Message-ID: <20061215012155.GB26552@sdf.lonestar.org>
Date: Fri, 15 Dec 2006 01:21:55 +0000
From: Tavis Ormandy <taviso@...too.org>
To: David_Coffey@...fee.com
Cc: full-disclosure@...ts.grok.org.uk, security@...too.org
Subject: Re: [ GLSA 200612-15 ] McAfee VirusScan: Insecure DT_RPATH

On Thu, Dec 14, 2006 at 06:39:55PM -0600, David_Coffey@...fee.com wrote:
> Gentoo Security Team,
> 
> This statement seems to contrast greatly with your practice of not following
> a "professional" responsible disclosure process; particularly, posting a
> security issue only 8.5 hours after your initial report was confirmed by
> McAfee and a mere 9 hours after you sent in your initial report.
> 

David, the issue had already been discussed in public as we informed
you. There is no point trying to bury an issue once it has already been
discussed in public, we issued an advisory to ensure that our users were
aware that the issue existed.

> This is not generally considered "responsible" practice.  If you are not
> already aware, there are many responsible disclosure guidelines and
> practices which have been published, like those outlined at
> http://www.oisafety.org/ (we are founding members and adhere to these
> guidelines). 

Not everyone believes these guidelines are in everyone's best interests.

> In another matter, McAfee disagrees with your statement that this is
> a "high" severity issue, as the privilege of the executed code is not
> raised from the privileges of the executing user. In addition to this,
> an attacker would have had to compromise the machine through another
> mechanism in order to place the malicious library on the system.

Well then you have a fundamental misunderstanding of the issue. Does an
attacker have to compromise your machine to get you to use your virus
scanner on an arbitrary file? No.

Your DT_RPATH tag instructs the dynamic loader to search the working
directory for shared libraries; if you scan an ELF DSO by invoking your
scanner on the file, then executing arbitrary code is trivial. I sent you
a very clear example of this privately, including step-by-step
instructions on how to reproduce it. If you did not understand my
instructions, please contact me off-list and I will explain it in detail.

Thanks, Tavis.

-- 
-------------------------------------
taviso@....lonestar.org | finger me for my pgp key.
-------------------------------------------------------
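An added check for the class of defect discussed in this thread (example code, not from the original message and not McAfee's or Gentoo's): it reads the DT_RPATH/DT_RUNPATH entries out of an ELF64 image and flags search-path components that the loader resolves against the current working directory. The sample image it builds and the path values in it are constructed for illustration, not the real VirusScan binary.

```python
import struct

DT_NULL, DT_RPATH, DT_RUNPATH, SHT_STRTAB, SHT_DYNAMIC = 0, 15, 29, 3, 6

def insecure_components(search_path):
    """Components of a search path the loader resolves against the CWD: empty, "." or relative."""
    bad = []
    for comp in search_path.split(":"):
        if comp in ("", ".") or not comp.startswith(("/", "$ORIGIN")):
            bad.append(comp or "<empty>")
    return bad

def rpath_entries(elf):
    """[(tag_name, value)] for DT_RPATH/DT_RUNPATH in a little-endian ELF64 image, via section headers."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled")
    shoff = struct.unpack_from("<Q", elf, 0x28)[0]
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x3A)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize) for i in range(shnum)]
    found = []
    for _, sh_type, _, _, off, size, link, *_ in shdrs:
        if sh_type != SHT_DYNAMIC:
            continue
        dynstr = elf[shdrs[link][4]:shdrs[link][4] + shdrs[link][5]]  # .dynstr bytes via sh_link
        for pos in range(off, off + size, 16):          # each Elf64_Dyn entry is 16 bytes
            tag, val = struct.unpack_from("<qQ", elf, pos)
            if tag == DT_NULL:
                break
            if tag in (DT_RPATH, DT_RUNPATH):
                value = dynstr[val:dynstr.index(b"\0", val)].decode()
                found.append(("DT_RPATH" if tag == DT_RPATH else "DT_RUNPATH", value))
    return found

def audit(elf):
    """[(tag, path, bad_components)] for every search path in the image that is unsafe."""
    return [(tag, path, insecure_components(path))
            for tag, path in rpath_entries(elf) if insecure_components(path)]

def build_sample_elf(rpath):
    """Constructed sample: minimal ELF64 with only .dynstr and .dynamic (not a real scanner binary)."""
    dynstr = b"\0" + rpath.encode() + b"\0"
    dynamic = struct.pack("<qQqQ", DT_RPATH, 1, DT_NULL, 0)   # DT_RPATH -> dynstr offset 1
    dynstr_off, dynamic_off = 64, 64 + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    shdr = lambda typ, off, size, link: struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, 0)
    return (ehdr + dynstr + dynamic + shdr(0, 0, 0, 0)
            + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0)
            + shdr(SHT_DYNAMIC, dynamic_off, len(dynamic), 1))
```

To audit an installed binary, pass `open(path, "rb").read()` to `audit()`; a non-empty result means a library placed in the directory the scanner is run from can be loaded.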
