|Main Archive Page > Month Archives > full-disclosure-uk archives|
Ok 'most' is probably bad wording on my part how does 'often enough' sound :).
"Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code" http://www.securityspace.com/smysecure/catid.html?id=57643
"Buffer overflow in efingerd 1.5 and earlier, and possibly up to 1.61, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a finger request from an IP address with a long hostname that is obtained via a reverse DNS lookup." http://cve.mitre.org/board/archives/2003-03/msg00013.html
"A BrightStor ARCserve Backup contains four vulnerabilities that can allow a remote attacker to cause a denial of service or possibly execute arbitrary code." http://packetstorm.linuxsecurity.com/0703-advisories/CAID-McAfee.txt
Note the use of 'possibly'. If it was possible then 'possibly' wouldn't be used.
I'm not going to debate the validity of the month of activex bugs because frankly I don't care, merely that a DOS can turn out to be more and that at times either the researcher hasn't spent enough time on it, can't get the POC working, or lacks the skill to fully understand the problem.
There have been multiple instances on the securityfocus lists throughout the years where a DOS suddenly became promoted to a remotely exploitable bug (i.e another person found it was actually exploitable). I'm not going to find them and post them here, but a little googling can yield results.
> >>Consider that most often a bug filed as DOS can actually be
> exploitable, but the person who discovered it can't get the POC working
> or is even aware it is. While command execution is the ideal goal it
> doesn't mean other types of issues are *completely* worthless. =20
> Most often? How do you know that?
> Larry Seltzer
> eWEEK.com Security Center Editor
> Contributing Editor, PC Magazine