
$16,000 Bounty for Sendmail, Apache Zero-Day Flaws

Zonk posted more than 6 years ago | from the step-right-up-rilly-big-shew dept.

Security 173

Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says it's doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"


173 comments

IIS and Exchange (1, Funny)

Anonymous Coward | more than 6 years ago | (#19182919)

Easy money....easy money.

Re:IIS and Exchange (3, Funny)

ISwearNotmyPorn (1072206) | more than 6 years ago | (#19182981)

If you want to talk easy money think Sendmail.

Re:IIS and Exchange (1)

grub (11606) | more than 6 years ago | (#19183069)


The article says Sendmail has had only 4 remote holes since 2003... Why not lead by example and dig up a fresh one?

Re:IIS and Exchange (1)

ISwearNotmyPorn (1072206) | more than 6 years ago | (#19183583)

I'm surprised the article states the '2003' date because it seems I'm always reading up on a new sendmail exploit in Linux Journal. This is one that apparently got much attention. http://www.internetnews.com/security/article.php/3593546 [internetnews.com] I don't doubt the article necessarily but I find it odd that exploits like the one I'm linking to are not considered critical enough to be included in the 2003 assessment.

Re:IIS and Exchange (1, Insightful)

Anonymous Coward | more than 6 years ago | (#19184291)

I would imagine because it isn't a remote exploit to execute arbitrary code?

Re:IIS and Exchange (2, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#19183221)

Ummmm, try BIND.

BTW -- TFA says that IIS 6 hasn't had a single public remotely-exploitable hole. That means essentially nothing to me, because most serious 'hackers' aren't using public exploits.

Re:IIS and Exchange (3, Insightful)

icepick72 (834363) | more than 6 years ago | (#19183999)

Yes because we all know the public exploits just sitting out there are totally ignored by hackers in favour of the um non-public ones. Ummmm .... so ..... IIS must therefore be insecure because surely we can't say anything good about it here. I mean it's a piece of shit because we can hypothesize unstated scenarios about it.
I think it does mean a lot to many people when a piece of software has never had a publicly exploitable hole.

Re:IIS and Exchange (1, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#19184621)

By 'serious hackers' I mean the ones who are truly dangerous because they know what they're doing, unlike 31337 skR1p7 k1dd13z and your run-of-the-mill botnet creator looking for nothing more than a big spam relay. Those who actually know what they're doing won't use publicly-announced holes because that would allow them to be caught more easily.

Put the fanboi attitude away and think about it logically and you'll know what I'm talking about. This applies to all applications and operating systems, not just IIS or Microsoft's products.

Re:Exchange (1, Funny)

DrLov3 (1025033) | more than 6 years ago | (#19183149)

Pfff.... Ms. Exchange ....

No need to find a flaw, Ms exchange will crash on its own. :P

$16,000 (5, Insightful)

Anonymous Coward | more than 6 years ago | (#19182967)

arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies. Clearly, the so called experts aren't aware of the multitudes of enterprising folks living outside the inflated Western wage spectrum. For someone a little more eastbound, that's a nice chunk of change.

Re:$16,000 (4, Insightful)

Mr. Underbridge (666784) | more than 6 years ago | (#19183089)

arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies. Clearly, the so called experts aren't aware of the multitudes of enterprising folks living outside the inflated Western wage spectrum. For someone a little more eastbound, that's a nice chunk of change.

Not only that, but I'm assuming that claiming the prize and the advertising that goes with it - advertising your skills, that is - is the more valuable part. I'm imagining that the type of person who could claim the prize is interested in doing this sort of thing anyway. The prize would be a nice cash reward and a fantastic thing to put on a resume.

Re:$16,000 (2, Funny)

networkBoy (774728) | more than 6 years ago | (#19185457)

Well I have one exploit for each platform.
It is remote, and it is foolproof.
I want the money.
-nB

The exploit is to take the admin's family hostage, demanding whatever code you want to be run in exchange for the family's safety.
Since you are using a phone to control the admin it is a remote exploit.
Have a nice day.

Bidding war. (2, Interesting)

khasim (1285) | more than 6 years ago | (#19183225)

Suppose you know an exploit in IIS or Exchange.

Do you sell it to those guys for $16K ... or do you see what Microsoft will pay you NOT to sell it to them?

Re:Bidding war. (4, Insightful)

MarkGriz (520778) | more than 6 years ago | (#19183767)

"Do you sell it to those guys for $16K ... or do you see what Microsoft will pay you NOT to sell it to them?"

Neither. You auction it off to the highest bidding spamgang. Or so I've heard.

Re:$16,000 (4, Informative)

Anonymous Coward | more than 6 years ago | (#19183371)

Indeed, $16K is exactly 2.5 times the annual salary I used to make when I worked as a software engineer in Egypt.

Re:$16,000 (0)

operagost (62405) | more than 6 years ago | (#19183389)

For someone a little more eastbound, that's a nice chunk of change.
Bullcrap. I live in Pennsylvania and that's still chump change!

Re:$16,000 (0)

Anonymous Coward | more than 6 years ago | (#19183719)

you'd just give the $16K to your church. Loser.

Re:$16,000 (2, Informative)

XenoPhage (242134) | more than 6 years ago | (#19183763)

Bullcrap. I live in Pennsylvania and that's still chump change!

Must be nice.. I live in Pa and I'd love to have an extra $16k ...

Re:$16,000 (1)

DaveWick79 (939388) | more than 6 years ago | (#19183721)

Apparently some new accounting guy fresh out of college found a $16K budget surplus, and another new IT guy fresh out of college came up with a use for it.

Re:$16,000 (1)

demachina (71715) | more than 6 years ago | (#19184303)

$16K IS chump change compared to what you could make exploiting a flaw in this critical infrastructure or selling it to people who would. Of course maybe you would prefer the $16K over the much higher return and a potential criminal record.

hMMM (2, Funny)

multipartmixed (163409) | more than 6 years ago | (#19182969)

Does it count if we "find" a "hole" in the current CVS snapshot?

From the FA (1)

crush (19364) | more than 6 years ago | (#19183031)

'RC' (Release candidate), 'Beta', 'Technology Preview' and similar versions of the listed technologies are not included in this challenge

So, it would be reasonable to assume that any development branch stuff including current CVS snapshot would be inadmissible.

Re:From the FA (1)

xenocide2 (231786) | more than 6 years ago | (#19183185)

But it's a good question: how much do you trust the CVS authors? 16 thousand might be chump change, but how bout a couple million?

No, but... (3, Interesting)

TheSHAD0W (258774) | more than 6 years ago | (#19182985)

It's a great reward if you've stumbled across a hole. Also, you may be able to collect multiple bounties from different organizations for the same hole. I think the bounty system has plenty of merit.

Not to mention ability to convert O2 to CO2... (5, Funny)

Kadin2048 (468275) | more than 6 years ago | (#19183115)

Also, you may be able to collect multiple bounties from different organizations for the same hole.

True ... but I bet breaking an NDA with the Russian mob could adversely affect your ability to work in the computer-security field in the future.

Re:Not to mention ability to convert O2 to CO2... (2, Funny)

peragrin (659227) | more than 6 years ago | (#19183555)

>>True ... but I bet breaking an NDA with the Russian mob could adversely affect your ability to work in the computer-security field in the future.

I didn't sign an NDA when I started working for the..... Oh hi Vladimir, what are you doing he.....

Re:No, but... (5, Funny)

Darlantan (130471) | more than 6 years ago | (#19183787)

Also, you may be able to collect multiple bounties from different organizations for the same hole.

Yeah, but pimpin' ain't easy.

Meanwhile, the Russian Mafia offers you... (1)

monkeyboythom (796957) | more than 6 years ago | (#19182993)

Triple that amount of cash. Or more. Or your life. Or, the well being of those you love.

You get the point.

Re:Meanwhile, the Russian Mafia offers you... (0)

Anonymous Coward | more than 6 years ago | (#19185549)

Is that how you hack systems? By putting space characters where they don't belong?

IIS 6 (5, Funny)

Anonymous Coward | more than 6 years ago | (#19183005)


IIS 6 hasn't had a public remotely exploitable bug in it. Ever.

How can that be? IIS is crap! Slashdot tells me so!

Re:IIS 6 (5, Funny)

eln (21727) | more than 6 years ago | (#19183053)

No one has ever found a hole in it because no one has ever managed to keep it up and running for long enough to find one without it crashing first.

Re:IIS 6 (2, Interesting)

wwmedia (950346) | more than 6 years ago | (#19183131)

Now now, no need to get nasty about IIS6 just because it's a Microsoft product!

IIS6 is very good and new IIS7 is even better, also to note on all the 11 Suse dedicated servers I run I switched from Apache 2 to a lighter, less resource hogging alternative

Btw IIS6 has less unpatched vulnerabilities [secunia.com] than apache [secunia.com]

so there

Re:IIS 6 (1)

grub (11606) | more than 6 years ago | (#19183187)

What did you switch to?

Re:IIS 6 (3, Interesting)

TheRaven64 (641858) | more than 6 years ago | (#19184135)

I'd like to second the grandparent's plug of Lighttpd. It's very light-weight and easy to configure. Apache has some features it doesn't, but those are all modules that I don't use, which just add to the amount of code that's running on my system and could be responsible for an exploit. Lighttpd seems to have been built with security in mind; it drops privileges and chroots itself at system start. If you want scripting language support, it talks to fastcgi servers, and those can run in their own chroots if you want even more paranoia.

Re:IIS 6 (5, Interesting)

Bishop (4500) | more than 6 years ago | (#19184471)

Lighttpd may seem to have been built with security in mind, but it hasn't. Superficially Lighttpd does all the right security things, but search for "lighttpd memory leak." Secure software does not leak memory.

Re:IIS 6 (2, Insightful)

krenshala (178676) | more than 6 years ago | (#19185939)

But if you don't run the modules you don't use Apache doesn't use the resources those modules would require.

Re:IIS 6 (0)

Anonymous Coward | more than 6 years ago | (#19183205)

Maybe less "publicly known" unpatched vulnerabilities

Re:IIS 6 (0)

Anonymous Coward | more than 6 years ago | (#19184043)

The problem isn't with IIS 6, it's with the only foundation that IIS 6 runs on.

Re:IIS 6 (3, Informative)

Viraptor (898832) | more than 6 years ago | (#19183171)

> IIS 6 hasn't had a public remotely exploitable bug in it. Ever.

"Microsoft Internet Information Services ASP Code Buffer Overflow"
http://secunia.com/advisories/21006/ [secunia.com]

Software:
- Microsoft Internet Information Services (IIS) 5.x
- Microsoft Internet Information Services (IIS) 6

Impact:
- System access
- Security Bypass

Where:
- From remote

"hasn't had a public remotely exploitable bug"? Ever? Yes, of course - ever ;)

Re:IIS 6 (4, Informative)

EraserMouseMan (847479) | more than 6 years ago | (#19183307)

From your link, "Successful exploitation allows bypassing any security restrictions enforced by ASP or execution of API's with no ASP equivalent, but requires permissions to upload ASP code to a web folder."

This is not a remotely exploitable bug. Nice try though.

Re:IIS 6 (1)

guruevi (827432) | more than 6 years ago | (#19184087)

Oh really, you don't think there are hundreds of apps out there that allow you to upload any type of file out there?

It's remotely exploitable, if the programmer is dumb enough. Then again, so is Apache + PHP.

Most server-related exploits are not through visible and administrated or configured services but rather through side-services like RPC in combination with ineptness of programmers and admins. That's what makes the Microsoft platform so darn insecure, there's by default hundreds of services running that nobody knows about or everybody forgets and that have open ports to the outside world. It's also 'too simple' for any CIO to set a server up so there are hundreds of servers that are clicked rather than built together.

Yes, they're trying to catch up and yes, you should have a firewall, but the power in services/servers on *nux is (for most distro's) the defaults it comes with and the simplicity yet strength and visibility of the configuration and security (who doesn't like to see ALL settings in a single flatfile with the possibility of extra comments instead of through hundreds of windows with unexplained commands and options or with a single command see all rules applied to the firewall).

Re:IIS 6 (1)

Doctor Memory (6336) | more than 6 years ago | (#19184335)

It's remotely exploitable, if the programmer is dumb enough. Then again, so is Apache + PHP.
Doesn't PHP stand for Pretty Hopeless Privacy? I remember it used to be pretty trivial to do SQL injection attacks against a pretty wide spectrum of PHP sites back in the dot-bomb days. Hopefully it's gotten better as security has gotten more press, but even if it's gotten twice as good as it was, that's still pretty bad...

Re:IIS 6 (2, Insightful)

Viraptor (898832) | more than 6 years ago | (#19184483)

SQL injection doesn't have anything to do with PHP. You can create a query ("DELETE FROM "+user_supplied_var) and run it in any language - PHP, ASP, ASP.NET, perl, etc. If you want to shoot yourself in the leg, no one will stop you.
PHP was just easy and very popular. Usually inexperienced developers create security problems, not the language itself.
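
Added example, not part of the original thread: the concatenated `DELETE FROM` pattern quoted in the comment above, next to an allow-listed and parameterized form, using Python's `sqlite3`. The schema, table names and function names are hypothetical and the rows are constructed for the illustration.

```python
import sqlite3

# Constructed schema and rows; table and column names are hypothetical.
SCHEMA = """
CREATE TABLE drafts   (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO drafts (owner, body) VALUES ('alice','a1'), ('alice','a2'), ('bob','b1');
INSERT INTO accounts (name) VALUES ('alice'), ('bob');
"""


def make_db():
    """Fresh in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def row_counts(db):
    # Fixed statements: nothing from a request is spliced into these.
    drafts = db.execute("SELECT COUNT(*) FROM drafts").fetchone()[0]
    accounts = db.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]
    return {"drafts": drafts, "accounts": accounts}


def purge_concatenated(db, table_from_request):
    # The pattern from the comment: request data becomes part of the SQL
    # text, so the caller decides which table is emptied.
    db.execute("DELETE FROM " + table_from_request)


# Identifiers cannot be bound as "?" parameters, so the request value only
# selects one of the statements written in advance; values are still bound.
PURGE_STATEMENTS = {"drafts": "DELETE FROM drafts WHERE owner = ?"}


def purge_allowlisted(db, table_from_request, owner):
    sql = PURGE_STATEMENTS.get(table_from_request)
    if sql is None:
        raise ValueError("table is not purgeable: %r" % (table_from_request,))
    # rowcount is the number of rows the DELETE removed.
    return db.execute(sql, (owner,)).rowcount


def demo():
    results = {}

    # Concatenated form: a request naming another table empties that table.
    db = make_db()
    purge_concatenated(db, "accounts")
    results["concatenated"] = row_counts(db)

    # Allow-listed form: only the caller's own drafts are removed.
    db = make_db()
    results["deleted_for_alice"] = purge_allowlisted(db, "drafts", "alice")
    # A bound value containing quote characters is compared as plain data.
    results["deleted_for_quoted_owner"] = purge_allowlisted(
        db, "drafts", "bob' OR '1'='1"
    )
    try:
        purge_allowlisted(db, "accounts", "alice")
        results["accounts_refused"] = False
    except ValueError:
        results["accounts_refused"] = True
    results["allowlisted"] = row_counts(db)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```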

Re:IIS 6 (1)

toadlife (301863) | more than 6 years ago | (#19184907)

Most server-related exploits are not through visible and administrated or configured services but rather through side-services like RPC in combination with ineptness of programmers and admins. That's what makes the Microsoft platform so darn insecure, there's by default hundreds of services running that nobody knows about or everybody forgets and that have open ports to the outside world. It's also 'too simple' for any CIO to set a server up so there are hundreds of servers that are clicked rather than built together.
Yes. Damn Microsoft for making their server products so easy to use.

Yes, they're trying to catch up and yes, you should have a firewall, but the power in services/servers on *nux is (for most distro's) the defaults it comes with and the simplicity yet strength and visibility of the configuration and security (who doesn't like to see ALL settings in a single flatfile with the possibility of extra comments instead of through hundreds of windows with unexplained commands and options or with a single command see all rules applied to the firewall).
I'm not sure what your complaint is. If you want to administer Win2k/IIS6 from the cli you can, as Win2k3 comes with all the necessary cli tools. IIS6's config file happens to be an xml file too, so you can configure IIS6 with nothing but your favorite text editor - and unlike Apache, you don't even have to restart the IIS after editing its configuration.

Re:IIS 6 (1)

Ash-Fox (726320) | more than 6 years ago | (#19185363)

IIS6's config file happens to be an xml file too, so you can configure IIS6 with nothing but your favorite text editor
Although admittedly, XML files can be annoying to deal with by hand.

and unlike Apache, you don't even have to restart the IIS after editing its configuration.
I cannot remember a time I couldn't do /etc/init.d/apache reload (or whatever the init.d file for your apache install is called).

Re:IIS 6 (1)

Viraptor (898832) | more than 6 years ago | (#19184257)

Oh - I'm sure that in the darkness of the interwebs there is some forgotten script that includes a file whose name consists of one of the GET attributes + ".asp". Yes - some web developers are that clueless. If I understand the description correctly, the exploit depends only on the name of the included script.
I suppose that's why it's marked "remote" by Secunia.

Anyone got IIS6 to try?
Ahh... I forgot, it's slashdot :)

Re:IIS 6 (1)

jimicus (737525) | more than 6 years ago | (#19184975)

I suspect you'll find that most web exploits today rely more on the application than the web server. There's only a handful of web servers in common use today and the core developers all understand the potential security issues that surround them. I'd argue that this is not the case for web applications and frameworks.

Re:IIS 6 (-1, Troll)

gbjbaanb (229885) | more than 6 years ago | (#19183823)

lol, but wasn't BIND in the top ten of all-time exploitable apps ever, and Sendmail is a byword for dodgy applications, and Apache is so-named because of all the patches that it had applied to it.

Of course, that was then, are they really as bad now as they are reputed to be?

Re:IIS 6 (0)

Anonymous Coward | more than 6 years ago | (#19184861)

Apache is so-named because of all the patches that it had applied to it.
Clearly, you have no fucking clue what "patch" means in this context (NCSA/Apache). Moron.

Look at me, I'm a hacker (5, Funny)

Anonymous Coward | more than 6 years ago | (#19183023)

$16000 is not worth the time to make the internet safer. Now stop bothering me while I spend my time trying to figure out how to save $15 by cracking DVDs. After that, I'm off to steal some music.

Re:Look at me, I'm a hacker (0)

Anonymous Coward | more than 6 years ago | (#19183983)

>I spend my time trying to figure out how to save $15 by cracking DVDs.

That's $15(x), where "x" is the number of DVDs I would be willing to buy given that I could only acquire DVDs by $15(x).
But once x is no longer bound by $15(x), then to me x > $16,000. Thus concludes our little lesson in microeconomics.

Re:Look at me, I'm a hacker (3, Insightful)

int14 (559258) | more than 6 years ago | (#19184723)

Breaking DVD encryption is important for fair use IMHO, and I doubt the guys who have worked on this are completely motivated by saving money buying DVDs.

Entrapment? (4, Insightful)

Anarchysoft (1100393) | more than 6 years ago | (#19183035)

Considering that creating exploits and/or publishing them is considered a criminal offense in some jurisdictions, I wonder how many submissions they'll get. Especially when a good unknown exploit could be worth far more than 16,000.

Ha! (1)

Joebert (946227) | more than 6 years ago | (#19183075)

$16,000 ?
That's it ?

That type of exploit is worth at least a brand new BMW.

Re:Ha! (0)

Anonymous Coward | more than 6 years ago | (#19183345)

or owning slashdot several times, changing low uid passwords
to owned, and otherwise making commander taco cry.

Re:Ha! (0)

Anonymous Coward | more than 6 years ago | (#19185093)

$16,000 ? That's it ? That type of exploit is worth at least a brand new BMW.

I'd rather have the cash. BMW is not what it used to be. I swear the only thing "special" about those cars now is the badge.

Free money (5, Interesting)

ThanatosMinor (1046978) | more than 6 years ago | (#19183201)

I wonder if the current rise in prizes being offered for discovering vulnerabilities in code might lead to some sneaky behavior.

1. Leave subtle flaw in your code
2. Share information with distant acquaintance
3. Profit!

Already in real life. (2, Informative)

Actually, I do RTFA (1058596) | more than 6 years ago | (#19183375)

Somewhere, I believe in one of Scott Adams's (the Dilbert creator) books he has a (purportedly) true story about a company where the testers were paid $100 per bug they found. According to him, the program was scrapped after a week, but not before quite a few expensive gifts went from testers to programmers.

It seemed like an urban legend à la the Woz getting $100 for each chip he got off a board, but I've heard that that one is actually true, so maybe both are??

Yes, it's the fallacy of assuming the whole set has parts comparable to one element. Yes I know this. Please mod the logic Funny and the first paragraph Informative.

Thank You

Re:Already in real life. (2, Interesting)

Bishop (4500) | more than 6 years ago | (#19184781)

I can't speak to Scott Adams's story, but I do know of a large shop that thought a bug bounty like that was a good idea. A rising star in management with little technical knowledge but lots of new ideas thought that a bug bounty would be a good motivator for QA. Fortunately for the company the idea was squashed by a number of experienced software engineers before it was implemented.

Along a similar vein one of the companies I worked for had an idea for spurring innovation and lateral thinking. The program was designed to find small improvements and cost savings on the production floor. The company offered a reward based on a percentage of the cost savings as well as a small gift. To give an idea of the expected cost savings the gifts ranged from golf shirts to pen sets with the company logo. Nothing fancy. This program worked well until an employee found a way to save 15 million dollars. The employee did receive the award but it was the last award paid. While it is nice of the company to offer incentives for new ideas, as this employee was an engineer it could easily be argued that it was his job to find 15 million dollars savings.

Re:Free money (3, Insightful)

Nos. (179609) | more than 6 years ago | (#19183397)

From Anton Chuvakin's Blog [blogspot.com] :
...most scary cyber-criminal of the future is not a spammer, a scammer, a phisher or a pharmer, and not even a good ole "cracker" - it is an unethical software engineer, who changes the code slightly to introduce a weakness (or a full-blown backdoor or a logic bomb) and later uses or sells this knowledge

Re:Free money (0)

Anonymous Coward | more than 6 years ago | (#19183407)

You forgot a step, there's no way your plan will ever succeed without "???"

Obligatory (0)

Anonymous Coward | more than 6 years ago | (#19183213)

1. Find 12 Exploits
2. Submit 6 Exploits
3. ????
4. PROFIT!

Multiple choice for #3 today, class...

A) Collect $16,000
B) Create botnet using other 6 exploits and rent to spammers - Collect $???,000
C) Wait for next contest, submit remaining exploits - Collect $newprize, repeat
D) All of the above

Internet infrastructure technologies? (1)

rrohbeck (944847) | more than 6 years ago | (#19183281)

>the following Internet infrastructure technologies:
Since when are we using marketing speak here? Can we please call them programs or program systems?

maybe someone has already done the work (2, Insightful)

7-Vodka (195504) | more than 6 years ago | (#19183297)

...arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.

Maybe there are people out there who already have more than one exploit for these and wouldn't mind trading one in for a legal source of quick cash. Who knows? 16k buys a very nice chunk of electronics for people who don't need the money for anything else.


Bragging All the Way to the Poor House (3, Insightful)

queenb**ch (446380) | more than 6 years ago | (#19183503)

Here are the terms of the challenge -

* The vulnerability must be remotely exploitable and must allow arbitrary code execution in a typical installation of one of the technologies listed above

Ok, so you pick some of the oldest and most robust technologies around - things that have had a LOT of the bugs worked out of them already and things that you're not that likely to have to pay out on.

* The vulnerability must exist in the latest version of the affected technology with all available patches and/or upgrades applied
* 'RC' (Release candidate), 'Beta', 'Technology Preview' and similar versions of the listed technologies are not included in this challenge

So you eliminate any upcoming versions, but you forget to exclude the previous versions....

* The vulnerability must be original and not previously disclosed to any party

So if I've already informed the software maker, it's out, further reducing the likelihood of any kind of a payment having to be made.

* The vulnerability cannot be caused by or require any additional third party software installed on the target system

Reasonable, but...and this is a big but....many things are quite secure on their own, but not so much so when you actually start using them. Prime example, Apache. Apache on its own is fine. Install one of the open source PHP web apps and then see how secure it is. How many people run Apache serving up hand coded HTML?

* The vulnerability must not require any social engineering

This is because we all know that there is no patch for human stupidity...though I've never seen it admitted quite so blatantly.

PHOOEY ON YOUR CHALLENGE

It would take me a lot of man hours to come up with something, more to code an exploit for it and by the time I'm done...I'd be better off financially if I had worked at Wal-Mart for those hours. $16,000 divided by 4 (people on my team) = $4000 each. Let's say we spend 5 weeks on this. That's 200 hours each. That works out to having a chance to get $20/hr. And frankly, I think that 200 hours each is pretty optimistic. We're talking about poring over their code base, becoming familiar with it, and looking for places that we can try to break it. That's in excess of 89,000 lines of code just for Apache and more than another 70,000 for Sendmail. Then we have to load it up, write some code to test the exploit, and run it to see if works. If it doesn't on the first try, it's rinse and repeat until we give up on that possible exploit and try a different one.

I'm guessing that this is more of a publicity stunt than anything else. Anyone in the industry should know better. This has to be something that the marketing poohbahs have dreamed up. Just more marketing hype so that they can say, "We're more secure than those other guys. We ran our challenge and we didn't get anything. These apps are safe to use."

2 cents,

Queen B.

Re:Bragging All the Way to the Poor House (0)

Anonymous Coward | more than 6 years ago | (#19184199)

This is because we all know that there is no patch for human stupidity...though I've never seen it admitted quite so blatantly.

No, this is because anyone with half a brain cell can understand the difference between a vulnerability in the software and a vulnerability in the system around the software.

Coworkers like you drive me nuts, when they spend all their limited capacity for thought on pointless nitpicking, and think they're geniuses because they can complain faster than smart people can do work.

Re:Bragging All the Way to the Poor House (0)

laffer1 (701823) | more than 6 years ago | (#19184287)

In the western world, you are right about how stupid it is. However, in, say, India where they work for practically nothing it would be some real money. They could buy a village or something.

Re:Bragging All the Way to the Poor House (0)

Anonymous Coward | more than 6 years ago | (#19184685)

And we have the definitive post on the topic. Thank you. Sums it all up. When are the marketeers going to realise that this sort of stunt doesn't convince anyone.

Re:Bragging All the Way to the Poor House (1)

jimicus (737525) | more than 6 years ago | (#19185021)

The vulnerability cannot be caused by or require any additional third party software installed on the target system

Exactly. Apache without any extra modules, just the core? There's not much to exploit, and that which there is has been worked over and over for years.

Tried Google? (3, Informative)

Anarchysoft (1100393) | more than 6 years ago | (#19183509)

"IIS 6 hasn't had a public remotely exploitable bug in it. Ever."
That's funny. A quick search [google.com] seems to reveal many!

Re:Tried Google? (4, Funny)

Anonymous Coward | more than 6 years ago | (#19183963)

Just to narrow it down, I redid your search with quotes and found 67. But the first one's a blast. It goes to the "w4ck1ng" forum where the thread goes...

"Hello found this exploit: http://www.derkeiler.com/Mailing-Lis...5-04/0436.html [derkeiler.com] I have compiled it. And when i run it under linux, it gives me this error! [cut for brevity] ./iis.exe: 3: Syntax error: word unexpected (expecting ")") Anyone ?"

...and the response goes:

"you can not use exe files under unix y0u have to compile it with GCC..."

I *think* IIS is safe from *this* guy...

Re:Tried Google? (2, Informative)

Otter (3800) | more than 6 years ago | (#19184603)

Warning up front: DO NOT RUN THE CODE IN THE BELOW LINK, YOU HALFWITS!!!

Ok, now a clarification: the code [derkeiler.com] I think you meant to link to is not an exploit for IIS, it deletes the 1337 h4x0r's files. The exchange is a good way to run out the clock on a Friday, at least through:

You are wrong again, it's "Smashing the Stick" you moron. Not smashing the stack. Ask anyone here!

Re:Tried Google? (1)

Zamolx3 (604656) | more than 6 years ago | (#19185063)

You don't know what you are talking about. There is no serious remote vulnerability for IIS6. Those results are just crappy lame "flaws" written by crappy lame "hackers" looking for fame.

Re:Tried Google? (1)

Anarchysoft (1100393) | more than 6 years ago | (#19185181)

I'm not going to claim to be any kind of expert on the subject, but I did bother to look at some of those exploits that turned up and I think you should double check your claim. For example, here's one posted by Microsoft [microsoft.com] . Are you claiming all of the exploits don't work and if so, why? Do you think IIS 6 is invulnerable?

Re:Tried Google? (2, Insightful)

ad0gg (594412) | more than 6 years ago | (#19185135)

I like how the second result listed is actually a trojan program that runs rm -rf /. There aren't any remote exploits for IIS6 which is a 4 year old product.

Re:Tried Google? (1)

Anarchysoft (1100393) | more than 6 years ago | (#19185237)

There aren't any remote exploits for IIS6 which is a 4 year old product.
Do you mean like these? [secunia.com]

Re:Tried Google? (1)

ad0gg (594412) | more than 6 years ago | (#19185433)

I don't consider a DOS an exploit. Like the article, we're talking about being able to access the system. As it still stands per the article definition, there are no remote exploits for IIS6.0. Can the same be said about apache?

Re:Tried Google? (1)

Anarchysoft (1100393) | more than 6 years ago | (#19185475)

I don't consider a DOS an exploit. Like the article, we're talking about being able to access the system. As it still stands per the article definition, there are no remote exploits for IIS6.0.
Does this [secunia.com] look like a DoS to you?

Can the same be said about apache?
This is not about httpd versus IIS 6. The statement was that there were no remote exploits for IIS 6 and it appears that there is evidence to the contrary.

Heh (1)

Stormx2 (1003260) | more than 6 years ago | (#19183585)

The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: ... Microsoft Internet Information (IIS) Server and Microsoft Exchange Server
How do they expect to find $16,000 a day? Bank robberies?

Is it just me (0)

Anonymous Coward | more than 6 years ago | (#19183807)

Is it just me or is anybody else tired of hearing the phrase "zero-day" on a daily basis?

Re:Is it just me (0)

Anonymous Coward | more than 6 years ago | (#19185771)

I was tired of it on day zero.

$16k? Peanuts... (1)

pp (4753) | more than 6 years ago | (#19183919)

The criminal underground (Russian mafia etc.) supposedly pay $50k-$100k for zero-days, if you're after the money might as well sell your exploit to them.

If you're after fame, you report it through the proper channels (CERT or the vendor directly). You get credited in the bugfix, but gain no money at all.

Selling to one of these guys just goes into the pockets of these zero-day vendors, who then get more customers paying them $$$ to be a few days ahead of everyone else (but they'll get the patches at the same time as anyone else anyway, their IDS's just get signatures for these new exploits)

Is that legal? (2, Interesting)

HalAtWork (926717) | more than 6 years ago | (#19183965)

Could I just offer up a $16,000 bounty as well? 'Cause there's plenty of money to be made with 0day flaws.

Anyone can discover them, so it's plausible that two people can know the same flaw. So one party gets the flaw and gives the $16,000, then communicates the exploit to a third party who hacks in and gets trade secrets (or teh g0ld) and sells those, or whatever.

Chump change (0, Redundant)

Plutonite (999141) | more than 6 years ago | (#19184019)

$16000 is nothing. If you run a botnet you can have $10000 rolling in per week, alternatively if you have undisclosed vulnerabilities and the right contacts, you won't bother with the silly bot-masters who will get you discovered even though they will gladly pay anything from 50 - 150 grand for a remote hole. More likely, you would save up the good holes for high-paying, one shot mob deals against banks, and maybe government intelligence (they have a big budget for that in Soviet Russia and China). 16000 dollars? No, sorry, IIS is perfectly secure!!

PS: I am not some shady person who wears black hats. Hacking is too dangerous for a nice guy like me, even though almost anything can be done with time and dedication... even the functions that check string lengths to prevent overflows can be hacked :D

FYI (5, Funny)

Slashcrap (869349) | more than 6 years ago | (#19184411)

I guess some people reading this may be more used to Windows and therefore not entirely familiar with the functionality of the Unix packages that were mentioned. Allow me to summarise :

OpenSSH - A service you can install on a Unix system to enable remote admin access for known users.

Sendmail - A service you can install on a Unix system to enable remote admin access for complete strangers.

Hope this helps.....

Oh Great (0, Flamebait)

Evets (629327) | more than 6 years ago | (#19185619)

"IIS 6 hasn't had a public remotely exploitable bug in it. Ever."

LMAO.

Did Microsoft hire Baghdad Bob [welovethei...nister.com] as their PR guy?
