How do I disclose a vulnerability?

From: Sergey Bugaev
Subject: How do I disclose a vulnerability?
Date: Fri, 14 May 2021 14:46:36 +0300

As luck would have it, I have found a serious issue in a core
component of the Hurd. It is a denial of service, which can then be
turned into privilege escalation.

I have developed an exploit. Here it is in action:

sergey@sergey-hurd-box:~/hax$ id
uid=1000(sergey) gid=1000(sergey)
sergey@sergey-hurd-box:~/hax$ ./hax
Got root auth port :)
root@sergey-hurd-box:~/hax# id
uid=0(root) gid=0(root) groups=0(root)

(To be clear, I'm not the first person to realize that, let's say,
_this way of doing things_ could be exploited. I just stumbled on a
piece of code, realized that it uses a problematic pattern, thought of
possible ramifications, and developed the specific exploit.)

As far as I can see from Git history, this vulnerability has been
present in the code base for more than 20 years. Is such a
vulnerability already known (and am I just late to the party)?

If it's not known, how do I responsibly disclose this, so that
nobody's system gets hacked? I guess I could send the vulnerability
description and the exploit source code in a private e-mail; is there
perhaps a dedicated GNU e-mail address for this purpose? How do we
ensure that a future commit fixing the vulnerability doesn't
immediately disclose what it was?

Or, should I just dump the whole thing out in the open on this mailing list?

Should we get a CVE ID assigned? Should we notify Debian?


P. S. On a personal note, it has been *very* exciting to find the
issue and develop a successful exploit! But now I'm a bit lost as to
what to do next.

And sorry for throwing more stuff at you. This can certainly wait for
a few more days if it hasn't been discovered for 20 years.
