I have been slacking a bit here with the recent rash of client-side vulnerabilities (and false alarms). Might be missing a couple. Don’t know why the bugfinders aren’t finding these things… (just let it go 
).
Latest Additions:
- 9/19/06 – Internet Explorer VML (public info)
- 9/3/06 – MS Word 0Day (Symantec)
- 8/16/06 – Ichitaro (Symantec)
- 12/9/99 – Solaris sadmind (credit: Steve Christey)
Old List:
- 7/11/06 – Powerpoint "0day". (public information)
- 12/29/05 – WMF. (public information)
- 2/7/05 – Mailman directory traversal. (credit: ilja van Sprundel)
- 2/4/05: Minix FTP Vulnerability (credit: Ilja van Sprundel, confirmed by Al Woodhull)
- 11/16/04 – Twikis search.pm. (credit: ilja van Sprundel)
- 12/04/03 – Rsync. (credit: David Goldsmith, Matasano)
- 11/20/03 – do_brk() overflow. (credit: David Goldsmith, Matasano)
- 3/18/03 – WebDAV. (publicly available information)
- 9/3/98 – SunOS ToolTalk. (credit: TQBF, who never got the beer…)
- 4/24/96 – rpc.statd. (double credit: TQBF – thanks again.)
- 11/2/88 – Sendmail (credit: David Goldsmith, Matasano)
- 11/2/88 – Fingerd (credit: David Goldsmith, Matasano)
Honorable Mention (which don’t quite make the list because the vulnerability information was not discovered due to an active exploit):
- RealServer ../../../ overflow
- Any of the Immunity VSC releases (Mac OS X Kernel Local, anyone?)
- Samba bug that HDM got hacked with… [this may get elevated, I am not sure]
- [Credits: Dave Aitel and Anton Chuvakin for the information]
Definitions (I have noticed that I am starting to mix my terms, so feel compelled to remind myself of these definitions. I better provide distinction, lest I get Richard Bejtlich on my tail.):
Undercover Vulnerability: A vulnerability that was generally unknown (e.g. not published on any lists, not discussed by "above ground" security folks) until it was actively exploited in the wild. The vulnerability was discovered through evidence of tampering or other means, not through the usual bugfinding ritual.
Undercover Exploit: The event and/or code used to compromise a resource running the vulnerable software in the wild.
*Note: the "credit" given is not to the person who discovered the exploit/vuln, but to the person who pointed me in the right direction. Thanks, all.
Undercover Vulnerability List – Request for Updates
There has been a bit of activity on one of my old undercover vulnerability list pages. Here is the current list but I am fairly sure it is outdated. Note that these are undercover vulnerabilities that were discovered (by the good guys) via an exploit i…