On Fri, 20 Sep 2002 19:35:43 +0200, Arnt Gulbrandsen wrote:
> If I want to exploit something, the banner gives me what I want anyway.
> "2002.328" is identification good enough for that. It's not good enough
> for a reliable bug report.

If you are trying to exploit something as in "I know it is UW imapd, so my client will behave in such-and-such way", know that when such things have been discovered in the past, UW imapd's banner has radically changed in order to make that not work.

If you are trying to exploit something as in "this identifies a vulnerable version", know that when such things have been discovered in the past, UW imapd has been changed to add honeypots specifically to catch such activity (and collect data for law enforcement) with no change in the banner.

If necessary, UW imapd's banner can become some meaningless string such as "ready". Or become identical to another server's banner. And there are other servers which look a lot like UW imapd.

Basically, it's not safe for any automated program to make assumptions based upon what appears in the banner, whether it's an ill-advised attempt to go beyond CAPABILITY to modify behavior, or an attempt to crack a system. ID, on the other hand, makes it safe.
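An added example, not part of the original message: a Python sketch of a client that ignores the greeting banner, takes its behaviour only from CAPABILITY, and keeps the RFC 2971 ID response for bug reports. The session lines and the names `parse_capability`, `parse_id` and `plan_session` are constructed for illustration.

```python
import re

# Constructed sample session lines (not captured from a real server).
SAMPLE = [
    '* OK ready',                      # banner: deliberately never inspected
    '* CAPABILITY IMAP4rev1 ID IDLE LITERAL+',
    'a1 OK CAPABILITY completed',
    '* ID ("name" "ExampleServer" "version" "1.0 \\"beta\\"" "support-url" NIL)',
    'a2 OK ID completed',
]

# One ID list element: a quoted string (with backslash escapes) or NIL.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(NIL)', re.I)

def parse_capability(lines):
    """Return the set of atoms from untagged CAPABILITY responses."""
    caps = set()
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == '*' and parts[1].upper() == 'CAPABILITY':
            caps.update(p.upper() for p in parts[2:])
    return caps

def parse_id(lines):
    """Return RFC 2971 ID pairs as a dict, {} for `* ID NIL`, None if absent."""
    for line in lines:
        m = re.match(r'\* ID (NIL|\((.*)\))\s*$', line, re.I)
        if not m:
            continue
        if m.group(2) is None:
            return {}
        toks = [None if nil else re.sub(r'\\(.)', r'\1', s)
                for s, nil in _TOKEN.findall(m.group(2))]
        # Field names must be strings and every field needs a value.
        if len(toks) % 2 or any(k is None for k in toks[0::2]):
            raise ValueError('malformed ID parameter list')
        return dict(zip(toks[0::2], toks[1::2]))
    return None

def plan_session(lines):
    """Behaviour comes from CAPABILITY; ID is kept only for bug reports."""
    caps = parse_capability(lines)
    ident = parse_id(lines) if 'ID' in caps else None
    return {'use_idle': 'IDLE' in caps,
            'use_literal_plus': 'LITERAL+' in caps,
            'bug_report_id': ident}
```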
