> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 20, 2003 3:44 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] No Subject
>
> I think you misinterpreted my argumentation. In my eyes
> anyone who is not independently capable of verifying
> the exploitability, or at least devising the theory
> behind possible exploitation, of the ossh nul overflow
> is a "script kiddie". As you so aptly put it.
>

So there's the 1% l33ts like you, and then there's the 99% of the human populace that has other things to do besides squirrel around with code. I get it.

> Now if you're somewhat at home in heap mismanagement bugs
> you should know that this issue, provided you have a
> favourable heap layout (hooray for memory leaks),
> is exploitable on at least
> Linux. That's as far as I'll go. Remember apache? One
> man's DoS is another man's remote. For god's sake even
> ISS believes the issue to be exploitable. And Duke may
> be a lot of things, stupid he is not. (ok so maybe that's
> up for debate, hi Mark!) As far as the PAM issue goes,
> that's fucking trivial.

I learned in high school (which was a long long time ago) that there are those that say they can do something, and then there are those who don't say anything but do a lot. You appear to fall into the first category based on your ramblings.

>
> Now at the end of the day it's neither my duty nor my desire
> to release anything. I don't owe you shit. And I'm not about
> to post something that took a lot of research just to make a
> moot point. Any admin who did not patch their servers using
> "oh it's just a DoS" as justification should be fired on the
> spot. Again, and this is getting tiresome, a bug was
> recognised to be a security issue. Security issues get a
> priority to patch. It'd be a different story if it wasn't
> published as being a security issue.
>

Once again, another clueless code monkey who "admins" a network of one. I'm not impressed.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html