[VIM] Vendor dispute for Animated Smiley Generator RFI (CVE-2006-6541)
jericho at attrition.org
Thu Feb 22 00:47:06 EST 2007
: > Curious how this came to be. Did someone add a vulnerability to a copy
: > before sharing it and letting it circulate in the warez circles?
: I'm pretty sure this wasn't the first, nor the last, case of a
: vulnerability in a Trojaned warez product that wasn't in the legitimate
: product (assuming the vendor dispute is correct). Maybe some of our
: disputes are actually assuming legitimate distributions.
This came to mind and was part of the reason I asked. We know that a lot
of vulnerabilities are discovered by testing live sites. We know that
there is a lot of animosity and petty revenge in the world of hackers. We
also know that a lot of hackers don't always opt to pay for software. Add
it all up and I have to wonder if some of the warez versions are being
backdoored in this manner to help avoid any accusation that it was done on
purpose, and then later being discovered when one tries to hack another.
: I don't think CVE should be tracking malicious modifications from
: unofficial channels. Now, if a product is trojaned at its legitimate
: distribution point, that's of concern to consumers and gets a CVE. But
Right, I'd definitely track such occurrences if a legitimate distro is
backdoored in such a fashion.
: modified warez falls under the malware category, for me anyway. Would
: OSVDB be interested in cataloging vulnerabilities in malware? They're
: technically vulnerabilities from the malware's point of view, after all
If the software is being distributed, even via warez channels, and
installed and used on real servers with net access, it seems just as valid
as any other distribution with a vulnerability. I would also say that if
it is known to only affect a given distro, then it should certainly be
noted in the VDB entry.