Steve Northcutt's Comments on VEN clusters
I've included some of Steve's comments on the various VEN clusters below. He did ask one question which I strategically left out, since it will be addressed in a later cluster and I'd prefer to keep these initial clusters as non-controversial as possible, but other than that, his responses are unedited.

- Steve

ACCEPT VEN-SGI candidates

ACCEPT VEN-others candidates

NOOP VEN-HP candidates

ACCEPT all VEN-BSD candidates except CAN-1999-0052:

"Per 52: Do we want to treat each instantiation of common attacks separately for each OS? Fragmentation and denial of service are not a FreeBSD-specific issue. Over the years we have seen: "pathological" fragmentation, where the second packet moves the pointer negative and then we scribble on our stack; this is the teardrop approach, if I remember the exploit name correctly, and it uses UDP. We also have the classic memory-wasting frag attack, where they send the first part and never finish, then send a new first part, and so on. I think the frag attack was in the Cisco set; if not, it should be, since there is a nice attack for IOS. Then you have the how_do_you_handles, such as Dug Song's frag router to evade IDS systems, and whatever the heck this Loki-like thing is that has been all the rage for the last 90 days or so.

Recommend: MODIFY 52 so that the text blurb at least hints why this is a unique case of mishandling frags, OR create general frag vulnerabilities."

ACCEPT all VEN-SUN candidates except CAN-1999-0212:

"MODIFY 212: I am concerned that Linux is becoming too nondescript a word; in the past two weeks I have run across 3 Linuxes I had never heard of before. I think we need to start being specific when we mention Linux, either by the kernel or vendor or something."

ACCEPT all VEN-AIX candidates, with the following note:

"Per 97: the general issue of mishandling metachars is a lot like my comment about CGI-BINs (not just PHF). [Someone] recently did a content search for CGI-BIN and /etc/passwd and found about 10 CGI programs that someone attempted to exploit... However we resolve the CGI-BIN bit, we ought to consider applying the same logic to candidates like 97."