-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Johan A.van Zanten wrote:
| The PDF version of your advisory indicates that your upcoming (29 Mar |2004, according to those patent-happy people over at amazon.com) book |includes scripts that can be used to test for the vulnerability. Are you |going to provide any scripts or code fragments so that people can test |their systems? As things stand, it looks a lot like you're trying to |generate book sales by releasing a content-light advisory 6 days before |your book comes out.
Technically the book is already out (you can walk over to Wiley's office in Hoboken and buy it, probably). I recommend people buy it at B&N or their local college bookstore since I totally agree that method and software patents do many evil things and companies who insist on purchasing such things should be shunned. It's known to be difficult to purchase a copy of CANVAS if you are, say, someone who blackmailed everyone who had a .gif on their website.
(snipped, a lot of good configuration of dtlogin information)
I don't think the access stuff works - but it might. It's literally been almost two years since I found this vulnerability, and I did not do as thorough a testing job as I could have. I did release a SPIKE script that can be used to test for this vulnerability, though. It's in the Wiley pack-of-exploits that was released with the book.
http://www.wiley.com/legacy/compbooks/koziol/
You'll see Sinan Eren's kernel local for Solaris there, and CANVAS's old Win32 shellcode, as well as a bunch of other interesting information about Oracle, DB2, etc.
Dave Aitel Senior Vice President, Public Relations Immunity, Inc. P.S. I know it's a huge astounding surprise when a company releases an advisory just for monetary gain and not for the betterment of mankind, but I assure you that the 4 cents I make per book were not a factor. For those of you contemplating writing a book for huge financial gain, let me key you in on a simple fact of publishing: the publisher keeps the money. Unless your name is "Stephen King" or your book is entitled "Harry Potter and the New Shaving Kit by JK Rowling" you won't make more than 10K on a book, which you probably worked 400 hours on. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFAYZF2zOrqAtg8JS8RAkLFAKCL950JLBFr88itsC3++ZDOn2+BXwCdFAKM TiAWoYiyTuZ8IZFy06Ck2dQ= =KLAT -----END PGP SIGNATURE-----
