lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200310302323.h9UNN1K389753@milan.maths.usyd.edu.au>
Date: Fri, 31 Oct 2003 10:23:01 +1100 (EST)
From: psz@...hs.usyd.edu.au (Paul Szabo)
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com, thor@...x.com,
   was@...romedia.com
Subject: RE: Internet Explorer and Opera local zone restriction bypass


Thor Larholm <thor@...x.com> wrote:

>> Storing in an unpredictable location might help.
>> Obfuscation does not: instead of setting a cookie
>> of BadThing, the attacker could set one that will
>> become BadThing. The need to reverse-engineer the
>> obfuscation, and details like possible character
>> sets, are a minor hindrance only.
>> Security by obscurity does not work.
> 
> If you had followed the debate in detail ...

I did: see

  http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#IExplore

> ... there is absolutely no reverse-engineering that will convince IE to
> render a BAE-64 encoded string as HTML.

Huh? Cannot the encoded string look like valid HTML? - Did you mean BASE64?
Are you sure Macromedia will choose that? Can you trust IE not to attempt
BASE64 decoding, if it notices that is how the content is encoded? After
all it is so user-friendly... - Macromedia should not use BASE64, but any
other (proprietary, unusual, just-for-this-purpose) encoding; maybe simply
prepend the stored content with a few non-text bytes.

> ... Loading a locally residing file in a window object brings nothing new
> into the world of IE exploits ...

So you agree that it is idiotic to trust local files? - In fact, IE does
not trust local files: it excludes the TIF. Does it simply suffer from the
"ban known bad" instead of "allow known good" syndrome? Should it exclude
the Macromedia locations also? Should it be made suspicious by default,
trusting a few "known good" locations like \winnt only?

> There is no obscurity being promised here, just an additional layer of
> security ...

An additional layer of obfuscated false sense of security.

> ... all we want is to avoid having Flash used as an automated transport
> mechanism of data from the Internet Zone to any local security zones.

"We"? You seem to be confused: you sold your soul to the Devil (aka MS),
not to Macromedia.

Only when IE fixes its cross-domain problems, and/or the problem of random
local files being in the trusted zone, will the issue be solved. It is very
kind of Macromedia to endeavour to work around the problem; attackers will
just choose a different mechanism.

Cheers,

Paul Szabo - psz@...hs.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ