$16,000 Bounty for Sendmail, Apache Zero-Day Flaws

Posted by Zonk on Fri May 18, 2007 03:05 PM
from the step-right-up-rilly-big-shew dept.
Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says it's doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"

  • $16,000 (Score:5, Insightful)

    by Anonymous Coward on Friday May 18 2007, @03:08PM (#19182967)
    arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.

    Clearly, the so called experts aren't aware of the multitudes of enterprising folks living outside the inflated Western wage spectrum. For someone a little more eastbound, that's a nice chunk of change.
    • Re:$16,000 (Score:5, Insightful)

      by Mr. Underbridge (666784) on Friday May 18 2007, @03:17PM (#19183089)

      arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies. Clearly, the so called experts aren't aware of the multitudes of enterprising folks living outside the inflated Western wage spectrum. For someone a little more eastbound, that's a nice chunk of change.

      Not only that, but I'm assuming that claiming the prize and the advertising that goes with it - advertising your skills, that is - is the more valuable part. I'm imagining that the type of person who could claim the prize is interested in doing this sort of thing anyway. The prize would be a nice cash reward and a fantastic thing to put on a resume.

    • Bidding war. (Score:3, Interesting)

      Suppose you know an exploit in IIS or Exchange.

      Do you sell it to those guys for $16K ... or do you see what Microsoft will pay you NOT to sell it to them?
      • Re:Bidding war. (Score:5, Insightful)

        by MarkGriz (520778) on Friday May 18 2007, @04:02PM (#19183767)
        "Do you sell it to those guys for $16K ... or do you see what Microsoft will pay you NOT to sell it to them?"

        Neither. You auction it off to the highest bidding spamgang. Or so I've heard.

    • Re:$16,000 (Score:4, Informative)

      by Anonymous Coward on Friday May 18 2007, @03:38PM (#19183371)
      Indeed, $16K is exactly 2.5 times the annual salary I used to make when I worked as a software engineer in Egypt.
  • hMMM (Score:3, Funny)

    by multipart/mixed (163409) on Friday May 18 2007, @03:08PM (#19182969)
    Does it count if we "find" a "hole" in the current CVS snapshot?
  • No, but... (Score:4, Interesting)

    by TheSHAD0W (258774) on Friday May 18 2007, @03:09PM (#19182985) Homepage
    It's a great reward if you've stumbled across a hole. Also, you may be able to collect multiple bounties from different organizations for the same hole. I think the bounty system has plenty of merit.
  • IIS 6 (Score:5, Funny)

    by Anonymous Coward on Friday May 18 2007, @03:10PM (#19183005)

    IIS 6 hasn't had a public remotely exploitable bug in it. Ever.

    How can that be? IIS is crap! Slashdot tells me so!

    • Re:IIS 6 (Score:5, Funny)

      by eln (21727) on Friday May 18 2007, @03:14PM (#19183053) Homepage
      No one has ever found a hole in it because no one has ever managed to keep it up and running for long enough to find one without it crashing first.
          • Re:IIS 6 (Score:4, Interesting)

            by TheRaven64 (641858) on Friday May 18 2007, @04:24PM (#19184135) Homepage Journal
            I'd like to second the grandparent's plug of Lighttpd. It's very light-weight and easy to configure. Apache has some features it doesn't, but those are all modules that I don't use, which just add to the amount of code that's running on my system and could be responsible for an exploit. Lighttpd seems to have been built with security in mind; it drops privileges and chroots itself at system start. If you want scripting language support, it talks to fastcgi servers, and those can run in their own chroots if you want even more paranoia.
            • Re:IIS 6 (Score:5, Interesting)

              by Bishop (4500) on Friday May 18 2007, @04:48PM (#19184471)
              Lighttpd may seem to have been built with security in mind, but it hasn't. Superficially Lighttpd does all the right security things, but search for "lighttpd memory leak." Secure software does not leak memory.
    • Re: (Score:3, Informative)

      > IIS 6 hasn't had a public remotely exploitable bug in it. Ever.

      "Microsoft Internet Information Services ASP Code Buffer Overflow"
      http://secunia.com/advisories/21006/ [secunia.com]

      Software:
      - Microsoft Internet Information Services (IIS) 5.x
      - Microsoft Internet Information Services (IIS) 6

      Impact:
      - System access
      - Security Bypass

      Where:
      - From remote

      "hasn't had a public remotely exploitable bug"? Ever? Yes, of course - ever ;)
      • Re:IIS 6 (Score:5, Informative)

        by EraserMouseMan (847479) on Friday May 18 2007, @03:33PM (#19183307)
        From your link, "Successful exploitation allows bypassing any security restrictions enforced by ASP or execution of API's with no ASP equivalent, but requires permissions to upload ASP code to a web folder."

        This is not a remotely exploitable bug. Nice try though.
  • by Anonymous Coward on Friday May 18 2007, @03:11PM (#19183023)
    $16000 is not worth the time to make the internet safer. Now stop bothering me while I spend my time trying to figure out how to save $15 by cracking DVDs. After that, I'm off to steal some music.
  • Entrapment? (Score:5, Insightful)

    by Anarchysoft (1100393) <anarchy@@@anarchysoft...com> on Friday May 18 2007, @03:13PM (#19183035) Homepage
    Considering that creating exploits and/or publishing them is considered a criminal offense in some jurisdictions, I wonder how many submissions they'll get. Especially when a good unknown exploit could be worth far more than 16,000.
  • Free money (Score:5, Interesting)

    by ThanatosMinor (1046978) on Friday May 18 2007, @03:26PM (#19183201)
    I wonder if the current rise in prizes being offered for discovering vulnerabilities in code might lead to some sneaky behavior.

    1. Leave subtle flaw in your code
    2. Share information with distant acquaintance
    3. Profit!
  • by 7-Vodka (195504) on Friday May 18 2007, @03:33PM (#19183297) Journal

    ...arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.

    Maybe there are people out there who already have more than one exploit for these and wouldn't mind trading one in for a legal source of quick cash. Who knows? 16k buys a very nice chunk of electronics for people who don't need the money for anything else.

  • FYI (Score:5, Funny)

    by Slashcrap (869349) on Friday May 18 2007, @04:44PM (#19184411)
    I guess some people reading this may be more used to Windows and therefore not entirely familiar with the functionality of the Unix packages that were mentioned. Allow me to summarise:

    OpenSSH - A service you can install on a Unix system to enable remote admin access for known users.

    Sendmail - A service you can install on a Unix system to enable remote admin access for complete strangers.

    Hope this helps.....
    • If you want to talk easy money think Sendmail.
      • Ummmm, try BIND.

        BTW -- TFA says that IIS 6 hasn't had a single public remotely-exploitable hole. That means essentially nothing to me, because most serious 'hackers' aren't using public exploits.
        • by icepick72 (834363) on Friday May 18 2007, @04:15PM (#19183999)
          Yes because we all know the public exploits just sitting out there are totally ignored by hackers in favour of the um non-public ones. Ummmm .... so ..... IIS must therefore be insecure because surely we can't say anything good about it here. I mean it's a piece of shit because we can hypothesize unstated scenarios about it.
          I think it does mean a lot to many people when a piece of software has never had a publicly exploitable hole.
    • by Anonymous Coward on Friday May 18 2007, @04:14PM (#19183963)

      Just to narrow it down, I redid your search with quotes and found 67. But the first one's a blast. It goes to the "w4ck1ng" forum where the thread goes...

      "Hello found this exploit: http://www.derkeiler.com/Mailing-Lis...5-04/0436.h tml [derkeiler.com] I have compiled it. And when i run it under linux, it gives me this error! [cut for brevity] ./iis.exe: 3: Syntax error: word unexpected (expecting ")") Anyone ?"

      ...and the response goes:

      "you can not use exe files under unix y0u have to compile it with GCC..."

      I *think* IIS is safe from *this* guy...