Date: Thu, 29 Nov 2007 18:09:23 -0500
From: Steve Shockley <steve.shockley@...ckley.net>
To: bugtraq@...urityfocus.com
Subject: Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability

Valdis.Kletnieks@...edu wrote:
>> An attacker who can convince an user to extract a specially crafted
>> archive can overwrite arbitrary files with the permissions of the user
>> running gtar. If that user is root, the attacker can overwrite any
>> file on the system.
>
> Apparently, somebody at FreeBSD thinks "can be exploited if you trick the
> user into doing something" is a valid attack vector.

The difference is that I'd be surprised when I got 0wned by unpacking an
archive, and not all that surprised when I got 0wned by running a random
executable (script) file.