lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 27 Feb 2012 16:27:03 -0500
From: Jeffrey Walton <noloader@...il.com>
To: Rich Pieri <ratinox@....edu>
Cc: "<full-disclosure@...ts.grok.org.uk>" <full-disclosure@...ts.grok.org.uk>,
	"<bugtraq@...urityfocus.com>" <bugtraq@...urityfocus.com>
Subject: Re: pidgin OTR information leakage

On Mon, Feb 27, 2012 at 3:21 PM, Rich Pieri <ratinox@....edu> wrote:
> On Feb 27, 2012, at 2:37 PM, Michele Orru wrote:
>> I think you didn't understood the content of the advisory.
>> If there are 10 non-root users in an Ubuntu machine for example,
>> if user 1 is using pidgin with OTR compiled with DBUS, then user 2 to 10
>> can see what user 1 pidgin conversation.
>
>
> This is not what the OP or CVE describe:
>
>>> plaintext. This makes it possible for attackers that have gained
>>> user-level access on a host, to listen in on private conversations
>>> associated with the victim account.
>
> Which I read as: if I compromise user1's account then I can snoop user1's DBUS sessions.  It says nothing about me being able to snoop user2's sessions.  The leading phrase about attackers gaining user-level access implies that legitimate users on a system are not a relevant issue.
>
I tend to agree with you, and question if that is in fact true (it may
well be, my apologies in advance). DBUS is on my list of things to
probe, prod, and attatck due to data sharing.

But I'd be really surprised if data was available across distinct user
sessions. Unix/Linux are usually very good a separating processes and
sessions so that data does not comingle.

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists