[VIM] Vendor dispute for Animated Smiley Generator RFI (CVE-2006-6541)

security curmudgeon jericho at attrition.org
Thu Feb 22 00:47:06 EST 2007


: > Curious how this came to be. Did someone add a vulnerability to a copy
: > before sharing it and letting it circulate in the warez circles?
: 
: I'm pretty sure this wasn't the first, nor the last, case of a 
: vulnerability in a Trojaned warez product that wasn't in the legitimate 
: product (assuming the vendor dispute is correct).  Maybe some of our 
: disputes are actually assuming legitimate distributions.

This came to mind and was part of the reason I asked. We know that a lot 
of vulnerabilities are discovered by testing live sites. We know that 
there is a lot of animosity and petty revenge in the world of hackers. We 
also know that a lot of hackers don't always opt to pay for software. Add 
it all up and I have to wonder if some of the warez versions are being 
backdoored in this manner to help avoid any accusation that it was done on 
purpose, and then later being discovered when one tries to hack another.

: I don't think CVE should be tracking malicious modifications from 
: unofficial channels.  Now, if a product is trojaned at its legitimate 
: distribution point, that's of concern to consumers and gets a CVE.  But 

Right, I'd definitely track such occurrences if a legitimate distro is 
backdoored in such a fashion.

: modified warez falls under the malware category, for me anyway.  Would 
: OSVDB be interested in cataloging vulnerabilities in malware?  They're 
: technically vulnerabilities from the malware's point of view, after all 
: ;-)

If the software is being distributed, even via warez channels, and 
installed and used on real servers with net access, it seems just as valid 
as any other distribution with a vulnerability. I would also say that if 
it is known to only affect a given distro, then it should certainly be 
noted in the VDB entry.
