I was going over old Gobbles advisories, and I found something very startling. In their 10th advisory released during November of last year, which can be found at

http://www.hackemate.com.ar/advisories/Gobbles/GOBBLES-10.txt

And also mirrored on many other sites (try a google search), they plainly state the following (my comments enclosed in brackets):

START QUOTE

It allow us to steal apache-scalp.c multi-platform remote Apache 1.3.x

exploit from DIANORA AKA EVIL ANGELICA'S MOM. Very nice! It is a

[same exploit name - apache 1.3.x. the attribution to dianora is obviously a sarcastic joke, as anyone who frequents efnet could surmise :-)]

very subtle and intricate bug, and the way you've forced that buffer

underflow condition allowing you to overwrite an activation record by

taking advantage of a poorly applied integer coercion, is just truly amazing,

[either gobbles has remarkable psychic powers or herein rests the proof that gobbles discovered this before ISS. 1. integer coercion... 2. underflow condition (*bsd memcpy copying backwards because of possible overlap) 3. activation record... sure each of these could be a guess, but the combined accuracy is too astonishing to dismiss...]

ma'am. Oh wait, that's hybrid-6 heheheheee! Anyway, security community must

be furious that you have this Apache remote exploit lingering around

hehehehe. Be sure to copyright it so the penetrators don't leech it hehehe.

GOBBLES LABS will be writing own Apache remote and will release press

announcement in a month or so about arranging for $100,000 USD

non-refundable payment for exploit. Hehehehe, don't worry, we just speaking through our asses heeheheheheeee hehe. . . hehe .. . he...

END QUOTE

Why didn't they disclose this? I thought of emailing them, but then as I read through all the rants in the advisories, only one single answer manifested... namely that they warned list moderators such as blue boar that any moderation of their advisories would result in the holding back of sensitive security information. I find this a rather foolish approach taken by Gobbles, since it's a silly blackmail of the security community, but then again, I must question why did Blue Boar moderate the majority of Gobbles advisories and even the Apache exploit itself? Quite frankly, I would rather be provided with security information at the cost of having to skip over the immature insults and scolding that has become the trademark of Gobbles...

I think now is the time to unravel all the other mysteries that are lurking in the Gobbles advisories (sshd pre-auth bugs, other (!) apache bugs, qmail bugs, etc.) and encourage them to provide insights that companies such as ISS clearly can not....

Wasn't the slogan for one of those security books something like "in order to catch a hacker, you have to think like one" ? I guess there's a lesson in recent events for all of us

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/493/13188#13188