Dailydave mailing list archives
Re: Sending remote procedure calls through e-mail (RPC-Mail)
From: Chris Kuethe <chris.kuethe () gmail com>
Date: Tue, 19 Oct 2004 22:00:06 -0600
On Wed, 20 Oct 2004 00:41:26 -0200, Cristiano Lincoln Mattos <lincoln () tempest com br> wrote:
On Wednesday 20 October 2004 00:27, Abe Usher wrote:

what you have is basically unencrypted and weakly authenticated command execution on the system, since all you rely on is the secrecy of the "special account" and a simple passphrase -- both can be sniffed, or the account gathered from mail server logs. not exactly secure.
Something that just occurs to me: this is worse than telnetting in using S/Key or other OTP system. That's true even if you go with one time passwords in your messages. If you're emailing the "reboot my entire empire" command back to your world from a cybercafe, there's a not-insignificant chance that it will get delayed a bit: stored then forwarded, buffered, spooled, virus-scanned, etc. If some smtp relay operator along the way knows that you do this, then suddenly they can do a dead-trivial man in the middle attack. They can grab a couple of your one time passwords, and make up some results to send back, they can edit your script, etc. I'd feel mildly reassured by a more session-oriented protocol like telnet or ssh; but only mildly, having heard of these crazy newfangled things called bait-n-switch honeypots. ;)

But then again you're not targeting this as a general login mechanism. The closest thing to RPC I'd trust email for is exchanging pgp keys between keyservers.

--
GDB has a 'break' feature; why doesn't it have 'fix' too?

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
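The store-and-forward weakness Chris describes above, modelled as an added example that is not part of the thread or of the RPC-Mail proposal: a receiver that checks only a one-time password accepts a command that a relay held and edited, because nothing ties the password to the command text. A receiver that instead demands an HMAC over a timestamp, a nonce and the command (the shared key, field names, and the 300-second freshness window are assumptions for this example) rejects the edited copy, rejects a replayed copy, and rejects a copy that sat in a spool past the window.

```python
import hashlib
import hmac
import secrets
import time

# Constructed pre-shared key between the mailing client and the receiving host.
# Assumption for this example; any real deployment would provision its own.
SHARED_KEY = b"example-shared-key-not-a-real-secret"

# Reject commands that were delayed (spooled, virus-scanned, held by a relay)
# for longer than this many seconds. Chosen for the example.
MAX_AGE_SECONDS = 300


def relay_rewrites_command(msg: str, new_command: str) -> str:
    """Model of the scenario in the thread: a relay holds the message and
    edits the script while leaving every other line untouched."""
    out = []
    for line in msg.splitlines():
        out.append(f"CMD: {new_command}" if line.startswith("CMD: ") else line)
    return "\n".join(out) + "\n"


# --- Weak scheme: one-time password plus command, nothing binding them ------

def make_otp_message(otp: str, command: str) -> str:
    return f"OTP: {otp}\nCMD: {command}\n"


class OtpOnlyReceiver:
    def __init__(self, otp_list):
        self.unused = set(otp_list)

    def accept(self, msg: str):
        fields = dict(line.split(": ", 1) for line in msg.splitlines())
        otp = fields.get("OTP")
        if otp not in self.unused:
            return None
        self.unused.discard(otp)  # burn the OTP, as an OTP scheme should
        return fields.get("CMD")  # ...but the command itself was never checked


# --- Bound scheme: HMAC over timestamp, nonce and command -------------------

def sign_message(key: bytes, command: str, now: float = None, nonce: str = None) -> str:
    """Commands must not contain newlines; the single-line format is a
    simplification for the example."""
    now = time.time() if now is None else now
    nonce = nonce or secrets.token_hex(8)
    body = f"TS: {now}\nNONCE: {nonce}\nCMD: {command}\n"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + f"MAC: {tag}\n"


class SignedReceiver:
    def __init__(self, key: bytes, now_fn=time.time):
        self.key = key
        self.seen_nonces = set()
        self.now_fn = now_fn

    def accept(self, msg: str):
        lines = msg.splitlines()
        if not lines or not lines[-1].startswith("MAC: "):
            return None, "malformed"
        body = "\n".join(lines[:-1]) + "\n"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; an edited command changes the body and fails here.
        if not hmac.compare_digest(expected, lines[-1][len("MAC: "):]):
            return None, "bad mac"
        fields = dict(line.split(": ", 1) for line in lines[:-1])
        if abs(self.now_fn() - float(fields["TS"])) > MAX_AGE_SECONDS:
            return None, "stale"
        if fields["NONCE"] in self.seen_nonces:
            return None, "replay"
        self.seen_nonces.add(fields["NONCE"])
        return fields["CMD"], "ok"


def demo() -> dict:
    """Run both receivers against the same relay behaviour at a fixed clock."""
    results = {}
    weak = OtpOnlyReceiver(["otp-0001"])
    held = relay_rewrites_command(make_otp_message("otp-0001", "uptime"), "reboot")
    results["otp_only_accepts_edited"] = weak.accept(held)

    clock = 1_000_000.0
    strong = SignedReceiver(SHARED_KEY, now_fn=lambda: clock)
    original = sign_message(SHARED_KEY, "uptime", now=clock, nonce="n1")
    results["signed_original"] = strong.accept(original)
    results["signed_replay"] = strong.accept(original)
    results["signed_edited"] = strong.accept(relay_rewrites_command(original, "reboot"))
    late = SignedReceiver(SHARED_KEY, now_fn=lambda: clock + MAX_AGE_SECONDS + 1)
    results["signed_delayed"] = late.accept(sign_message(SHARED_KEY, "uptime", now=clock, nonce="n2"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The MAC only addresses the "edit your script" and replay half of the problem; a relay can still drop the message, and the results mailed back need the same treatment (sign them under a key the sender holds, bound to the nonce of the request) or the sender has no way to tell genuine output from made-up results.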
Current thread:
- Sending remote procedure calls through e-mail (RPC-Mail) Abe Usher (Oct 19)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) David Maynor (Oct 19)
- Message not available
- Fwd: Sending remote procedure calls through e-mail (RPC-Mail) Chris Kuethe (Oct 19)
- Re: Sending remote procedure calls through e-mail(RPC-Mail) Kurt Seifried (Oct 19)
- Fwd: Sending remote procedure calls through e-mail (RPC-Mail) Chris Kuethe (Oct 19)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) Cristiano Lincoln Mattos (Oct 19)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) Chris Kuethe (Oct 19)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) Frank Knobbe (Oct 19)
- 'pr0jekt MAYHeM -- "~el8 team"' in full effect on the Daily Dave, etc =) robert (Oct 19)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) Chris Kuethe (Oct 19)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) Peter Busser (Oct 20)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) John Bryson (Oct 20)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) Paul Wouters (Oct 20)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) John Bryson (Oct 20)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) John Bryson (Oct 20)