Dailydave mailing list archives

Re: Sending remote procedure calls through e-mail (RPC-Mail)


From: Chris Kuethe <chris.kuethe () gmail com>
Date: Tue, 19 Oct 2004 22:00:06 -0600

On Wed, 20 Oct 2004 00:41:26 -0200, Cristiano Lincoln Mattos
<lincoln () tempest com br> wrote:
> On Wednesday 20 October 2004 00:27, Abe Usher wrote:
>
> what you have is basically unencrypted and weakly authenticated command
> execution on the system, since all you rely on is the secrecy of the "special
> account" and a simple passphrase -- both can be sniffed, or the account
> gathered from mail server logs. not exactly secure.

Something that just occurs to me: this is worse than telnetting in
using S/Key or other OTP system.

That's true even if you go with one time passwords in your messages.
If you're emailing the "reboot my entire empire" command back to your
world from a cybercafe, there's a not-insignificant chance that it
will get delayed a bit: stored then forwarded, buffered, spooled,
virus-scanned, etc. If some smtp relay operator along the way knows
that you do this, then suddenly they can do a dead-trivial man in the
middle attack. They can grab a couple of your one time passwords, and
make up some results to send back, they can edit your script, etc.

I'd feel mildly reassured by a more session-oriented protocol like
telnet or ssh; but only mildly, having heard of these crazy newfangled
things called bait-n-switch honeypots. ;) But then again you're not
targeting this as a general login mechanism.

The closest thing to RPC I'd trust email for is exchanging pgp keys
between keyservers.

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
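
The point made above about one-time passwords in store-and-forward mail, as an added example that is not part of the original post or of RPC-Mail: an S/Key-style OTP only proves freshness, so a relay that edits the body still gets the command accepted. The HMAC-with-counter receiver is a contrast chosen for this example, not something the thread proposes; every name, key and command string is constructed.

```python
import hashlib
import hmac

def otp_chain(seed: bytes, n: int) -> list:
    """S/Key-style hash chain: element i is SHA-256 applied i+1 times to seed."""
    out, h = [], seed
    for _ in range(n):
        h = hashlib.sha256(h).digest()
        out.append(h)
    return out

class OtpReceiver:
    """Accepts a mail when H(otp) equals the last accepted value; body is unchecked."""
    def __init__(self, last: bytes):
        self.last = last
    def accept(self, otp: bytes, body: str) -> bool:
        if hmac.compare_digest(hashlib.sha256(otp).digest(), self.last):
            self.last = otp          # each OTP is usable once
            return True
        return False

def tag_for(key: bytes, counter: int, body: str) -> bytes:
    """MAC over counter and body, so neither can change without the key."""
    msg = counter.to_bytes(8, "big") + body.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class MacReceiver:
    """Accepts a mail only if the tag covers this exact body and a fresh counter."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def accept(self, counter: int, body: str, tag: bytes) -> bool:
        ok = hmac.compare_digest(tag, tag_for(self.key, counter, body))
        if ok and counter > self.counter:
            self.counter = counter   # reject replays of old counters
            return True
        return False

def relay_edit(body: str) -> str:
    """Constructed stand-in for a relay rewriting the spooled message body."""
    return body + "; echo edited-in-transit"

def demo():
    chain = otp_chain(b"constructed-seed", 3)
    otp_rx = OtpReceiver(last=chain[2])
    body = "uptime"                  # constructed command
    otp_edited = otp_rx.accept(chain[1], relay_edit(body))
    key = b"constructed-shared-key"
    mac_rx = MacReceiver(key)
    tag = tag_for(key, 1, body)
    mac_edited = mac_rx.accept(1, relay_edit(body), tag)
    mac_original = mac_rx.accept(1, body, tag)
    mac_replay = mac_rx.accept(1, body, tag)
    return otp_edited, mac_edited, mac_original, mac_replay
```

Binding the tag to the body does not hide the command from the relay, and it does not stop the relay from delaying or dropping the message or forging the results mailed back unless those are authenticated the same way.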

