Date: Sun, 14 Jun 2009 14:38:35 -0400
From: T Biehn <tbiehn@...il.com>
To: RandallM <randallm@...mail.com>
Cc: funsec <funsec@...uxbox.org>, full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Iphone

Randal,
I'm going to assume you're thinking of the mayhem-prone ActiveX
object/embed tags... No, this is not how they work. It's fairly obvious
why it doesn't work that way.

They are standard e-mail attachments, the iPhone mail proggy (through
an unknown mechanism) recognizes it has a reader enabled for them, and
offers that as an option.

It's very doubtful, when you take into account the surround, that this
is an exploitable vector.

Think I'm taking a logical leap?

You are, for example, hopeful that some file type has a registered
viewer that allows you to change settings... Nothing on the iPhone
works this way, this would not be the case, the programmers would
basically have to be arsed to write insecure code (a backdoor) rather
than necessity & ignorance breeding insecure code.

You will have much more luck working against Safari and the PDF Viewer
and providing links and malicious attachments.

-Travis

On Sun, Jun 14, 2009 at 9:37 AM, RandallM<randallm@...mail.com> wrote:
> Curious, anyone on the list familiar with iPhone processes used for
> email hypertext and picture view through email? What processes are used
> and called? Is it the basic same as IE and windows? Are there any
> documents written (going to google in a bit).
> There are a lot of "fun" features of the iPhone called and used by
> apps that I was curious if could be reached through email not for
> havoc but fun. Of course that would also open a can of worms I
> suppose.
>
> It's an iPhone thing
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
