Date: Sun, 18 Oct 2015 08:38:06 -0200
From: Fernando Mercês <nandu88@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] WinRAR SFX v5.21 - Remote Code Execution Vulnerability

RarLab answer: http://www.rarlab.com/vuln_sfx_html.htm

I don't think the work is useless... You probably learnt a lot writing this
guide and PoC code, but in fact an EXE can be manipulated in many ways to
run smaller pieces of code. There is no need to find a bug to do that. ;)


Att,

Fernando Mercês
mentebinaria.com.br <http://www.mentebinaria.com.br>
---------------------------

On Wed, Oct 7, 2015 at 3:16 PM, Shawn McMahon <syberghost@...il.com> wrote:

> On Mon, Oct 5, 2015 at 8:16 AM, Stefan Kanthak <stefan.kanthak@...go.de>
> wrote:
>
> >
> > That's why giving unsuspecting users *.EXE to install a software package
> > or to unpack an archive and thus training them to run almost anything
> > they get their hands on is a BLOODY STUPID idea in the first place.
> >
> > ALWAYS use the platform's native package or archive formats to distribute
> > your software or files!
> >
>
> Perhaps it's my ignorance talking, but I just don't see how:
>
> "Run this EXE that might contain bad stuff" is worse than:
>
> "Install this .msi as Admin that might contain bad stuff" or "install this
> RPM as root that might contain bad stuff" or "install this .pkg as root
> that might contain bad stuff."
>
> The vulnerability is installing things when you don't know what they are or
> where they came from, not the particular form in which they're packaged. If
> it's got a GUI, clicking on its packages is going to prompt you to escalate
> privileges and install them.
>
> If I'm missing something, drop some knowledge on me and I'll install it.
> Even if it's not signed. :)
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
