[CentOS] bounties for exploits against CentOS?

Tue Jan 17 16:11:34 UTC 2012
Les Mikesell <lesmikesell at gmail.com>

On Tue, Jan 17, 2012 at 9:04 AM, Bennett Haselton <bennett at peacefire.org> wrote:
>
> But there seems to be some consensus, at least, that exploits do get
> found which allow apache to run arbitrary code (even under its
> unprivileged account),

Web servers are particularly prone to this because webapps are
typically designed to map user input to some action in a fairly
flexible way (i.e.by mapping the URL to a program and its inputs) and
people can easily manipulate the URLs they send.  That leaves a lot of
levels where buffer overflows or mis-parsing can  let unintended code
execute.

> and exploits do get found that elevate an
> unprivileged user to root privileges.

And it is best to assume that there are more that haven't been found...

> So you could offer, for example,
> a bounty for anyone who finds a way to elevate the privilege of an
> unprivileged account.  That's a lot less powerful than a complete
> exploit that can be used against any server on the Internet, but it's
> the kind of thing an attacker might use as part of a larger exploit.  So
> would you feel safer using CentOS/Red Hat if Red Hat, for example,
> offered a prize to anyone who could find a privilege-escalation exploit
> like that?  Knowing that it would reduce the chance of a black hat
> finding the exploit and using it as part of an attack?

You'll never know when the last bug is found.  And if you don't know
that, what have you gained by painting a target on your head?

-- 
   Les Mikesell
     lesmikesell at gmail.com