Message-ID: <537C6E4A.2090507@yandex.com>
Date: Wed, 21 May 2014 11:13:46 +0200
From: Project Un1c0rn <project.un1c0rn@...dex.com>
To: fulldisclosure@...lists.org
Cc: Tavis Ormandy <taviso@...xchg8b.com>
Subject: Re: [FD] Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe
I really don't get those kinds of arguments.
If there's a risk that, combined with some other flaw, can be
exploited later (dunno, dropping a NEW exe in the root, for e.g.), fix the
risk.
Security is not thinking, naaaah, it should be OK, nobody can touch that
dir ... or noooo, plain-text passwords are OK because my DB is on a
private network ...
Damn it ... No kidding, there are thousands of systems out there
vulnerable because they think Cloudflare protects them.
Think for yourself ... Hackers don't take you with one single point of
failure, they combine them.
---------
Project Un1c0rn
http://un1c0rn.net
http://unicorntufgvuhbi.onion
On 05/21/2014 06:10 AM, Tavis Ormandy wrote:
> "Stefan Kanthak" <stefan.kanthak@...go.de> wrote:
>
>> Hi @ll,
>>
>> several programs of the current Windows 7 driver software for the
>> "HP OfficeJet 6700" multifunction device execute a rogue program
>> C:\Program.exe
>>
>>
>
> It sounds like a bug, but why is this a security issue? I can only
> imagine two possible scenarios
>
> 1. You've somehow made the root partition FAT32, in which case
> you're using a non-securable filesystem; therefore not a security
> issue.
> 2. You've set a bad ACL on the root directory, therefore user error.
>
> If you believe otherwise, please post details, as that would be an
> interesting discovery.
>
> Tavis.
>
>
> _______________________________________________ Sent through the
> Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS:
> http://seclists.org/fulldisclosure/
>
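An added defender's check, not part of this thread: a PowerShell script that tests the system drive for the two conditions Tavis lists (non-NTFS root, root ACL that lets non-privileged users create files) and for an already-present C:\Program.exe. The function name and the list of trusted principals are my assumptions.

```powershell
# Added example (not from the thread): audit the system-drive root for the
# two conditions raised above, using only built-in cmdlets and .NET types.
function Test-RootDirectoryHardening {
    param([string]$Root = ($env:SystemDrive + '\'))
    $findings = @()

    # 1. Filesystem: FAT/FAT32 volumes carry no ACLs, so nothing protects the root.
    $drive = New-Object System.IO.DriveInfo $Root
    if (@('NTFS', 'ReFS') -notcontains $drive.DriveFormat) {
        $findings += "$Root is $($drive.DriveFormat): ACLs are not enforced here."
    }

    # 2. Root ACL: any Allow ACE that lets a non-privileged principal create
    #    files directly in the root is enough to plant Program.exe.
    #    (Trusted list is an assumption; adjust to local policy.)
    $trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                 'NT SERVICE\TrustedInstaller')
    # CreateFiles (= WriteData) is the right that matters; Write, Modify and
    # FullControl all include that bit, so a bitwise test catches them too.
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in (Get-Acl -Path $Root).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to the root folder itself.
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights) -band $createFiles) {
            $findings += ('{0} can create files in {1} ({2})' -f
                $ace.IdentityReference, $Root, $ace.FileSystemRights)
        }
    }

    # 3. Has a Program.exe already been dropped in the root?
    $decoy = Join-Path $Root 'Program.exe'
    if (Test-Path -LiteralPath $decoy) {
        $findings += "Unexpected file present: $decoy"
    }
    return $findings
}

# Wrap in @() so an empty result still has a .Count on older PowerShell.
$issues = @(Test-RootDirectoryHardening)
if ($issues.Count -eq 0) { 'Root directory looks properly protected.' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

A clean result only shows that the root is protected today; the unquoted-path bug in the driver software remains and still deserves the fix the thread calls for.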