Updated Undercover Exploit List
Update: We have a new one, but it isn't the new Apple QuickTime vulnerability, it is the Xunlei Thunder PPlayer ActiveX control vulnerability that was discovered in the wild on 11/23/07.
In a previous post listing undercover exploits, Richard Bejtlich suggests in a comment that I should keep this list as a separate page and keep it updated. I am open to suggestions on an easy way to do this with TypePad (TypeLists, maybe?). Else, I'll just periodically update as new vulns become available.
Incidentally, I am not aware of any since this April, so please provide me with details if you know of any that aren't included. Note that this list is limited to exploits against packaged software and not websites or SaaS environments. (I am considering ways to address these in the future.)
19 20 total since 1988. No new additions since the last posting.
- 11/23/07 - Xunlei Thunder PPlayer ActiveX control (credit: Symantec)
- 4/5/07 - DNS RPC Vuln (confirmed by Bill O'Malley who also discovered it)
- 11/3/06 - XMLHTTP 4.0 ActiveX Control
- 9/23/06 - cPanel (credit: Dave via Adam, Ilja)
- 9/19/06 - Internet Explorer VML (public info)
- 9/3/06 - MS Word 0Day (Symantec)
- 8/16/06 - Ichitaro (Symantec)
- 7/11/06 - Powerpoint 0day. (public information)
- 12/29/05 - WMF. (public information)
- 2/7/05 - Mailman directory traversal. (credit: ilja van Sprundel)
- 2/4/05: Minix FTP Vulnerability (credit: Ilja van Sprundel, confirmed by Al Woodhull)
- 11/16/04 - Twikis search.pm. (credit: ilja van Sprundel)
- 12/04/03 - Rsync. (credit: David Goldsmith, Matasano)
- 11/20/03 - do_brk() overflow. (credit: David Goldsmith, Matasano)
- 3/18/03 - WebDAV. (publicly available information)
- 12/9/99 - Solaris sadmind (credit: Steve Christey)
- 9/3/98 - SunOS ToolTalk. (credit: TQBF, who never got the beer...)
- 4/24/96 - rpc.statd. (double credit: TQBF - thanks again.)
- 11/2/88 - Sendmail (credit: David Goldsmith, Matasano)
- 11/2/88 - Fingerd (credit: David Goldsmith, Matasano)
Honorable Mention (which don't quite make the list because the vulnerability information was not discovered due to an active exploit):
- RealServer ../../../ overflow
- Any of the Immunity VSC releases (Mac OS X Kernel Local, anyone?)
- Samba bug that HDM got hacked with... [this may get elevated, I am not sure]
- [Credits: Dave Aitel and Anton Chuvakin for the information]
Definitions:
Undercover Vulnerability: A vulnerability that was generally unknown (e.g. not published on any lists, not discussed by "above ground" security folks) until it was actively exploited in the wild. The vulnerability was discovered through evidence of tampering or other means, not through the usual bugfinding ritual.
Undercover Exploit: The event and/or code used to compromise a resource running the vulnerable software in the wild.
*Note: the "credit" given is not to the person who discovered the exploit/vuln, but to the person who pointed me in the right direction. Thanks, all.
"I am open to suggestions on an easy way to do this with TypePad (TypeLists, maybe?)."
no idea about typepad's capabilities, but if i were to do something similar to that (oh wait, i do) i'd use del.icio.us linkrolls... you'd miss out on the ability to do multiple links per bullet point though...
Posted by: kurt wismer | November 20, 2007 at 01:30 PM
What about some other 0days that were not discussed, like the Apache exploits, OpenSSH and CVS exploits from the early 2000's?
Posted by: sigsegv | January 09, 2008 at 08:48 AM
@sigsegv -
Thanks for the comment. If you have URLs you can send me with details, that would be great. In most cases, these turn out to be "zero days" (at least by today's definition) but not undercover exploits - that is, the vulnerability was found by identifying an exploit in the wild.
I would love to have as complete a list as possible. Thanks.
Pete
Posted by: Pete | January 09, 2008 at 10:48 AM