$16,000 Bounty for Sendmail, Apache Zero-Day Flaws

Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says its doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"

IIS and Exchange

[Anonymous Coward]

Easy money....easy money.

hMMM

[multipartmixed]

Does it count if we "find" a "hole" in the current CVS snapshot?

Re:IIS and Exchange

[ISwearNotmyPorn]

If you want to talk easy money think Sendmail.

IIS 6

[Anonymous Coward]

IIS 6 hasn't had a public remotely exploitable bug in it. Ever.

How can that be? IIS is crap! Slashdot tells me so!

Look at me, I'm a hacker

[Anonymous Coward]

$16000 is not worth the time to make the internet safer. Now stop bothering me while I spend my time trying to figure out how to save $15 by cracking DVDs. After that, I'm off to steal some music.

Re:IIS 6

[eln]

No one has ever found a hole in it because no one has ever managed to keep it up and running for long enough to find one without it crashing first.

Not to mention ability to convert O2 to CO2...

[Kadin2048]

Also, you may be able to collect multiple bounties from different organizations for the same hole.

True ... but I bet breaking an NDA with the Russian mob could adversely affect your ability to work in the computer-security field in the future.

Re:Exchange

[DrLov3]

Pfff.... Ms. Echange ....

No need to find a flaw, Ms exchange will crash on it's own. :P

Re:Not to mention ability to convert O2 to CO2...

[peragrin]

>>True ... but I bet breaking an NDA with the Russian mob could adversely affect your ability to work in the computer-security field in the future.

I didn't sign an NDA when i started working for the..... Oh high Vladmir, what are you doing he.....

Re:No, but...

[Darlantan]

Also, you may be able to collect multiple bounties from different organizations for the same hole.

Yeah, but pimpin' ain't easy.

Re:Tried Google?

[Anonymous Coward]

Just to narrow it down, I redid your search with quotes and found 67. But the first one's a blast. It goes to the "w4ck1ng" forum where the thread goes...

"Hello found this exploit: http://www.derkeiler.com/Mailing-Lis...5-04/0436.h tml [derkeiler.com] I have compiled it. And when i run it under linux, it gives me this error! [cut for brevity] ./iis.exe: 3: Syntax error: word unexpected (expecting ")") Anyone ?"

...and the response goes:

"you can not use exe files under unix y0u have to compile it with GCC..."

I *think* IIS is safe from *this* guy...

FYI

[Slashcrap]

I guess some people reading this may be more used to Windows and therefore not entirely familiar with the functionality of the Unix packages that were mentioned. Allow me to summarise :

OpenSSH - A service you can install on a Unix system to enable remote admin access for known users.

Sendmail - A service you can install on a Unix system to enable remote admin access for complete strangers.

Hope this helps.....

Re:$16,000

[networkBoy]

Well I have one exploit for each platform.
It is remote, and it is foolproof.
I want the money.
-nB

The exploit is to take the admins family hostage, demanding whatever code you want to be run in exchange for the family's safety.
Since you are using a phone to control the admin it is a remote exploit.
Have a nice day.

$16k

[Anonymous Coward]

money is the source of all evil code ... wait ... or is it the other way round?