about old sendmail

and one more place - LI ;)

> Try this - go to Linux Weekly News, Linux Today or even SlashDot and see
> if they tell you in explicit detail how a crack can be achieved. They do

Try these - go to Bugtraq, Rootshell, CERT etc etc.  These are for network
security, Linux Today etc are, generally, for Linux.  So, they won't get
into too much detail about it, but link to the appropriate bugtraq post /
CERT advisory.

> Raj Mathur posts lots of security bulletins here. Have a look at them -
> do they mention details? They do not, but the second he posts one here, we

Raju posts in detail, using the bounce command to forward bugfix reports
from debian-announce etc etc to LI.  When rms / aleph one or whoever has
posted the report says so, ~then~ you'll see this scramble.

When someone like poor old me stands out yelling about "security holes",
then there's a general feeling that I'm crying wolf.

Urmil Parikh:

> That's true. If you publish a crack openly, everybody can know it and
> protect their systems. Doesn't it give advantages similar to open source?

Indranil:

> In a perfect world it would.... however since we are not living in one
> such, revealing the inner details of an exploit is not always a very
> good thing....

There's nothing very "inner" about it, actually.  It's publicly available
(since the past 4 years) on sites regularly used by network security
people.  Script kiddie boards would give you something even further - say
cracks to break into redhat 6.1 (or whatever)

-- 
Suresh Ramasubramanian     | President, CAUCE India
r.suresh@xxxxxxxxxxxxxxx   | suresh@xxxxxxxxxxxxxxx
http://www.india.cauce.org | Stopping Spam In India
--
FORTH IF HONK THEN

--------------------------------------------------------------------
The Linux India Mailing List Archives are now available.  Please search
the archive at http://lists.linux-india.org/ before posting your question
to avoid repetition and save bandwidth.