Date: Tue, 21 Dec 2004 23:58:39 -0500
From: Valdis.Kletnieks@...edu
To: "David F. Skoll" <dfs@...ringpenguin.com>
Cc: Jonathan T Rockway <jrockw2@....edu>, bugtraq@...urityfocus.com
Subject: Re: DJB's students release 44 *nix software vulnerability advisories

On Tue, 21 Dec 2004 14:59:15 EST, "David F. Skoll" said:
> Could you have?  How, pray tell, would you compromise a machine with
> the NASM exploit?  Even if you have a local account, the NASM exploit
> lets you run arbitrary code as... yourself.  Big deal.

Do you audit every line of code you receive from the network?  Even for a
package the size of Apache or the X11 distribution?  And you miss the point -
if *I* can hand you a trojaned program that will run arbitrary code as
"yourself" *when I don't have a userid on your system*, I have a toehold on
your system.

Remember that "I get you to run arbitrary code as yourself" is the *primary*
way that spyware and zombie software get onto people's systems. So it's not
an academic moot point.

Having said that, running 'more' on the foo.S file will almost certainly show
up the exploit as an oddly formatted line.  What is *much* more likely to
actually work is.. Hmm.. thinking for a moment..

Yeah.. ship software with "optional MMX for speed" support, and have the package's
Makefile invoke gcc.  gcc will invoke the C preprocessor on the assembler source,
allowing for all sorts of #ifdef and #define magic to make the code look like
one thing but do another.

Probably take a *lot* longer for people to twig onto what was going on than the
Trojan that showed up in the Sendmail distrib and a number of other things a while
back - the ./configure script would compile-and-run a backdoor-shell program.

All the same, getting *any* program to execute arbitrary code other than what
the programmer intended is a *vulnerability*.  The fact that some social engineering
is required to actually *exploit* the hole doesn't change the fact that there's
still a hole.

If I dig a deep hole, with lots of pointy poisoned sticks at the bottom, and
cleverly concealed with netting, there's *still* a hole there even if I fail
to convince you to take a stroll with me down this trail, and oh would you
mind going first, there's a narrow spot here.....
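The preprocessor trick described above (gcc runs cpp on capital-.S assembler sources, so #define lines can make the listing read one way and assemble another) suggests a cheap audit step. The scanner below is an added example, not code from the message or from any of the projects it mentions: it walks a source file, joins backslash-continued macro bodies, and flags any #define whose name shadows an instruction mnemonic or whose body introduces a control transfer or system call. The mnemonic watch-list, the file-suffix check and both sample inputs are constructed for illustration; a reviewer would follow a hit by running gcc -E on that file and reading the expansion instead of the raw listing.

```python
"""Audit helper for assembler sources that gcc passes through cpp.

Added example (not part of the original message). The watch-list and the
two sample inputs are constructed; they are not taken from any real
package.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Tokens a reviewer would not expect to see redefined in honest MMX code.
# Constructed watch-list; extend it for the architectures you build.
MNEMONIC_LIKE = {
    "mov", "movl", "movq", "push", "pushl", "pop", "popl", "call", "ret",
    "jmp", "int", "syscall", "sysenter", "add", "addl", "sub", "subl",
    "xor", "xorl", "lea", "leal", "emms", "movd", "paddw", "pxor",
}
# Tokens in a macro body that transfer control or enter the kernel.
CONTROL_TRANSFER = {"call", "jmp", "int", "syscall", "sysenter", "ret"}

DEFINE_RE = re.compile(r"^\s*#\s*define\s+(\w+)(\([^)]*\))?\s*(.*)$")


@dataclass
class Finding:
    line_no: int
    macro: str
    reason: str


def needs_preprocessor(path: str) -> bool:
    """gcc hands .S and .sx (but not lower-case .s) files to cpp first."""
    return path.endswith((".S", ".sx"))


def _logical_lines(text: str):
    """Yield (start_line_no, text) with backslash continuations joined.

    A multi-line macro body is the natural place to hide an extra
    instruction, so the scanner must see the whole body at once.
    """
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), start=1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf.append(raw[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def scan_preprocessed_asm(text: str) -> list[Finding]:
    """Report #define lines that rename or smuggle instruction-like tokens."""
    findings: list[Finding] = []
    for line_no, line in _logical_lines(text):
        m = DEFINE_RE.match(line)
        if not m:
            continue
        name, body = m.group(1), m.group(3)
        if name.lower() in MNEMONIC_LIKE:
            findings.append(Finding(line_no, name,
                                    "macro name shadows an instruction mnemonic"))
            continue
        body_tokens = {t.lower() for t in re.findall(r"[A-Za-z_]\w*", body)}
        risky = body_tokens & CONTROL_TRANSFER
        if risky:
            findings.append(Finding(line_no, name,
                                    "macro body contains " + ", ".join(sorted(risky))))
    return findings


# Constructed sample: an honest MMX helper with no preprocessor directives.
SAMPLE_HONEST = """\
# plain MMX helper, constructed sample
    .text
    .globl mmx_add
mmx_add:
    movq (%rdi), %mm0
    paddw (%rsi), %mm0
    emms
    ret
"""

# Constructed sample: the listing still reads like MMX code, but cpp
# rewrites 'emms' and expands the alignment macro into something else.
SAMPLE_TROJANED = """\
/* constructed sample: looks like MMX code, cpp sees otherwise */
#define emms  call   hidden_setup
#define ALIGN_HINT(x) .p2align x; \\
        int $0x80
    .text
mmx_add:
    ALIGN_HINT(4)
    movq (%rdi), %mm0
    emms
    ret
"""

if __name__ == "__main__":
    for label, src in (("honest", SAMPLE_HONEST), ("trojaned", SAMPLE_TROJANED)):
        print(label, [(f.line_no, f.macro, f.reason) for f in scan_preprocessed_asm(src)])
```

The check is deliberately narrow: it only looks at files the compiler will preprocess, and only at macro definitions, because those are the lines 'more' renders faithfully while the assembler sees something different. It says nothing about what an honest configure script does at build time; the compile-and-run backdoor the message recalls needs a separate review of the build scripts themselves.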

