OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 4th quarter (Oct-Dec) 1997: underestimating crackers

underestimating crackers

Tim Newsham (newshamALOHA.NET)
Wed, 1 Oct 1997 10:02:32 -1000

I've noticed something frightening in recent advisories from
vendors and software writers:

In cisco's recent advisory about CHAP vulnerabilities:

>  Cisco is not aware of these vulnerabilities having been exploited by "system
>  crackers", nor of any publicly available exploitation code. Cisco does not
>  believe that the details of the vulnerabilities are widely understood in the
>  cracker community. The theoretical possibility of these vulnerabilities has,
>  however, been discussed fairly openly among PPP security professionals.

In samba's recent advisory about samba overflows:

> The exploit for the security hole is very architecture specific and
> has been only demonstrated to work for Samba servers running on Intel
> based platforms. The exploit posted to the internet is specific to
> Intel Linux servers. It would be very difficult to produce an exploit
> for other architectures but it may be possible.

I hope these beliefs that the cracking community is somehow technically
inept and incapable of keeping up with the literature and overcoming
simple obstacles is not widespread.  If it is, I can understand why
security is so poor and crackers are able to waltz through systems
so easily.  I'm afraid these people are in for a serious wake up call.
And the sooner, the better.

                                            Tim N.