lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20041221201458.GA17337@kesey.ews.uiuc.edu>
Date: Tue, 21 Dec 2004 14:14:59 -0600
From: "Raymond M. Reskusich" <reskusic@...c.edu>
To: bugtraq@...urityfocus.com
Subject: Re: DJB's students release 44 *nix software vulnerability advisories

On Mon, Dec 20, 2004 at 05:14:22PM -0600, Jonathan T Rockway wrote:
> Two points.
> 
> Regarding local versus remote, look at it this way:  You have a 100%
> secure system.  Then you install NASM.  Now a user FROM THE NETWORK can
> send you some tainted assembly code for you to assemble and he can
> compromise your account.  That is why it is considered remote.  Local
> would mean that I, the attacker, need an account on the target machine to
> compromise the target account.  In this nasm case, I do not need an
> account.  That is why the wording "remote" was chosen.

What you really have is a local exploit that you can sometimes trick a
person into executing for you.  Not the same thing as a remote
exploit.  You as a remote user have no way of compomising the system
without first penetrating the system in some other way.  Just because
there is a social engineering method to achieve this penetration does
not make this a remote exploit.

I might add that if a person is assembling an untrusted piece of
assembly code, there is a decent chance that he is planning on
executing it.

> 
> Now in regards to full disclosure, I think you should all be happy that we
> bothered to tell you all about these exploits.  We could have selfishly
> used them to compromise machines, but instead we wrote them up and mailed
> them off to the users and the authors!  That is very nice of us.

Yeah, you know, if the choice is between criminal activity and this
kind of announcement, you did ok, but I think we all assume that people
in the security community want to actually protect users from security
problems.  Assuming that this is your goal, I think you can do better.

-- 
Raymond M. Reskusich
System Programmer/Administrator
CITES/Engineering Workstation Group
University of Illinois at Urbana-Champaign
reskusic@...c.edu
pgp key id: D9D38030


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ