[VIM] It's the defacers, stupid
jericho at attrition.org
Tue Jun 6 00:28:18 EDT 2006
: Sitting and staring at the 598'th post with minimal details and obvious
: inconsistencies, it suddenly became clear... It's the defacers, stupid!
: There are lots of cut-and-paste researchers out there, sure... but it's
: clear from the signatures and commentary of various mailing list
: posters, that some of the more frequent posters are in the business of
: defacing, which is entirely attack focused. So there isn't a need or
: desire to figure out the underlying product relationships, environmental
: restrictions, etc.
: Am I slow? Did everyone else know this and not bother to mention it?
: Agree or disagree?
Two years ago, I would have been all over that theory =)
This should be easy to determine by watching the zone-h defacement
archives for a few days or weeks. This assumes that they are defacing
under one name and not switching for disclosing vulns.
I can say that historically, back when the attrition mirror was running,
this was not the case. Most defacers used precanned scripts that allowed
for remote code execution. It was rare to see any defacer post to the
regular disclosure type lists.
Even now, I have doubts. Most of these crappy disclosures are cross-site
scripting, and some SQL injection. I seriously doubt they are using XSS to
do defacing. While SQL has the power to do that (even if it means dumping
admin password, logging in and editing), most of these SQL injection
discovering scream ' paste testing, look for error, cry out SQL injection.
I have serious doubts about many of them being able to craft the query
needed to exploit it for that type of privilege escalation.
More information about the VIM