[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CA+YQQ6VrGt5Y1MxGfLxOnYWnq0qDeG=gGAXN5Hv+wvtyZ_LC0g@mail.gmail.com>
Date: Wed, 21 May 2014 10:39:16 -0700
From: Tavis Ormandy <taviso@...xchg8b.com>
To: coderaptor <coderaptor@...il.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] Beginners error: Hewlett-Packards driver software executes
rogue binary C:\Program.exe
On 21 May 2014 10:01, coderaptor <coderaptor@...il.com> wrote:
> If the fix is trivial, I'd rather fix it, regardless of the conclusion
> of "security-or-not" pissing match.
There are enough bugs in any non-trivial program to keep every
developer busy for life, which is why it's so important to classify
issues in order of severity. This way, limited developer resources can
be applied for maximum effect.
Good vendors let security issues jump the queue, which is why it's
important to determine if something is a security issue or not. This
is not a "pissing match", if an attacker gains a privilege they did
not previously have, it's a security issue otherwise, your bug goes
into the queue with the thousands of others.
>
> I partially agree with Travis in the ACL argument, but also would like
> to note that half of humanity logs in a Windows machine as
> Administrator, as well as clicks on hyperlinks that purport to have
> photos of a nekkid celebrity.
Right, so this gains them nothing. So we have two classes of users
(according to your definition)
1. The users who do not have Administrator privileges; These users
cannot exploit this issue, because they can't write to C:\
2. The users who do have Administrator privileges. These users can
write to C:\, but why bother, they're already Administrators?
> And it definitely does not look good on
> part of hp to dismiss the issue because they don't consider it worthy
> enough of a fix.
I doubt they're dismissing it, just not letting it jump to the front
of the queue; Remember, as with all software projects, they have
limited developer resources.
This is a very minor bug, should they stop engineers working on high
severity issues and assign them to this? There's no security impact,
and an Administrator would have to deliberately break the system. If I
was in charge, I'd tell them to fix real bugs that paying customers
are reporting - not contrived issues like this.
Of course, this changes if someone can demonstrate how to create
C:\Program.exe without Administrator access. There certainly might be
a bug somewhere that permits that, but that's the issue that needs to
be fixed, not this one. That issue would be exploitable whether this
bug existed or not.
Tavis.
> Let me guess - the logistics is a nightmare, hp
> probably has a n x m matrix that they'd have to issue fix for, which
> quickly explodes into upper two or even three digit numbers.
>
> -coderaptor
>
> On Wed, May 21, 2014 at 6:57 AM, Tavis Ormandy <taviso@...xchg8b.com> wrote:
>> On 21 May 2014 02:13, Project Un1c0rn <project.un1c0rn@...dex.com> wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> I really don't get those kind of arguments.
>>>
>>
>> It's simple, if your exploit requires Administrator access, then it's
>> probably not a security issue. Filesystem ACLs are a supported
>> security boundary, being able to defeat them would be a legitimate and
>> important vulnerability. Inventing attacks that require them to fail
>> as a pre-requisite is like saying "If you can modify /etc/passwd,
>> then...".
>>
>> Hopefully you agree that using your Administrator access to replace or
>> modify system files or settings is not a security issue.
>>
>>> If there's a risk that combined with some other flaw that can be
>>> exploited later (dunno, dropping NEW exe in the root for eg.), fix the
>>> risk.
>>
>> The bug would be being able to defeat filesystem ACLs; if you have a
>> way of doing that without Administrator access, you have a security
>> bug. That doesn't need to be combined with anything else, it's a
>> serious vulnerability.
>>
>>> Security is not thinking, naaaah should be ok nobody can touch that
>>> dir ... or noooo plain text passwords are OK because my db is on a
>>> private network ...
>>>
>>> Damn it ... No kidding there's thousands of systems out there
>>> vulnerable because they think cloudflare protects them.
>>>
>>> Think for yourself ... Hackers don't take you with one single point of
>>> failure, they combine them.
>>>
>>
>> Uh, Thanks, I'll keep that in mind.
>>
>>> - ---------
>>>
>>> Project Un1c0rn
>>> http://un1c0rn.net
>>> http://unicorntufgvuhbi.onion
>>>
>>> On 05/21/2014 06:10 AM, Tavis Ormandy wrote:
>>>> "Stefan Kanthak" <stefan.kanthak@...go.de> wrote:
>>>>
>>>>> Hi @ll,
>>>>>
>>>>> several programs of the current Windows 7 driver software for the
>>>>> "HP OfficeJet 6700" multifunction device execute a rogue program
>>>>> C:\Program.exe
>>>>>
>>>>>
>>>>
>>>> It sounds like a bug, but why is this a security issue? I can only
>>>> imagine two possible scenarios
>>>>
>>>> 1. You've somehow made the root parition FAT32, in which case
>>>> you're using a non-securable filesystem; Therefore not a security
>>>> issue. 2. You've set a bad ACL on the root directory, therefore
>>>> user error.
>>>>
>>>> If you believe otherwise, please post details, as that would be an
>>>> interesting discovery.
>>>>
>>>> Tavis.
>>>>
>>>>
>>>> _______________________________________________ Sent through the
>>>> Full Disclosure mailing list
>>>> http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS:
>>>> http://seclists.org/fulldisclosure/
>>>>
>>
>>
>>
>> --
>> -------------------------------------
>> taviso@...xchg8b.com | pgp encrypted mail preferred
>> -------------------------------------------------------
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
--
-------------------------------------
taviso@...xchg8b.com | pgp encrypted mail preferred
-------------------------------------------------------
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists