What can someone do after discovering a "exploit"?

[Snayler]

Note: I already disclosed what I found, it can be found here: http://www.backtrack-linux.org/forum...l=1#post212902

Ok, what happened is that I discovered a exploit that enables me to get the default wireless password from any router (no matter which protection the router has, no matter which model it is) of a given brand of routers. So now I have a dilemma... Should I try to contact the enterprise that produces such routers, and try to warn them? Should I make my findings available to the whole world to see? Or should I just keep quiet about it? I'm just a student, I have no professional experience in the Security area, so I don't know if the enterprise would take me seriously.

I know that if I disclose what I've discovered, many people will use my findings with malicious intentions. Take for example the stkeys from Kevin Devine. Once it was discovered, and being that the major ISP in my country was distributing Thomson routers along with their services, it was a chaos. Every router they distributed was vulnerable. Thankfully Thomson fixed the problem (although IMHO they were lazy on the fix and the routers are still vulnerable, although it's not as easy as inputting the SSID on a small program and getting the wireless key), but the routers manufactured before the fix just kept like they were, vulnerable. I mean, I know people that haven't paid for their internet for more than a year, they just use their neighbors connection. That's the kind of things I would like to avoid.

On the other hand, if I keep quiet about it, inevitably someone will discover it and disclose it to the general public. Also, being that I intend to follow a career in the Security area, I think that a discovery like this would look good on my curriculum vitae.

What do you think?
Cheers!

[melissabubble]

Hey snayler, I would say, if you don't already have a web site or blog, start one. Then put your name behind the exploit. Create a open source tool for the community, go on forums like this and let people no of the vulnerability. One exploit is a start, but if you want to be taking serious, you going to have to keep at it.

[pentrite]

Hello. I understand your thinking. But think about that when every vulnerability is found (and unleashed) we are building our future faster in the right direction. And what we do about it is what really matters.
We now living the fire and bone ciber age. We all must work to evolute.

First I would do is think deeply. Dont hurry.

[snafu777]

Snayler,

Ok, what happened is that I discovered a exploit that enables me to get the default wireless password from any router

What do you mean by this? I can find the default wireless password for any router via a simple google search. I'm very curious as to this....


Cheers!

pentrite,

English.... Learn it. Your grammar sucks.

[Snayler]

Hey snayler, I would say, if you don't already have a web site or blog, start one. Then put your name behind the exploit. Create a open source tool for the community, go on forums like this and let people no of the vulnerability. One exploit is a start, but if you want to be taking serious, you going to have to keep at it.

I'm too lazy to create a blog... At best I would create a PoC tool and post it to googlecode. And I doubt I'll be able to find another exploit soon, I was kinda lucky for finding this one. I don't even know if I can call it "exploit" (hence the "" in the title).

What do you mean by this? I can find the default wireless password for any router via a simple google search. I'm very curious as to this...

Not if the password is never the same. Just to be clear, I'm talking about the WIRELESS (WEP/WPA/WPA2) password, not the router's administration page login! Take D-Link, for example. They generated their wireless passwords based on the MAC Address of the router (which is never the same, obviously). Thomson/Speedtouch used part of a hash derived from part of the serial number (again, which is never the same). This is done because the average consumer doesn't know how to setup a router, so it's easier to leave the default configuration and have the wireless key on a sticker in the router. For security reasons, the default wireless password can't ever be the same, else it wouldn't be secure. Unfortunately for D-Link and Thomson, their methods were discovered, but that's another matter.

[GeraldC]

I say post it, have others verify it and become a god. I would.

[Gitsnik]

The question of disclosure is definitely one for about 600 pages of ethics philosophers, everyone will have their own opinion on the topic. On the side of non-disclosure:

Recently I contacted the software division of a company that we are closely tied to with a vulnerability in a relatively critical component of their code, they thanked me for it, asked if I would like to be publicly acknowledged (no) and sent me some free stuff (my desk is now littered with fusballs, pens, mini rockets and general other toys).

Counter that with a smallish company I ran into doing SCADA for wineries, who have threatened to sue should I ever disclose the vulnerability that would let you browse to the default web page of the controller and click the empty all link without any confirmation (should you crawl the site automatically with a bot). Ahem.

So you have a couple of options available to you. In my case, I'm not a huge fan of messing with the public image of small companies, so I don't disclose. In the event I find something big* in a large piece of well known software I will probably be publishing that to full disclosure with little or no contact to the parent company. Or you can just up and publish the exploit to the exploit-db. You get your name out, it's a one off thing and someone else has to worry about the hosting details.

The question of ethics though, that's a tricky one

*The last "big" thing I found was a few years ago in the ipfw software on FreeBSD - a bug where if you ping'ed me, I could ignore your incoming ICMP rules and ping you back. How minor. - before I was a community individual I never knew that you could disclose this sort of thing to the company, so I just sat on the issue in my little closet of a room. In this event, FreeBSD has a well established history of publicly acknowledging and fixing bugs, so I would definitely submit any new bugs I find for fix.

[Snayler]

Recently I contacted the software division of a company that we are closely tied to with a vulnerability in a relatively critical component of their code, they thanked me for it, asked if I would like to be publicly acknowledged (no) and sent me some free stuff (my desk is now littered with fusballs, pens, mini rockets and general other toys).

Counter that with a smallish company I ran into doing SCADA for wineries, who have threatened to sue should I ever disclose the vulnerability that would let you browse to the default web page of the controller and click the empty all link without any confirmation (should you crawl the site automatically with a bot). Ahem.

So you have a couple of options available to you. In my case, I'm not a huge fan of messing with the public image of small companies, so I don't disclose. In the event I find something big* in a large piece of well known software I will probably be publishing that to full disclosure with little or no contact to the parent company. Or you can just up and publish the exploit to the exploit-db. You get your name out, it's a one off thing and someone else has to worry about the hosting details.

Thanks for your insight, Gitsnik!
For now I'm going to lay low, take some time to build a tool capable of exploiting the vulnerability. The intention is not to disclose it, but to train my skills in programming. And case I decide to contact the company, the tool will help me prove my findings.

Cheers!

[snafu777]

snayler,

Just to be clear, I'm talking about the WIRELESS (WEP/WPA/WPA2) password, not the router's administration page login!

Bro... If you found something like that, that is along the lines of a truly unique 'sploit that would be very useful in the wild and therefore it deserves a lot of attention in my book.

I say warn the developers and demand a response. If they fail to acknowledge it within a timely manner (72 hrs or less), then you make it known to them you will hold them accountable to the public if they do not.

Wireless has/is/always-been my niche'

I would be very interested in what you have found... How you're going to code it and etc....

Please hit me up bro.... will@configitnow.com

[TAPE]

I would say that considering you want to persue a career in the IT field, you want to make
a professional piece on it that will be looked at by the manufacturer of the given router.

You say you are too lazy to write it up on a blog, but you will at a certain stage have to
put a professional paper together on it when you decide to forward the information to the
manufacturer (as that IMO is the way to go)

Write up a (private) paper on how the vulnerability works.
Write a POC which shows how you could use it in the field.
Inform the manufacturer of the vulnerability.

Accept a grace period before allowing it to go public.
Contact once again if grace period passes without any contact.

Then make the decision on whether to publish to the world or not.

If its a large issue, then doing the right thing has to be the right way
to go dont you think, especially if you want to be taken seriously and actually have
it as a 'Piece de resistance' on the CV

In fact surely there should be guidelines on how to proceed in
such a case ?