Message-ID: <200412220458.iBM4wdBL009361@turing-police.cc.vt.edu>
Date: Tue, 21 Dec 2004 23:58:39 -0500
From: Valdis.Kletnieks@...edu
To: "David F. Skoll" <dfs@...ringpenguin.com>
Cc: Jonathan T Rockway <jrockw2@....edu>, bugtraq@...urityfocus.com
Subject: Re: DJB's students release 44 *nix software vulnerability advisories
On Tue, 21 Dec 2004 14:59:15 EST, "David F. Skoll" said:
> Could you have? How, pray tell, would you compromise a machine with
> the NASM exploit? Even if you have a local account, the NASM exploit
> lets you run arbitrary code as... yourself. Big deal.
Do you audit every line of code you receive from the network? Even for a
package the size of Apache or the X11 distribution? And you miss the point -
if *I* can hand you a trojaned program that will run arbitrary code as
"yourself" *when I don't have a userid on your system*, I have a toehold on
your system.
Remember that "I get you to run arbitrary code as yourself" is the *primary*
way that spyware and zombie software get onto people's systems. So it's not
an academic moot point.
Having said that, running 'more' on the foo.S file will almost certainly show
up the exploit as an oddly formatted line. What is *much* more likely to
actually work is.. Hmm.. thinking for a moment..
Yeah.. ship software with "optional MMX for speed" support, and have the package's
Makefile invoke gcc. gcc will invoke the C preprocessor on the assembler source,
allowing for all sorts of #ifdef and #define magic to make the code look like
one thing but do another.
Probably take a *lot* longer for people to twig onto what was going on than the
Trojan that showed up in the Sendmail distrib and a number of other things a while
back - the ./configure script would compile-and-run a backdoor-shell program.
All the same, getting *any* program to execute arbitrary code other than what
the programmer intended is a *vulnerability*. The fact that some social engineering
is required to actually *exploit* the hole doesn't change the fact that there's
still a hole.
If I dig a deep hole, with lots of pointy poisoned sticks at the bottom, and
cleverly concealed with netting, there's *still* a hole there even if I fail
to convince you to take a stroll with me down this trail, and oh would you
mind going first, there's a narrow spot here.....
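The mechanism the message sketches (a Makefile feeding a `.S` file through gcc, so the C preprocessor rewrites the assembler source before the assembler ever sees it) suggests a concrete review step: inspect the preprocessed output rather than the raw file, and flag preprocessor constructs that can change what a line means. The script below is an added example for this page, not code from the message or from any project it mentions. The mnemonic list, the sample `foo.S` contents and the finding categories are all constructed for the demonstration; the `gcc -E -x assembler-with-cpp` invocation it recommends is gcc's own standard way of showing the preprocessed form of an assembler-with-cpp file.

```python
"""
Audit helper (added example, not part of the original mailing-list message):
report C-preprocessor constructs in .S assembler sources that can make the text
a reviewer reads differ from what the assembler actually receives after gcc
runs cpp on it. All sample data below is constructed for this demonstration.
"""
import re

# Instruction mnemonics and register names a reviewer expects to mean exactly
# one thing. Constructed, illustrative x86 subset; extend for your architecture.
RESERVED_WORDS = {
    "mov", "movl", "movq", "push", "pushl", "pop", "popl", "call", "ret",
    "jmp", "nop", "xor", "xorl", "lea", "leal", "int", "syscall",
    "eax", "ebx", "ecx", "edx", "esp", "ebp", "esi", "edi", "rax", "rsp",
}

DEFINE_RE = re.compile(r"^\s*#\s*define\s+(\w+)(?:\(([^)]*)\))?\s*(.*)$")
INCLUDE_RE = re.compile(r'^\s*#\s*include\s+(<[^>]+>|"[^"]+")')
DIRECTIVE_RE = re.compile(r"^\s*#\s*(\w+)")
CONDITIONALS = ("if", "ifdef", "ifndef", "elif", "else")


def audit_asm_source(text):
    """Return (line_no, category, reason) findings for one .S file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = DEFINE_RE.match(line)
        if m:
            name, params, body = m.group(1), m.group(2), m.group(3).rstrip()
            if name.lower() in RESERVED_WORDS:
                # The dangerous case from the message: a familiar mnemonic or
                # register is silently replaced by something else.
                findings.append((no, "define",
                                 "macro %r shadows an instruction or register" % name))
            elif params is not None or body.endswith("\\"):
                # Function-like or multi-line macros hide several instructions
                # behind one token; read the expansion, not the call site.
                findings.append((no, "define",
                                 "macro %r has parameters or spans lines; read its expansion" % name))
            continue
        m = INCLUDE_RE.match(line)
        if m and m.group(1).startswith('"'):
            # A quoted include pulls another file from the source tree into the
            # assembler input, so that file needs the same review.
            findings.append((no, "include",
                             "local header %s is also assembler input" % m.group(1)))
            continue
        m = DIRECTIVE_RE.match(line)
        if m and m.group(1) in CONDITIONALS:
            findings.append((no, "conditional",
                             "code path depends on build-time macros (#%s)" % m.group(1)))
    return findings


def preprocess_command(path):
    """gcc invocation that prints exactly what the assembler will receive.
    Reviewing this output defeats #define/#ifdef tricks in the raw .S file."""
    return ["gcc", "-E", "-x", "assembler-with-cpp", path]


# Constructed sample: what a reviewer would see when opening foo.S in 'more'.
SAMPLE_S = """\
/* constructed sample foo.S for the audit demonstration */
#include "config.h"
#ifdef HAVE_MMX
#define nop  xorl %eax, %eax
#endif
#define SAVE_REGS(x) pushl %ebp; \\
        movl %esp, %ebp; x
        .text
        .globl fast_copy
fast_copy:
        SAVE_REGS(nop)
        ret
"""

if __name__ == "__main__":
    for line_no, category, reason in audit_asm_source(SAMPLE_S):
        print("foo.S:%d: [%s] %s" % (line_no, category, reason))
    print("to see the real assembler input run:",
          " ".join(preprocess_command("foo.S")))
```

Run against the constructed sample, the script flags the quoted `#include`, the `#ifdef`, the macro that shadows `nop`, and the multi-line `SAVE_REGS` macro. The check only applies to files gcc actually preprocesses: gcc runs cpp on `.S` (and `.sx`) inputs, while lowercase `.s` files go straight to the assembler, so a Makefile that routes `.S` files through `gcc` is the exact configuration the message describes.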