Updated Undercover Exploit List

Update: We have a new one. It isn’t the new Apple QuickTime vulnerability; it is the Xunlei Thunder PPlayer ActiveX control vulnerability, which was discovered in the wild on 11/23/07.

In a previous post listing undercover exploits, Richard Bejtlich suggested in a comment that I keep this list as a separate page and keep it updated. I am open to suggestions on an easy way to do this with TypePad (TypeLists, maybe?). Otherwise, I’ll just update it periodically as new vulnerabilities become available.

Incidentally, I am not aware of any since this April, so please provide me with details if you know of any that aren’t included. Note that this list is limited to exploits against packaged software, not websites or SaaS environments. (I am considering ways to address those in the future.)

20 total since 1988 (previously 19; the Xunlei Thunder entry from the update above is the only addition since the last posting).

  • 11/23/07 – Xunlei Thunder PPlayer ActiveX control (credit: Symantec)
  • 4/5/07 – DNS RPC vulnerability (confirmed by Bill O’Malley, who also discovered it)
  • 11/3/06 – XMLHTTP 4.0 ActiveX control
  • 9/23/06 – cPanel (credit: Dave via Adam, Ilja)
  • 9/19/06 – Internet Explorer VML (public information)
  • 9/3/06 – MS Word 0day (credit: Symantec)
  • 8/16/06 – Ichitaro (credit: Symantec)
  • 7/11/06 – PowerPoint 0day (public information)
  • 12/29/05 – WMF (public information)
  • 2/7/05 – Mailman directory traversal (credit: Ilja van Sprundel)
  • 2/4/05 – Minix FTP vulnerability (credit: Ilja van Sprundel, confirmed by Al Woodhull)
  • 11/16/04 – TWiki’s search.pm (credit: Ilja van Sprundel)
  • 12/04/03 – Rsync (credit: David Goldsmith, Matasano)
  • 11/20/03 – do_brk() overflow (credit: David Goldsmith, Matasano)
  • 3/18/03 – WebDAV (publicly available information)
  • 12/9/99 – Solaris sadmind (credit: Steve Christey)
  • 9/3/98 – SunOS ToolTalk (credit: TQBF, who never got the beer…)
  • 4/24/96 – rpc.statd (double credit: TQBF – thanks again)
  • 11/2/88 – Sendmail (credit: David Goldsmith, Matasano)
  • 11/2/88 – Fingerd (credit: David Goldsmith, Matasano)

Honorable Mention (which don’t quite make the list because the vulnerability information was not discovered due to an active exploit):

  • RealServer ../../../ overflow
  • Any of the Immunity VSC releases (Mac OS X Kernel Local, anyone?)
  • Samba bug that HDM got hacked with… [this may get elevated, I am not sure]
  • [Credits: Dave Aitel and Anton Chuvakin for the information]

Definitions:

Undercover Vulnerability: A vulnerability that was generally unknown (e.g. not published on any lists, not discussed by "above ground" security folks) until it was actively exploited in the wild. The vulnerability was discovered through evidence of tampering or other means, not through the usual bugfinding ritual.

Undercover Exploit: The event and/or code used to compromise a resource running the vulnerable software in the wild.

*Note: the "credit" given is not to the person who discovered the exploit/vuln, but to the person who pointed me in the right direction. Thanks, all.

4 comments for “Updated Undercover Exploit List”

  1. November 20, 2007 at 1:30 pm

    “I am open to suggestions on an easy way to do this with TypePad (TypeLists, maybe?).”

    no idea about typepad’s capabilities, but if i were to do something similar to that (oh wait, i do) i’d use del.icio.us linkrolls… you’d miss out on the ability to do multiple links per bullet point though…

  2. sigsegv
    January 9, 2008 at 8:48 am

    What about some other 0days that were not discussed, like the Apache exploits, OpenSSH and CVS exploits from the early 2000s?

  3. Pete
    January 9, 2008 at 10:48 am

    @sigsegv -

    Thanks for the comment. If you have URLs you can send me with details, that would be great. In most cases, these turn out to be “zero days” (at least by today’s definition) but not undercover exploits – that is, the vulnerability was found by identifying an exploit in the wild.

    I would love to have as complete a list as possible. Thanks.

    Pete

  4. August 20, 2008 at 9:22 pm

    Undercover Vulnerability List – Request for Updates

    There has been a bit of activity on one of my old undercover vulnerability list pages. Here is the current list but I am fairly sure it is outdated. Note that these are undercover vulnerabilities that were discovered (by the good guys) via an exploit i…
