To publish a DoS vector or not to publish?

Well, this is an interesting first post for me ; hello everyone. I've lurked for a good long while ... never posting, always reading. I figure this is a good place to ask this question. ( and a good post throwing some insight into me and what I do. )

I found a stability issue a while back - while working with a Linux server (I've tried + verified this on RHEL & Debian). If I do this certain thing, I can totally seize up the server ; I'm not sure if it freezes it fully or what - but it becomes very unresponsive ... and stays that way for a good long time. (As in until I get it rebooted. This is with what most people would consider a reasonably powered machine ; quad core xeon, standalone server ; idk how many gb of ram it had - at least 8gb - with normal usage doing what it does between 5-10% tops. Not exactly a bad machine. )

So this issue - uses an actual application (not a script) - and it requires some configuration by an admin, config which may or may not be considered a poor config. The application it involves - is something where it may seem intuitive & good to set up this poor config option. Authentication is required ... but potentially, it can be done by a low-privilege user.

My conundrum -is- this issue stems from what may be considered by some as poor planning & user error - not something the vendor/publisher should worry about, but it's really a powderkeg any way you look at it. The exploitation method is a fairly trivial & low-skill way to start havoc for anyone running a linux machine ... that happens to be running this application.

My gut says - publish. But I'm really on the fence for some time as to - do I take this to people - knowing it's a config issue ... or is it not worth anyone's time?

 

You might want to try this on LinuxQuestions:

http://www.linuxquestions.org

Wilders deals mostly with client-side security. NGRhodes or Mrkvonic might be able to help you with this (better than I can anyway), but I don't think there are a lot of people here doing Linux server stuff.

Re the problem. There are a lot of ways to make a Linux machine unresponsive from an unprivileged account, if the admin allows it. Forkbombs are probably the best known, but there are many others. Most of these can be prevented with proper configurations, which a lot of distributions do not ship with - probably in part because what is "proper" varies a lot from server to server. (Thus configuration management, etc.)

IOW, if this is not actually a bug, it probably is not much of a powderkeg. If on the other hand it really does involve incorrect behavior by a system component, people need to know about it. I don't have enough information to know which is the case though, and might not have enough expertise either.

Yeah - I would suggest trying this question on LinuxQuestions, and/or the Debian user forums at

http://forums.debian.net

Hope that helps.

 

If the program is acting in a way it shouldn't then I'm sure most developers would want to know about it (whenever it has to do with stability or security). If the condition seems unlikely to happen or not severe they might give it a low priority.

If you think there is something to this then I don't think anything bad can come from notifying the correct parties. In worst case scenario they forget to thank you and say that its not a bug or something like that?

 

The actual technique - exploits some normal behavior - and it's not something I think an admin would intend to happen.

It does sound low-priority, but it could likely be handled + fixed ; something the program might be doing wrong ... is causing the issue. It shouldn't be happening as far as I can tell.

But, very insightful, thank you both.