Full Disclosure mailing list archives
RE: Edonkey/Overnet Plugins Could Pose Harm
From: "ashton" <ashton () joltmedia com>
Date: Wed, 17 Dec 2003 10:47:41 -0500
My attempt is to get MetaMachine to make them all be SIGNED before they can be loaded, it's a P2P app and would have 1.2 million+ times the effects of an WMP plugin, perhaps you took it wrong. My COM statement was that any dumbarse can write something in MFC to be harmful but when it is pure C++ and COM it's not as easy, MFC gives virus writers or n00bs an easy route at creating these plugins. So my goal is what I first stated, you cannot compare WMP or PS to Overnet w/ Plugins because Overnet has 1.2 million online users at your disposal instantly. You must look at it as a whole. -ashton -----Original Message----- From: petard [mailto:petard () freeshell org] Sent: Wednesday, December 17, 2003 10:04 AM To: ashton Cc: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Edonkey/Overnet Plugins Could Pose Harm On Wed, Dec 17, 2003 at 12:11:38AM -0500, ashton wrote: <gross misunderstanding/ranting about plugins snipped> I don't get it. You wrote a long message about how running arbitrary code from an untrusted source on your PC is insecure. How is this different from any other common plugin architecture? You site the Windows Media SDK as an example that gets it write because it uses "COM" instead of what you refer to as "full c++ access", but you never differentiate between the two. COM objects can certainly be written in C++, and there is absolutely no sandbox to keep that code from doing malicious things. It simply must conform to a COM interface. If you believe that a malicious (for instance) Windows Media visualization plugin or a malicious photoshop plugin cannot do every nasty thing an edonkey plugin can, you are delusional. Here's a hypothetical example for Windows Media, your example of a safe SDK: STDMETHODIMP CMyVisualizer::Render(TimedLevel *pLevels, HDC hdc, RECT *prc) { //Check for our malicious process if( !isHelperRunning() ) { launchEvilHelperProcess(); } // Proceed to draw pretty pictures so that the moron who downloaded // and executed this arbitrary code while thinking it was safe since // it exported a COM interface suspects nothing doRender( pLevels, hdc, prc ); } I'll leave the implementation of isHelperRunning() and launchEvilHelperProcess() to your imagination, but suffice to say code that's running here is in no way restricted by the fact that the interface used to invoke it is defined by a particular IDL file and conforms to the COM specification. To have a reasonable shot at "safe" plugins, you'd really need some sort of sandboxing system akin to java's. Even then, as we've all seen, it's hard to get right. No common app that I can think of attempts this. In short, it doesn't matter what application starts your arbitrary code. You could write a malicious plugin for netscape, photoshop, quark, WMP, anything that takes true executable code for plugins. Most plugin systems do. Furthermore, few if any provide some sort of clearinghouse to vet plugins and declare them safe. Don't run it unless you trust it. It is, for all (good and evil) purposes nothing more then executable code that is launched and communicates in a specified way. So my question remains: How is eDonkey worse than these others? Regards, petard _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Edonkey/Overnet Plugins Could Pose Harm ashton (Dec 16)
- Re: Edonkey/Overnet Plugins Could Pose Harm petard (Dec 17)
- RE: Edonkey/Overnet Plugins Could Pose Harm ashton (Dec 17)
- <Possible follow-ups>
- RE: Edonkey/Overnet Plugins Could Pose Harm ashton (Dec 17)
- Re: Edonkey/Overnet Plugins Could Pose Harm petard (Dec 17)