Kuro5hin.org: technology and culture, from the trenches
Exploits, copyright, and disclosure

By nevauene in Internet
Fri Aug 24, 2001 at 08:08:48 PM EST
Tags: Round Table (all tags)

On July 18, 2001 the TESO Security Group released an advisory about a buffer overflow in most Unix telnet daemons (all those derived from the BSD telnetd code, including the Linux netkit-telnetd). It turned out that TESO had been researching the vulnerability for several months and had built a working BSD exploit in-house. But somehow this private exploit ended up in the hands of script kiddies before the advisory was released, and so began a strange story of damage control, copyright dispute, and the old full-disclosure debate.


The bug was an obscure one: a buffer overflow that could only be triggered by a particular combination of telnet options, with AYT (Are You There) command sequences as the linchpin. Only a very limited set of characters could be pushed out of bounds, so doing something useful with it, such as getting shellcode in place, would be far from trivial, and impossible on some architectures. Certainly not script-kiddie stuff. TESO's advisory stated, under the heading "Exploit", "Not this time. Not here." An unusual choice for a group usually happy to toss "script-kiddie friendly" exploits into the wild to apply pressure on vendors.
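As an added illustration of the bug class the paragraph above describes (not TESO's exploit, and not the netkit or BSD telnetd source), the following C model queues a fixed acknowledgement string into a bounded reply buffer once per IAC AYT sequence it sees in the client's input. The buffer size, the guard region behind it and the reply text `\r\n[Yes]\r\n` are assumptions chosen to make the overrun visible; the IAC (255) and AYT (246) byte values are the real telnet command codes from RFC 854. The unchecked path writes the reply past the end of the buffer once a client has sent more AYTs than the buffer can absorb, which is why the bytes that land out of bounds are limited to the contents of that one reply string. The checked path refuses a reply that would not fit.

```c
/* Model of the telnetd AYT reply-buffer overflow class: unchecked vs bounded append.
 * Constructed example; not TESO's exploit and not netkit/BSD telnetd source. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define IAC 255           /* telnet "Interpret As Command" (RFC 854) */
#define AYT 246           /* telnet "Are You There" (RFC 854) */
#define BUF_SIZE   64     /* assumed: small reply buffer so the overrun is easy to see */
#define GUARD_SIZE 16     /* models whatever sits after the buffer in memory */

/* Assumed fixed acknowledgement. The attacker chooses how many times it is written,
 * not what it contains: that is the "limited set of characters" pushed out of bounds. */
static const char AYT_REPLY[] = "\r\n[Yes]\r\n";
#define REPLY_LEN (sizeof AYT_REPLY - 1)

struct outbuf {
    unsigned char mem[BUF_SIZE + GUARD_SIZE]; /* [0, BUF_SIZE) is the reply buffer */
    size_t len;                               /* bytes queued in the reply buffer */
    size_t dropped;                           /* replies refused by the bounded path */
};

typedef void (*append_fn)(struct outbuf *, const char *, size_t);

static void outbuf_init(struct outbuf *o)
{
    memset(o, 0, sizeof *o);
    memset(o->mem + BUF_SIZE, 'G', GUARD_SIZE); /* known pattern beyond the buffer */
}

/* Count guard bytes overwritten: nonzero means the reply buffer was overrun. */
static size_t guard_clobbered(const struct outbuf *o)
{
    size_t n = 0;
    for (size_t i = BUF_SIZE; i < sizeof o->mem; i++)
        if (o->mem[i] != 'G') n++;
    return n;
}

/* Vulnerable: trusts that nobody ever queues more than BUF_SIZE bytes. */
static void append_unchecked(struct outbuf *o, const char *p, size_t n)
{
    if (o->len + n > sizeof o->mem)   /* keep the demo inside its own object; */
        n = sizeof o->mem - o->len;   /* a real daemon would have no such stop */
    memcpy(o->mem + o->len, p, n);
    o->len += n;
}

/* Hardened: refuse the reply when it would not fit (a real daemon would flush first). */
static void append_checked(struct outbuf *o, const char *p, size_t n)
{
    if (n > BUF_SIZE - o->len) { o->dropped++; return; }
    memcpy(o->mem + o->len, p, n);
    o->len += n;
}

/* Scan client input and queue one reply per IAC AYT; returns the number of AYTs seen. */
static size_t process_input(struct outbuf *o, const unsigned char *in, size_t n, append_fn append)
{
    size_t ayts = 0;
    for (size_t i = 0; i + 1 < n; i++) {
        if (in[i] == IAC && in[i + 1] == AYT) {
            append(o, AYT_REPLY, REPLY_LEN);
            ayts++;
            i++;                      /* skip the command byte */
        }
    }
    return ayts;
}

/* Constructed probe: k back-to-back IAC AYT sequences, as a hostile client would send. */
static size_t build_ayt_stream(unsigned char *buf, size_t cap, size_t k)
{
    size_t n = 0;
    for (size_t i = 0; i < k && n + 2 <= cap; i++) { buf[n++] = IAC; buf[n++] = AYT; }
    return n;
}

static struct outbuf run(size_t k, append_fn append)
{
    unsigned char probe[512];
    struct outbuf o;
    outbuf_init(&o);
    size_t n = build_ayt_stream(probe, sizeof probe, k);
    process_input(&o, probe, n, append);
    return o;
}

size_t unchecked_guard_clobbered(size_t k) { struct outbuf o = run(k, append_unchecked); return guard_clobbered(&o); }
size_t checked_guard_clobbered(size_t k)   { struct outbuf o = run(k, append_checked);   return guard_clobbered(&o); }
size_t checked_dropped(size_t k)           { struct outbuf o = run(k, append_checked);   return o.dropped; }

int main(void)
{
    for (size_t k = 6; k <= 9; k++)
        printf("%zu AYTs: unchecked path overruns %zu guard bytes; checked path drops %zu replies\n",
               k, unchecked_guard_clobbered(k), checked_dropped(k));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. With the assumed 64-byte buffer, seven 9-byte replies fit and the eighth overruns the guard by eight bytes, while the bounded path drops the eighth reply and leaves the guard untouched. The point the model makes is the one the advisory implies: the client controls only how many copies of a fixed string land beyond the buffer, which is what made a reliable exploit hard and platform-dependent rather than impossible.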

However, TESO's own exploit had mysteriously found its way into the underground quite a while before the advisory was released. TESO has not been very clear about what happened, stating only that it was 'stolen' from their network.

The shit hit the fan immediately. BSD admins daft enough to still expose telnetd to the outside world instead of using more secure alternatives were promptly owned (with the exception of OpenBSD, which compiled telnetd with different options and so escaped the vanilla exploit). TESO released their advisory in an apparent panic, urging admins to disable telnetd altogether.

Others started to examine the problem, and soon exploits had been written for Linux (all netkit versions of telnetd prior to 0.17 being vulnerable) and Tru64. In the case of Linux, Debian was partially protected because its telnetd ran as the unprivileged user 'telnetd' rather than as root, so a successful exploit yielded only that account's privileges rather than the whole machine. Probably as I write this there are still systems getting owned, since we all know how much attention most admins pay to such security issues, and how quickly they patch their systems.

But things got weird on July 24th, when someone posted TESO's telnetd exploit to BugTraq. scut of TESO quickly replied:
Although a lot of Bugtraq readers might not agree with me here, I think there is a right under which I can deny the disclosure of this source code. Call it privacy, call it copyright, I do not care about its name.
The exploit's code had explicitly stated:
The contents of these coded instructions, statements and computer programs may not be disclosed to third parties, copied or duplicated in any form, in whole or in part, without the prior written permission of TESO Security. This includes especially the Bugtraq mailing list, the www.hack.co.za website and any public exploit archive.


BugTraq moderator Elias Levy agreed and apologized, deleting the exploit code from the list archives. But others spoke up to question whether any such claim of copyright could be considered valid given that this is, after all, an exploit, its own legality resting in a grey area. "You fucked up, it's in the wild," some seemed to be saying, "now it's ours to research." Indeed this seems quite reasonable to me. TESO may claim that they were trying to prevent the exploit from spreading further and to limit the damage it caused, but the case for this is pretty flimsy. It was already all over the underground, and this author had little trouble finding it for himself. The only people TESO managed to keep away from it were the admins subscribing to security lists; the script kiddies already had it. This in itself is a little strange. The details are few and far between, but it is highly unlikely, to say the least, that script kiddies rooted Team TESO's systems and stole the sploit from their network remotely. Something else happened here, and TESO won't say. Instead they chose to threaten SecurityFocus with a lawsuit.

Given how many systems were affected, it seems reasonable and responsible that TESO should have gone the partial-disclosure route, at least at first: let the vendors patch their daemons, give the security-conscious admins a chance to update, then let the shit fly. But in this case something much stranger went on; the process essentially ran in reverse. TESO's incompetence let the exploit out into the wild before anyone even knew of the bug, and even after that they chose the partial-disclosure route, going so far as to make utterly absurd legal threats to keep the exploit hidden. Hidden from the admins reading BugTraq, that is....

Exploits, copyright, and disclosure | 16 comments (16 topical, 0 editorial, 0 hidden)
I missed this ... (2.75 / 4) (#1)
by joegee on Fri Aug 24, 2001 at 05:06:31 PM EST

My provider was having email problems and all of my Bugtraq emails from the weekend bounced. Thanks for the info.

On the editorial side, this is a well-written, informative article with a bit of judicious op-ed thrown in for good measure. +1 FP from me.

Thanks again for the heads up,

-Joe G.

--
I always learn something on K5, sometimes in spite of myself.
you realize that (2.66 / 3) (#6)
by cicero on Fri Aug 24, 2001 at 08:53:25 PM EST

this was from like a month ago, right?


--
I am sorry Cisco, for Microsoft has found a new RPC flaw - tonight your e0 shall be stretched wide like goatse.
[ Parent ]
I plead functional idiocy ... (NT) (none / 0) (#11)
by joegee on Sat Aug 25, 2001 at 05:49:41 PM EST



--
I always learn something on K5, sometimes in spite of myself.
[ Parent ]
no problem, (3.00 / 2) (#13)
by cicero on Sun Aug 26, 2001 at 04:11:33 AM EST

I just wanted to make sure you weren't thinking that this was 0 day info.


--
I am sorry Cisco, for Microsoft has found a new RPC flaw - tonight your e0 shall be stretched wide like goatse.
[ Parent ]
Thanks, actually ... (none / 0) (#14)
by joegee on Sun Aug 26, 2001 at 01:26:18 PM EST

for some reason I read 7/24 as 8/24.

Non-functional literacy is a problem in today's world. :)

--
I always learn something on K5, sometimes in spite of myself.
[ Parent ]
copyright (4.00 / 2) (#2)
by Delirium on Fri Aug 24, 2001 at 06:23:37 PM EST

While your arguments about what TESO should have done seem valid, I think it's still pretty clear that they don't have to release the code, or allow its dissemination, if they do not wish to. It's copyrighted code, and thus theirs to license as they wish. You mention that the code itself is of questionable legality, but if it is in fact illegal, that would only make disseminating it more illegal, not less.

Well, maybe not (none / 0) (#8)
by baptiste on Sat Aug 25, 2001 at 06:01:32 AM EST

Like the linked article said, TESO may not have had the right to copyright their exploit since it was a derived work - something only the copyright holder can legally do (depending on the license, etc.)

Regardless, this whole thing sounds really fishy to me. Personally, I'm tired of exploits being held back. It just allows admins to get lazier - maybe if they knew exploits would be released on Bugtraq all the time they'd get more vigilant!
--
Top Substitutions For 'Under God' In The Pledge Of Allegiance
[ Parent ]

Whoops - typo (none / 0) (#16)
by baptiste on Mon Aug 27, 2001 at 11:20:05 AM EST

TESO may not have had the right to copyright their exploit since it was a derived work

Sometimes my brain thinks faster than I can type. I meant to say IF it was a derived work. My bad... Apologies to TESO et al.
--
Top Substitutions For 'Under God' In The Pledge Of Allegiance
[ Parent ]

Typical (3.50 / 4) (#3)
by RangerBob on Fri Aug 24, 2001 at 06:33:11 PM EST

Yet again, people are more concerned about themselves than copyright laws. Since most other countries seem to be considering DMCA crud, I guess the only real way to escape the madness is to find another planet :)

Oops! (3.33 / 3) (#4)
by RangerBob on Fri Aug 24, 2001 at 06:34:13 PM EST

Should have said more concerned about themselves than the public good.

[ Parent ]
interesting article (1.50 / 2) (#5)
by yesterdays children on Fri Aug 24, 2001 at 06:38:55 PM EST

Is the exploit really important though? For your standard unchecked buffer, isn't it enough to just fix the overflow? Why is research needed on how to exploit?

An aside, how many bytes do you need to get a remote shell going on BSD, for instance?

For testing... (3.00 / 1) (#9)
by baptiste on Sat Aug 25, 2001 at 06:11:22 AM EST

Exploits are like hardware the US gov't limits exports on - dual use - can be used for good and bad :)

Many security teams worth their salt will test exploit fixes with the exploits themselves. Sure, there is a good chance a given patch fixed the problem, but maybe not on your platform, etc. Having an exploit available means you can test your system to see if it handles the patch and fixes the problem. Like it or not, security engineers need to be borderline hackers anyway - just monitoring the security lists isn't enough - then you're just playing catch-up. So on that note - exploits serve to educate security techs on how these things work so they may be able to do their own analysis on other problems.

I for one tend to feel that exploits should be released for vulnerabilities no more than a week or two after the vulnerability is announced. This situation just proves how withholding an exploit can blow up in your face. Here's why:

Vulnerability is announced and says 'no known exploit is in the wild'. OK - you add it to your to-do list - but it's medium priority since nobody should be able to get in... Then somehow the exploit originally developed to find the problem slips out into the wild and bang - you're owned. Sure you SHOULD have applied the patch right away - but any expert admin is already loaded down with so much stuff that needs to be done 'RIGHT NOW' it's hard to keep up. In an ideal world we'd all have enough time to apply every patch as soon as it comes out - but corporate IT budgeting just doesn't work that way and IT staff are always overloaded. When your manager comes screaming about exec XYZ not getting his Windows password reset and you say 'But I was patching all our servers to fix this potential problem that can't be exploited yet' you're in deep shit.

The only way to convince the suits that patching and security should get higher billing in the priority list is to have exploits readily available.

I'm not saying this is the only reason - I think it's important that other security gurus see the exploit to see if a light bulb goes off and says - hey, this could also be used to do x, y, z - and more problems get solved.
--
Top Substitutions For 'Under God' In The Pledge Of Allegiance
[ Parent ]

Actions are suspect... (3.33 / 3) (#7)
by Dirac Tesseract on Fri Aug 24, 2001 at 09:29:44 PM EST

What I would like to know is, why would a group like TESO be researching or storing exploits on systems that are on the Internet? I'm not talking about a small in-house network, obviously it would be difficult to figure out network exploits if you aren't on a private network or something... but why is it that this system was open to the world (which would be TESO's given scenario, by their claims of it being "stolen")?

See, if the exploit-research system _wasn't_ open to the world (for security purposes), then we know for certain that someone transferred it by a means other than on a network (like by floppy or other media transfer). This would thus mean that someone in-house (it would likely be an individual, as coordinated efforts are anything but) did in fact release the exploit to the script kiddies. Inversely, if this system was open to the Internet at large, then the situation is somewhat more insidious - It baffles my mind that a research group would leave an obvious point of failure like this in their security, which seems to mean that they either didn't care, or they wanted it to get out.

Comforting as it would be to think that the TESO researchers just did something incompetent, I honestly don't think so. These guys are supposed to be professionals, if not in security, then at least in security research. This shouldn't have happened, and IMHO someone or someones definitely did it on purpose.

Personally, given the nature of the exploit in question, I wouldn't be too surprised to find that they did this as a means of LARTing Admins who leave their telnet servers open (or use telnet at all). Unfortunately, it is often not the job of the Admin to set policy, but rather to implement it.


Sendmail may be safely run set-user-id to root. -- Eric Allman, "Sendmail Installation Guide"
Very much so. (5.00 / 2) (#10)
by nevauene on Sat Aug 25, 2001 at 06:29:32 AM EST

Comforting as it would be to think that the TESO researchers just did something incompetent, I honestly don't think so.

I agree. I was being diplomatic in referring to it as incompetence. It seems pretty clear, considering TESO's silence about the actual 'theft' of the exploit while shouting loudly about copyright violation, that someone inside intentionally released the exploit to the script-kiddie hordes.


There is no K5 Cabal.
[ Parent ]
one step solution (3.25 / 4) (#12)
by kimodo on Sun Aug 26, 2001 at 02:00:37 AM EST

the telnet daemon should be outlawed, and an amendment to the constitution should be added banning the telnet daemon so our future generations will not have to be subject to its many flaws.

My thoughts (1.00 / 2) (#15)
by zedisdead on Mon Aug 27, 2001 at 08:01:07 AM EST

> Teso has not been very clear about what happened here, only stating that it was 'stolen' from their network.

I think that's very clear. If you don't believe it then you obviously have no experience of multi-user security on the hard edge (and no, disabling the 'very insecure' telnetd in favour of sshd is not a security scheme). There are a million and one ways systems can be compromised on the user level, mainly due to lapses in the users themselves.

> TESO released their advisory in an apparent panic

Careful deliberation would have been more appropriate. We didn't expect for one minute to get a slap in the face from everyone and his dog for it.

> BugTraq moderator Elias Levy agreed and apologized, deleting the exploit code.

Elias Levy regularly reads and blocks posts to the mailing list. To believe that he didn't read and understand the very top of the code is naive. The fact is he did it because we are a small organisation unlikely to be able to afford a lawsuit. His 'apology' to us was frankly insulting.

> But others spoke up to question whether any such claim of copyright could be considered valid given that it is, after all, an exploit, its own legality resting in a grey area.

The only law I can think of under which it is illegal is the DMCA, and it was developed outside the US. In any case the DMCA is ridiculous since it deems illegal software which can be used legitimately, such as exploits. Despite you being against the DMCA this is the attitude you appear to take. Note that many large security companies (some of which are based in the US) are actively developing exploits and using them for legitimate purposes, such as penetration testing. Somehow I doubt they would make it to bugtraq despite the fact that many exploits belonging to big security companies are being actively traded in the 'underground'.

Your claim that the exploit was 'all over' the underground at the time the advisory was released is incorrect. The fact that you found it easy to obtain doesn't say anything. Not that I want to get into a disclosure argument, and this is just my opinion, but the post to bugtraq put it into the hands of many more people who were likely to use it illegitimately. Whatever you may think about the relative merits of disclosing the exploit, you cannot possibly think that it's acceptable for our rights as individuals to be violated so openly. I'm sure securityfocus would be equally annoyed if their private exploit code was released without their consent, and I'm sure the legal threats would be much more vicious. Because it's an exploit you (and most everyone else) somehow think you have a divine right to it. The fact is knowing all BSD-derived telnetds are likely to be vulnerable is more than adequate information.

> few and far between, but it is highly unlikely, to say the least, that script-kiddies rooted Team TESO's systems and stole the sploit from their network remotely. Something else happened here, and TESO won't say

Again you obviously have no experience of security on the hard edge. Firstly it is completely plausible that some system along the way was rooted. Secondly, no system (internal or otherwise) has to be 'rooted' for the exploit to be stolen. The fact is we don't know, but you obviously seem to. And even if we did, you seem to think we have some duty to tell you exactly what's going on, as if we were some publicly funded organisation. BTW threaten is a strong word, and certainly not appropriate here.
