There has been a bit of activity on one of my old undercover vulnerability list pages. Here is the current list but I am fairly sure it is outdated. Note that these are undercover vulnerabilities that were discovered (by the good guys) via an exploit in the wild.
Anyway, here is the current list:
20 total since 1988.
- 11/23/07 – Xunlei Thunder PPlayer ActiveX control (credit: Symantec*)
- 4/5/07 – DNS RPC Vuln (confirmed by Bill O'Malley who also discovered it)
- 11/3/06 – XMLHTTP 4.0 ActiveX Control
- 9/23/06 – cPanel (credit: Dave via Adam, Ilja)
- 9/19/06 – Internet Explorer VML (public info)
- 9/3/06 – MS Word 0Day (Symantec)
- 8/16/06 – Ichitaro (Symantec)
- 7/11/06 – PowerPoint 0day. (public information)
- 12/29/05 – WMF. (public information)
- 2/7/05 – Mailman directory traversal. (credit: Ilja van Sprundel)
- 2/4/05 – Minix FTP Vulnerability (credit: Ilja van Sprundel, confirmed by Al Woodhull)
- 11/16/04 – TWiki's search.pm. (credit: Ilja van Sprundel)
- 12/04/03 – Rsync. (credit: David Goldsmith, Matasano)
- 11/20/03 – do_brk() overflow. (credit: David Goldsmith, Matasano)
- 3/18/03 – WebDAV. (publicly available information)
- 12/9/99 – Solaris sadmind (credit: Steve Christey)
- 9/3/98 – SunOS ToolTalk. (credit: TQBF, who never got the beer…)
- 4/24/96 – rpc.statd. (double credit: TQBF – thanks again.)
- 11/2/88 – Sendmail (credit: David Goldsmith, Matasano)
- 11/2/88 – Fingerd (credit: David Goldsmith, Matasano)
Honorable Mention (which don't quite make the list because the vulnerability information was not discovered due to an active exploit):
- RealServer ../../../ overflow
- Any of the Immunity VSC releases (Mac OS X Kernel Local, anyone?)
- Samba bug that HDM got hacked with… [this may get elevated, I am not sure]
- [Credits: Dave Aitel and Anton Chuvakin for the information]
Definitions:
Undercover Vulnerability: A vulnerability that was generally unknown (e.g. not published on any lists, not discussed by "above ground" security folks) until it was actively exploited in the wild. The vulnerability was discovered through evidence of tampering or other means, not through the usual bugfinding ritual.
Undercover Exploit: The event and/or code used to compromise a resource running the vulnerable software in the wild.
*Note: the "credit" given is not to the person who discovered the exploit/vuln, but to the person who pointed me in the right direction.
Thanks, all.
“Undercover”? I’ve never heard that term before in relation to a vulnerability or exploit… Don’t you mean “0day”? If so, why are you trying to coin new terminology for things which already have well-established terminology for them?
Fun Fact: Once it’s discovered in the wild and disclosed to the public, such as to an ‘undercover list page’, it’s no longer 0day.
@Druid -
I think 0day would have been a great term except it got abused a few years back and so now people think of something other than what I mean. Many people consider “0day vulnerabilities” those vulnerabilities that don’t have a patch available when they are disclosed, regardless of how they are discovered. (There are plenty of so-called “0days” that have never actually been exploited.)
I think “0day vulnerability” is a misnomer because 0day implies an attack, not simply a vuln.
Anyway, undercover vulnerabilities are only those vulns that were identified due to exploits in the wild – a subset of the common 0day definition (though I would dispute the notion that it is well-established).
Undercover Exploits and Vulnerabilities – 10-27-08
Looks like we have a confirmed addition to the undercover exploit list (old list). That makes 21 total since 1988. 10/27/08 – MS08-067 RPC vulnerability (public info).