[VIM] It's the defacers, stupid

security curmudgeon jericho at attrition.org
Tue Jun 6 00:28:18 EDT 2006

: Sitting and staring at the 598th post with minimal details and obvious 
: inconsistencies, it suddenly became clear...  It's the defacers, stupid!  
: There are lots of cut-and-paste researchers out there, sure...  but it's 
: clear from the signatures and commentary of various mailing list 
: posters, that some of the more frequent posters are in the business of 
: defacing, which is entirely attack focused.  So there isn't a need or 
: desire to figure out the underlying product relationships, environmental 
: restrictions, etc.
: Am I slow?  Did everyone else know this and not bother to mention it? 
: Agree or disagree?

Two years ago, I would have been all over that theory =)

This should be easy to determine by watching the zone-h defacement 
archives for a few days or weeks. This assumes that they are defacing 
under one name and not switching for disclosing vulns.

I can say that historically, back when the attrition mirror was running, 
this was not the case. Most defacers used precanned scripts that allowed 
for remote code execution. It was rare to see any defacer post to the 
regular disclosure type lists.

Even now, I have doubts. Most of these crappy disclosures are cross-site 
scripting, and some SQL injection. I seriously doubt they are using XSS to 
do defacing. While SQL has the power to do that (even if it means dumping 
admin password, logging in and editing), most of these SQL injection 
discoveries scream ' paste testing, look for error, cry out SQL injection. 
I have serious doubts about many of them being able to craft the query 
needed to exploit it for that type of privilege escalation.
