Friday, December 5, 2008

vuln report digestion

(note: this is NOT an article about responsible disclosure ;)

so i found some vulns in a commercial app a while back, and i've been working w/ the vendor to get them reported and fixed and all of that.

when i first tried to contact this reasonably large company my google search-fu was weak, and i couldn't find the proper email address to report the vuln. so i started digging through the "contact us" phone numbers and making calls. after 2 hours of phone trees, transfers and being on hold, i went back to google and found the proper email address.

this is a company which makes IT products for businesses, and their security reporting contact info is buried deep enough in their site that what i found on google was someone asking the same question i had and someone else answering it.

so what happens if you try to do responsible disclosure on something outside the norm? how about the modem CSRF vuln disclosed by nathan the other day? here we have a consumer grade product produced by a big ass corp, and an attack which exploits default settings via one of the less well known web application attack vectors.

if you hit the contact us page at motorola.com to try to report this issue, you're relegated to the "general info" team. are they going to take this issue seriously? are they going to route it to the right people to get a firmware update made (to fix the retarded defaults) and a notice pushed out to consumers?

this may be an application-level attack, and it may be against a non-traditional target, but the disclosure was pretty similar to dropping an 0day. anyone who read his blurb and has some tech skills could be out there owning gateways right now. and if you did it right you could potentially own a lot of them, which could lead to a lot of other attacks.

i'll go out on a limb and speculate that privately reporting this vuln to motorola would probably be more of a pain than what i went through doing my recent disclosure.

it'd be nice to see companies that produce tech products or services putting security contact info on their main "contact us" pages to help researchers who want to privately report vulns but don't want it to be an arduous journey...
