bug-hurd

How do I disclose a vulnerability?


From: Sergey Bugaev
Subject: How do I disclose a vulnerability?
Date: Fri, 14 May 2021 14:46:36 +0300

As luck would have it, I have found a serious issue in a core
component of the Hurd. It is a denial of service, which can then be
turned into privilege escalation.

I have developed an exploit. Here it is in action:

sergey@sergey-hurd-box:~/hax$ id
uid=1000(sergey) gid=1000(sergey)
groups=1000(sergey),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),103(netdev)
sergey@sergey-hurd-box:~/hax$ ./hax
Got root auth port :)
root@sergey-hurd-box:~/hax# id
uid=0(root) gid=0(root) groups=0(root)
root@sergey-hurd-box:~/hax#

(To be clear, I'm not the first person to realize that, let's say,
_this way of doing things_ could be exploited. I just stumbled on a
piece of code, realized that it uses a problematic pattern, thought of
possible ramifications, and developed the specific exploit.)

As far as I can see from Git history, this vulnerability has been
present in the code base for more than 20 years. Is such a
vulnerability already known (and am I just late to the party)?

If it's not known, how do I responsibly disclose this, so that
nobody's system gets hacked? I guess I could send the vulnerability
description and the exploit source code in a private e-mail; is there
perhaps a dedicated GNU e-mail address for this purpose? How do we
ensure that a future commit fixing the vulnerability doesn't
immediately disclose what it was?

Or, should I just dump the whole thing out in the open on this mailing list?

Should we get a CVE ID assigned? Should we notify Debian?

Sergey

P.S. On a personal note, it has been *very* exciting to find the
issue and develop a successful exploit! But now I'm a bit lost as to
what to do next.

And sorry for throwing more stuff at you. This can certainly wait for
a few more days if it hasn't been discovered for 20 years.
