Latest Addition (12 total since 1988):
- 2/4/05: Minix FTP Vulnerability (credit: Ilja van Sprundel, confirmed by Al Woodhull)
Old List:
- 7/11/06 – Powerpoint "0day". (public information)
- 12/29/05 – WMF. (public information)
- 2/7/05 – Mailman directory traversal. (credit: ilja van Sprundel)
- 11/16/04 – Twikis search.pm. (credit: ilja van Sprundel)
- 12/04/03 – Rsync. (credit: David Goldsmith, Matasano)
- 11/20/03 – do_brk() overflow. (credit: David Goldsmith, Matasano)
- 3/18/03 – WebDAV. (publicly available information)
- 9/3/98 – SunOS ToolTalk. (credit: TQBF, who never got the beer…)
- 4/24/96 – rpc.statd. (double credit: TQBF – thanks again.)
- 11/2/88 – Sendmail (credit: David Goldsmith, Matasano)
- 11/2/88 – Fingerd (credit: David Goldsmith, Matasano)
Honorable Mention (which don’t quite make the list because the vulnerability information was not discovered due to an active exploit):
- RealServer ../../../ overflow
- Any of the Immunity VSC releases (Mac OS X Kernel Local, anyone?)
- Samba bug that HDM got hacked with… [this may get elevated, I am not sure]
- [Credits: Dave Aitel and Anton Chuvakin for the information]
Definitions (I have noticed that I am starting to mix my terms, so feel compelled to remind myself of these definitions. I better provide distinction, lest I get Richard Bejtlich on my tail.):
Undercover Vulnerability: A vulnerability that was generally unknown (e.g. not published on any lists, not discussed by "above ground" security folks) until it was actively exploited in the wild. The vulnerability was discovered through evidence of tampering or other means, not through the usual bugfinding ritual.
Undercover Exploit: The event and/or code used to compromise a resource running the vulnerable software in the wild.
CVE-1999-0977 is for an sadmind vulnerability that was first detected in the wild; the references demonstrate this:
http://www.security.nnov.ru/1999/december/sadmin.html
And on Tuesday Aug 8, 2006, advisory MS06-040 says “When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited” but also says that there had been no public disclosure. That makes it undercover in my book.
There are probably at least a dozen web application vulns that were exploited before disclosure, but only the vulnerability databases see that stuff buried in vendor forums, and since it’s only been a curiosity, so it hasn’t been tracked closely. I’ll notify you when I see them.
The MySpace Samy worm and other XSS worms probably count, but since that’s not in enterprise software, it might be a slightly different beast than what you’re talking about.
CVE-2006-2286 is for a PHP exploit that was discovered in the wild; see the extensive forum discussion at http://www.dokeos.com/forum/viewtopic.php?t=6848