The Oldest Vulnerability Contest
Posted by jericho
What is the oldest documented vulnerability? As far as OSVDB is aware, it’s a tie between UNIX-V6 su File Descriptor Exhaustion Local Privilege Escalation and Sendmail Unspecified Multiple Security Issues (yes, we’d love to know the details of the Sendmail issues back then!). These were documented on August 23, 1981, well over 24 years ago.
I’m sure there are vulnerabilities that were discovered and published before that. Does anyone have a copy of the old ”Unix Bug List”? Some old t-file or email with an ancient vulnerability? Perhaps a changelog for a product as venerable as Sendmail? We want it, and we’ll reward you for it…
I’m not exactly sure what the reward will be yet. Maybe a gift certificate from one of your favorite shops, maybe some OSVDB swag, maybe something a little more silly, who knows. The rules of this contest:
- The information must be somewhat specific. Sendmail can get away with ‘multiple issues’ and remain vague due to the extensive history behind the program. We need to know some detail about the vulnerability. “BSD 0.83beta had a vulnerability” will not cut it.
- The vulnerability must be documented somewhere. No stories or second hand accounts will work. Changelogs, advisories, email or anything else that can help authenticate it is required.
- It must be a solid vulnerability. Concerns, weaknesses and best practices won’t work.
- Lastly, it must pass the general ‘BS’ test. If our cynical minds detect shenanigans, it doesn’t count.
That’s it! So, beat our two entries from August 23, 1981 and grab a minute of fame on this blog, our appreciation, bragging rights, and whatever reward we come up with. Mail submissions to moderators@osvdb.org.
http://csrc.nist.gov/publications/history/karg74.pdf
Starting PDF page 26.
1977, maybe? =)
The RSX20F operating system on the DECSYSTEM-20 was vulnerable to a denial of service.
http://www.columbia.edu/kermit/dec20.html http://www.columbia.edu/kermit/pdp10.html http://216.109.125.130/search/cache?p=rsx20f&sm=Yahoo%21+Search&toggle=1&ei=UTF-8&b=31&u=ftp.surfnet.nl/networking/kermit/d/k20mit.txt&w=rsx20f&d=P6IouQ0DL22V&icp=1&.intl=us http://216.239.51.104/search?q=cache:kFE12BZyNKUJ:www.inwap.com/pdp10/usenet/ttys+rsx20f&hl=en
I can find several references to this:
Goheen, S.M., and Fiske, R.S., OS/360 Computer Security Penetration Exercise, Mitre Corp., Bedford Mass., October 1972.
But I can’t find a copy. Anyone have it?
And from 1971:
Anderson, J.P., AF/ACS Computer Security Controls Study, ESD-TR-71-395, November 1971, James P. Anderson and Co., Fort Washington, PA, HQ Electronic Systems Division: Hanscom AFB, MA.
These references are cited by Ivan and Elias from a couple of years back: http://www.coresecurity.com/files/files/51/TheWeakestLinkRevisited.pdf
And yet another that rolls up a lot of these references, and includes the 1974 paper i referenced earlier: http://cnscenter.future.co.kr/resource/rsc-center/vendor-wp/ibm/RC22534.pdf
Here’s a confirmed 1972: http://csrc.nist.gov/publications/history/ande72.pdf
I am still working through all the mails and comments, but some really good stuff. The Multics paper (karg74) seems to contain 9 vulnerabilities by our standards. I am working through ande72 next, while reviewing all the other stuff. Keep them coming! Can anyone beat 1972 with a documented vulnerability? Displace Ryan Russell as the current champion?
The moth bug attack of 1945. Don’t know if this counts but it’s still worthy of noting in my opinion.
http://www.jamesshuggins.com/h/tek1/firstcomputerbug.html
As an update, Adam Shostack gave me a pointer a while back to the “TENEX Password Bug”. After reading up on this, I can’t pinpoint an exact date.. the best I see is multiple references to “early 1970’s”, and a well known TENEX paper being written in 1972. So for now, i’m dating this as 1972-01-01 and assigning this OSVDB 23199. This is currently the winner for the contest, but i’m still going through all the info sent in!