$16,000 Bounty for Sendmail, Apache Zero-Day Flaws 173
Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says its doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"
$16,000 (Score:5, Insightful)
Entrapment? (Score:5, Insightful)
Re:$16,000 (Score:5, Insightful)
arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies. Clearly, the so called experts aren't aware of the multitudes of enterprising folks living outside the inflated Western wage spectrum. For someone a little more eastbound, that's a nice chunk of change.
Not only that, but I'm assuming that claiming the prize and the advertising that goes with it - advertising your skills, that is - is the more valuable part. I'm imagining that the type of person who could claim the prize is interested in doing this sort of thing anyway. The prize would be a nice cash reward and a fantastic thing to put on a resume.
Re:IIS and Exchange (Score:3, Insightful)
BTW -- TFA says that IIS 6 hasn't had a single public remotely-exploitable hole. That means essentially nothing to me, because most serious 'hackers' aren't using public exploits.
maybe someone has already done the work (Score:3, Insightful)
Maybe there are people out there who already have more than one exploit for these and wouldn't mind trading one in for a legal source of quick cash. Who knows? 16k buys very a nice chunk of electronics for people who don't need the money for anything else.
Re:Free money (Score:3, Insightful)
From Anton Chuvakin's Blog [blogspot.com]:
...most scary cyber-criminal of the future is not a spammer, a scammer, a phisher or a pharmer, and not even a good ole "cracker" - it is an unethical software engineer, who changes the code slightly to introduce a weakness (or a full-blown backdoor or a logic bomb) and later uses or sells this knowledge
Bragging All the Way to the Poor House (Score:3, Insightful)
Here are the terms of the challenge -
* The vulnerability must be remotely exploitable and must allow arbitrary code execution in a typical installation of one of the technologies listed above
Ok, so you pick some of the oldest and most robust technologies around - things that have had a LOT of the bugs worked out of them already and things are you're not that likely to have to pay out on.
* The vulnerability must exist in the latest version of the affected technology with all available patches and/or upgrades applied
* 'RC' (Release candidate), 'Beta', 'Technology Preview' and similar versions of the listed technologies are not included in this challenge
So you eliminate any upcoming versions, but you forget to exclude the previous versions....
* The vulnerability must be original and not previously disclosed to any party
So if I've already informed the software maker, it's out, further reducing the likelihood of any kind of a payment having to be made.
* The vulnerability cannot be caused by or require any additional third party software installed on the target system
Reasonable, but...and this is a big but....many things are quite secure on their own, but not so much so when you actually start using them. Prime example, Apache. Apache on it's own is fine. Install one of the open source PHP web apps and then see how secure it is. How many people run Apache serving up hand coded HTML?
* The vulnerability must not require any social engineering
This is because we all know that there is no patch for human stupidity...though I've never seen it admitted quite so blatantly.
PHOOEY ON YOUR CHALLENGE
It would take me a lot of man hours to come up with something, more to code an exploit for it and by the time I'm done...I'd be better off financially if I had worked at Wal-Mart for those hours. $16,000 divided by 4 (people on my team) = $4000 each. Let's say we spend 5 weeks on this. That's 200 hours each. That works out to having a chance to get $20/hr. And frankly, I think that 200 hours each is pretty optimistic. We're talking about pouring over their code base, becoming familiar with it, and looking for places that we can try to break it. That's in excess of 89,000 lines of code just for Apache and more than another 70,000 for Sendmail. Then we have to load it up, write some code to test the exploit, and run it to see if works. If it doesn't on the first try, it's rinse and repeat until we give up on that possible exploit and try a different one.
I'm guessing that this is more of a publicity stunt than anything else. Anyone in the industry should know better. This has to be something that the marketing poohbah's have dreamed up. Just more marketing hype so that they can say, "We're more secure than those other guys. We ran our challenge and we didn't get anything. These apps are safe to use."
2 cents,
Queen B.
Re:Bidding war. (Score:5, Insightful)
Neither. You auction it off to the highest bidding spamgang. Or so I've heard.
Re:IIS and Exchange (Score:4, Insightful)
I think it does means a lot to many people when a piece of software has never had a publicly exploitable hole.
Re:IIS and Exchange (Score:1, Insightful)
Re:IIS 6 (Score:2, Insightful)
PHP was just easy and very popular. Usually unexperienced developers create security problems, not the language itself.
Re:IIS and Exchange (Score:2, Insightful)
Put the fanboi attitude away and think about logically and you'll know what I'm talking about. This applies to all applications and operating systems, not just IIS or Microsoft's products.
Re:Look at me, I'm a hacker (Score:3, Insightful)
Re:Tried Google? (Score:3, Insightful)
Re:IIS 6 (Score:2, Insightful)
Re:Tried Google? (Score:2, Insightful)
Yes. Just like this would:
Or like this:
Comes to mind... That last one was used when some people I know from IRC cracked open one TV company's web site here in Finland.
But above examples doesn't work in IIS6/ASP.NET since framework doesn't let you shoot yourself in the foot so easily. ASP.NET checks input and prevents submitting suspicous data unless you specifically tell it to let it through. Also you would have to write something like 10 rows more code to compile and run code on-the-fly.
Re:Already in real life. (Score:5, Insightful)
Re:Alrighty Then (Score:3, Insightful)
The article summary itself states:
I laughed. From there...
If you don't think it's funny, fine. If you want to use IIS, fine. Do it at your own risk.
IIS 5 was so insecure that you could actually execute code on the host machine by simply accessing a URL - leaving the machine vulnerable even if you were just serving up static HTML files.
IIS 6 is so secure that an end user has to upload a file to execute code on the host machine, or they could just send a webDAV request and effectively remove the machine from service. If you call that secure, fine. You and I obviously have differing opinions.
Yes, IIS 6 is better than IIS 5. To purport that it is a SECURE platform that has never been exploited is just plain false.