Message-ID: <a46d7eaa0905261148r518eaa3at6a29a3eb8dcd2618@mail.gmail.com>
Date: Tue, 26 May 2009 19:48:26 +0100
From: saphex <saphex@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: FFSpy, a firefox malware PoC
ok
On Tue, May 26, 2009 at 4:08 PM, Shell Code <technobuster@...il.com> wrote:
> I would appreciate if you post replies to the list instead of sending
> it only to me. My comments inline.
>
> On Tue, May 26, 2009 at 5:10 PM, saphex <saphex@...il.com> wrote:
>>> I fail to understand what is new or interesting in this POC. If a
>>> person with malicious intent gains so much access to a system that he
>>> can put his files or Firefox plugins, modify existing files, etc
>>
>> If you gain access to a system as a user that isn't an administrator
>> (at least under systems that enforce user *differentiation*, read any
>> Linux flavour and Vista), you only have access to the user's folder;
>> you can't install anything (especially under Linux). I guess this is
>> meant to be an alternative way of getting the job done.
>
> This is not true. You can carry out attacks of the same severity by
> gaining access to a Linux or Windows system as a user that isn't the
> administrator. Here are a few examples:
>
> 1. Modify a vim, emacs, KDE, GNOME, etc. plugin that the user uses so
> that it sends the user's personal content (data, files, commands executed,
> etc.) from the system to a remote server.
>
> 2. Put a malicious executable file or script in the user's home
> directory and execute it from start-up scripts (.bashrc,
> .bash_profile, etc.) so that the malicious executable file executes
> whenever the user logs in. Now this malicious file can send the user's
> personal content to a remote server.
>
> 3. Modify or put plugins for other software to do malicious stuff. Similar
> to point 1.
>
> 4. Override PATH settings, aliases, put scripts, etc. so that
> 'ls' now executes 'rm' or some other malicious command, so that the user
> ends up executing commands he did not intend to.
>
> 5. ... and much more ...
>
>>
>>> From the POC it seems that somehow the attacker has to gain physical
>>> access to the system or do some social engineering attack to fool the
>>> user in installing or modifying his existing plugins. The PoC does not
>>> explain how this is done.
>>
>> Do you know the download-and-execute payload for exploits? Make an
>> application that changes the files, then use that payload in some
>> exploit. People just want everything done. Just click, download, use,
>> and call themselves l33ts.
>>
>
> How is it any different from the attack scenarios I have explained in
> the case of vim, emacs, KDE, GNOME, the Linux shell, etc.?
>
>> Maybe this is nothing new, but I think that the way to do it is new,
>> because you don't install anything, and the point to be proven here is
>> that the Firefox add-on system is security flawed from the very beginning.
>
> So, are you saying vim, emacs and the plugin system of every other
> piece of software on earth is security flawed from the very beginning?
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
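As an added defender-side example (not from the thread or the FFSpy PoC), a small Python checker that baselines the user-level persistence points Shell Code lists (.bashrc, .bash_profile, the Firefox profile directory) and reports files that appear or change, plus a scan for PATH entries the user can write to that are searched ahead of system directories; the watched paths, the system-directory set and the sample files in `demo()` are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# User-writable persistence points named in the thread (assumed locations;
# adjust to the profile actually in use). SYSTEM_DIRS ends the PATH scan.
WATCHED = [".bashrc", ".bash_profile", ".mozilla/firefox"]
SYSTEM_DIRS = {"/bin", "/usr/bin", "/sbin", "/usr/sbin", "/usr/local/bin"}

def snapshot(home):
    """Map every regular file under the watched paths to its SHA-256."""
    digests = {}
    for rel in WATCHED:
        root = Path(home) / rel
        files = [root] if root.is_file() else root.rglob("*") if root.is_dir() else []
        for f in files:
            if f.is_file():
                digests[f.relative_to(home).as_posix()] = hashlib.sha256(f.read_bytes()).hexdigest()
    return digests
def diff(baseline, current):
    """Report files that appeared, vanished or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }
def shadowing_path_entries(path_value):
    """Writable PATH entries searched before any system dir (point 4 in the thread)."""
    flagged = []
    for entry in path_value.split(os.pathsep):
        if entry in SYSTEM_DIRS:
            break
        if entry and os.access(entry, os.W_OK):
            flagged.append(entry)
    return flagged
def demo():
    """Constructed scenario: baseline a fake home, then add an add-on file and a .bashrc line."""
    with tempfile.TemporaryDirectory() as home:
        bashrc = Path(home) / ".bashrc"
        bashrc.write_text("export EDITOR=vim\n")
        ext = Path(home) / ".mozilla/firefox/prof.default/extensions/example-addon"
        ext.mkdir(parents=True)
        base = snapshot(home)
        (ext / "install.rdf").write_text("<RDF/>")  # constructed add-on file
        bashrc.write_text(bashrc.read_text() + "~/.local/bin/helper &\n")  # constructed line
        report = diff(base, snapshot(home))
        report["path"] = shadowing_path_entries(home + os.pathsep + "/usr/bin")
    return report
```

Run `snapshot()` once on a known-good profile, store the result, and compare with `diff()` on later runs; a non-empty `added` or `modified` list for these paths is the signal the thread's points 2 and 4 describe.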