[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Steve Northcutt's Comments on VEN clusters




I've included some of Steve's comments on the various VEN clusters
below.  He did ask one question which I strategically left out since
it will be addressed in a later cluster and I'd prefer to keep these
initial clusters as non-controversial as possible, but other than
that, his responses are unedited.

- Steve


ACCEPT VEN-SGI candidates

ACCEPT VEN-others candidates

NOOP VEN-HP candidates

ACCEPT all VEN-BSD candidates except CAN-1999-0052:
  "Per 52 Do we want to treat each instantiation of common attacks
   separately for each OS?  Fragmentation and denial of service is 
   not a freebsd specific issue, over the years we have seen:
   
   "Pathological" fragmentation where the second packet move the pointer
   negative and then we scribble on our stack, this is the teardrop
   approach if I remember the exploit name correctly and uses UDP.
   
   We also have the classic memory wasting frag attack where they
   send the first part and never finish, then send a new first
   part and so on.
   
   I think frag attack was in the cisco set, if not it should be
   there is a nice attack for IOS
   
   Then you have the how_do_you_handles such as Dug Song's
   frag router to evade IDS systems and whatever the heck
   this loki like thing that is all the rage for the last
   90 days or so.
   
   Recommend: MODIFY 52 so that the text blurb at least hints
   why this is a unique case of mishandling frags OR create
   general frag vulnerabilities."


ACCEPT all VEN-SUN candidates except CAN-1999-0212:
  "MODIFY 212, I am concerned that Linux is becoming too
   non descript a word, in the past two weeks I have run
   across 3 Linuxes I had never heard of before.  I think we need
   to start being specific when we mention Linux either by
   the kernal or vendor or something."

ACCEPT all VEN-AIX candidates, with the following note:
  "Per 97, general issue of mishandling metachars is a lot
   like my comment about CGI-BINs (not just PHF) [Someone]
    recently did a content search for about 
   CGI-BIN and /etc/passwd and found about 10 cig programs
   that someone attempted to exploit...  However we resolve the
   CGI-BIN bit, we ought to consider applying the same logic to
   candidates like 97."

 
Page Last Updated: May 22, 2007