Full Disclosure mailing list archives

Re: [ GLSA 200612-15 ] McAfee VirusScan: Insecure DT_RPATH


From: Tavis Ormandy <taviso () gentoo org>
Date: Fri, 15 Dec 2006 01:21:55 +0000

On Thu, Dec 14, 2006 at 06:39:55PM -0600, David_Coffey () McAfee com wrote:
> Gentoo Security Team,
>
> This statement seems to contrast greatly with your practice of not following
> a "professional" responsible disclosure process; particularly, posting a
> security issue only 8.5 hours after your initial report was confirmed by
> McAfee and a mere 9 hours after you sent in your initial report.


David, the issue had already been discussed in public as we informed
you. There is no point trying to bury an issue once it has already been
discussed in public, we issued an advisory to ensure that our users were
aware that the issue existed.

> This is not generally considered "responsible" practice.  If you are not
> already aware, there are many responsible disclosure guidelines and
> practices which have been published, like those outlined at
> http://www.oisafety.org/ (we are founding members and adhere to these
> guidelines).

Not everyone believes these guidelines are in everyone's best interests.

> In another matter, McAfee disagrees with your statement that this is
> a "high" severity issue, as the privilege of the executed code is not
> raised from the privileges of the executing user. In addition to this,
> an attacker would have had to compromise the machine through another
> mechanism in order to place the malicious library on the system.

Well then you have a fundamental misunderstanding of the issue. Does an
attacker have to compromise your machine to get you to use your virus
scanner on an arbitrary file? No.

Your DT_RPATH tag instructs the dynamic loader to search the working
directory for shared libraries; if you scan an ELF DSO by invoking your
scanner on the file, then executing arbitrary code is trivial. I sent you
a very clear example of this privately, including step-by-step
instructions on how to reproduce it. If you did not understand my
instructions, please contact me off-list and I will explain it in detail.

Thanks, Tavis.

-- 
-------------------------------------
taviso () sdf lonestar org | finger me for my pgp key.
-------------------------------------------------------
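Added example, not part of the original mail or of any McAfee or Gentoo code: a small Python checker that flags the kind of DT_RPATH/DT_RUNPATH elements Tavis describes (relative or empty elements, which the loader resolves against the working directory) in the text output of `readelf -d`. The sample readelf output embedded below is constructed for illustration.

```python
"""Flag insecure DT_RPATH/DT_RUNPATH elements in `readelf -d` output."""
import re
import sys
from typing import List, Optional, Tuple

# readelf -d prints search paths on lines such as:
#  0x000000000000000f (RPATH)    Library rpath: [.:/opt/app/lib]
#  0x000000000000001d (RUNPATH)  Library runpath: [$ORIGIN/../lib]
RPATH_LINE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")

# Constructed sample of `readelf -d` output (not taken from any real binary).
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [.:/opt/scanner/lib:]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:/usr/lib]
"""


def classify_entry(entry: str) -> Optional[str]:
    """Return why a single search-path element is risky, or None if it is absolute."""
    if entry == "":
        return "empty element, which glibc resolves as the current working directory"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return "$ORIGIN-relative element; safe only if the binary's own directory is not writable by others"
    if not entry.startswith("/"):
        return "relative path, resolved against whatever directory the program is run from"
    return None


def find_insecure_rpaths(readelf_output: str) -> List[Tuple[str, str, str]]:
    """Return (tag, element, reason) for every risky element on RPATH/RUNPATH lines."""
    findings = []
    for line in readelf_output.splitlines():
        match = RPATH_LINE.search(line)
        if not match:
            continue
        tag, value = match.group(1), match.group(2)
        # Elements are colon-separated; each one is checked on its own.
        for element in value.split(":"):
            reason = classify_entry(element)
            if reason:
                findings.append((tag, element, reason))
    return findings


if __name__ == "__main__":
    # Usage: readelf -d /path/to/binary | python check_rpath.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    for tag, element, reason in find_insecure_rpaths(text):
        print(f"{tag} element {element!r}: {reason}")
```

Run without arguments it reports on the constructed sample; with `-` it reads real `readelf -d` output from stdin.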

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/