lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 31 Aug 2010 19:43:15 -0400
From: Valdis.Kletnieks@...edu
To: Christian Sciberras <uuf6429@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, cmorris@...odu.edu,
	paul.szabo@...ney.edu.au
Subject: Re: DLL hijacking with Autorun on a USB drive

On Wed, 01 Sep 2010 00:59:06 +0200, Christian Sciberras said:
> > (and yes, "interpreted data" like shell scripts and Java .class files and Flash
> > are the sort of neither-fish-nor-fowl that give security models headaches, so
> > don't bother flaming about that. ;)
> OK. Also add exploits in non-executable data as well (such as a certain gif...).
> 
> What was your point again?

Are you seriously suggesting that just because errors in implementation happen
(such as malformed gifs leading to bugger overflows, etc), that it's OK to have
a totally broken security model that doesn't even *try* to get it right?

"Since you *might* be able to find a hole using user-supplied data, we'll just
assumed that you *did* find one, and we'll make it easy for you and just allow
you to provide your exploit code as totally untrusted files from an untrusted source".

Hmm.. where have I heard that before? Oh yes...

Mr Prosser (who was arguing with a spokesman for the bulldozer drivers about
whether or not Arthur Dent constituted a mental health hazard, and how much
they should get paid if he did) looked around. He was surprised and slightly
alarmed to find that Arthur had company.

"Yes? Hello?" he called. "Has Mr Dent come to his senses yet?"

"Can we for the moment," called Ford, "assume that he hasn't?"

"Well?" sighed Mr Prosser.

"And can we also assume," said Ford, "that he's going to be staying here all day?"

"So?"

"So all your men are going to be standing around all day doing nothing?"

"Could be, could be ..."

"Well, if you're resigned to doing that anyway, you don't actually need
him to lie here all the time do you?"

"What?"

"You don't," said Ford patiently, "actually need him here."

Mr Prosser thought about this.

"Well no, not as such...", he said, "not exactly need..." Prosser was
worried. He thought that one of them wasn't making a lot of sense.

Ford said, "So if you would just like to take it as read that he's
actually here, then he and I could slip off down to the pub for half an
hour. How does that sound?"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ