Full Disclosure mailing list archives
Re: [ GLSA 200612-15 ] McAfee VirusScan: Insecure DT_RPATH
From: Tavis Ormandy <taviso () gentoo org>
Date: Fri, 15 Dec 2006 01:21:55 +0000
On Thu, Dec 14, 2006 at 06:39:55PM -0600, David_Coffey () McAfee com wrote:
> Gentoo Security Team,
>
> This statement seems to contrast greatly your practice of not following a "professional" responsible disclosure process; particularly, posting a security issue only 8.5 hours after your initial report was confirmed by McAfee and a mere 9 hours after you sent in your initial report.
David, the issue had already been discussed in public, as we informed you. There is no point trying to bury an issue once it has already been discussed in public; we issued an advisory to ensure that our users were aware that the issue existed.
> This is not generally considered "responsible" practice. If you are not already aware, there are many responsible disclosure guidelines and practices which have been published, like those outlined at http://www.oisafety.org/ (we are founding members and adhere to these guidelines).
Not everyone believes these guidelines are in everyone's best interests.
> In another matter, McAfee disagrees with your statement that this is a "high" severity issue, as the privilege of the executed code is not raised from the privileges of the executing user. In addition to this, an attacker would have had to compromise the machine through another mechanism in order to place the malicious library on the system.
Well then you have a fundamental misunderstanding of the issue. Does an attacker have to compromise your machine to get you to use your virus scanner on an arbitrary file? No. Your DT_RPATH tag instructs the dynamic loader to search the working directory for shared libraries; if you scan an ELF DSO by invoking your scanner on the file, then executing arbitrary code is trivial.

I sent you a very clear example of this privately, including step-by-step instructions on how to reproduce it. If you did not understand my instructions, please contact me off-list and I will explain it in detail.

Thanks, Tavis.

--
-------------------------------------
taviso () sdf lonestar org | finger me for my pgp key.
-------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
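The defect the thread argues about is a DT_RPATH (or DT_RUNPATH) whose entries are empty or relative, so that the dynamic loader resolves shared libraries against whatever directory the scanner happens to be run from. The following audit script is an added example written for this archive page; it is not code from the GLSA, from Gentoo, or from McAfee, and it does not reproduce Tavis's private example. It parses the program headers and dynamic section of an ELF64 image directly, extracts DT_RPATH / DT_RUNPATH, and flags entries that resolve against the working directory. The `build_sample_elf` helper fabricates a minimal ELF64 object purely as constructed test input so the script runs offline; point `audit_elf` at the bytes of a real binary to audit it.

```python
"""Audit the DT_RPATH / DT_RUNPATH of an ELF64 binary for entries that make the
dynamic loader search the current working directory.  Added example for this
page; not code from the advisory, from Gentoo, or from McAfee."""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 5, 15, 29


def _program_headers(data):
    """Yield (p_type, p_offset, p_vaddr, p_filesz) for each ELF64 program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        yield p_type, p_offset, p_vaddr, p_filesz


def _vaddr_to_offset(phdrs, vaddr):
    """Translate a virtual address to a file offset via the PT_LOAD segments."""
    for p_type, p_offset, p_vaddr, p_filesz in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("address %#x is not file-backed" % vaddr)


def library_search_paths(data):
    """Return {'DT_RPATH': str, 'DT_RUNPATH': str} for the tags present in .dynamic."""
    phdrs = list(_program_headers(data))
    dynamic = [p for p in phdrs if p[0] == PT_DYNAMIC]
    if not dynamic:
        return {}                      # statically linked: no loader search path
    _, d_off, _, d_size = dynamic[0]
    tags = {}
    for off in range(d_off, d_off + d_size, 16):
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        tags.setdefault(d_tag, d_val)  # first occurrence wins; DT_NEEDED may repeat
    if DT_STRTAB not in tags:
        return {}
    strtab = _vaddr_to_offset(phdrs, tags[DT_STRTAB])
    found = {}
    for name, tag in (("DT_RPATH", DT_RPATH), ("DT_RUNPATH", DT_RUNPATH)):
        if tag in tags:
            start = strtab + tags[tag]
            found[name] = data[start:data.index(b"\0", start)].decode()
    return found


def insecure_entries(search_path):
    """Classify each colon-separated entry; returns [(entry, reason)] for the bad ones."""
    findings = []
    for entry in search_path.split(":"):
        if entry == "":
            findings.append((entry, "empty entry: the loader searches the current working directory"))
        elif entry.startswith(("$ORIGIN", "${ORIGIN}")):
            continue  # relative to the binary's own directory, not to the cwd
        elif not entry.startswith("/"):
            findings.append((entry, "relative path: resolved against the current working directory"))
    return findings


def audit_elf(data):
    """Return [(tag, entry, reason)] for every working-directory-relative search entry."""
    return [(tag, entry, reason)
            for tag, path in library_search_paths(data).items()
            for entry, reason in insecure_entries(path)]


def build_sample_elf(rpath):
    """Construct a minimal ELF64 shared object whose only dynamic tags are
    DT_STRTAB and DT_RPATH (constructed test input, not a real binary)."""
    strtab = b"\0" + rpath.encode() + b"\0"
    dyn_off, strtab_off = 64 + 2 * 56, 64 + 2 * 56 + 3 * 16   # 176, 224
    total = strtab_off + len(strtab)
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0,
                       3, 0x3E, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    # One identity-mapped PT_LOAD covering the whole file, plus PT_DYNAMIC.
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, 48, 48, 8)
    dynamic = struct.pack("<qQqQqQ", DT_STRTAB, strtab_off, DT_RPATH, 1, DT_NULL, 0)
    return ehdr + load + dyn + dynamic + strtab


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else build_sample_elf(".:/opt/vendor/lib")
    for tag, entry, reason in audit_elf(blob):
        print("%s entry %r: %s" % (tag, entry, reason))
```

Run without arguments it audits the constructed sample, whose DT_RPATH of `.:/opt/vendor/lib` produces one finding for the `.` entry; `$ORIGIN`-based entries are deliberately left alone because they resolve against the binary's own directory rather than the caller's working directory, which is the mitigation a vendor would ship for this class of defect.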
Current thread:
- [ GLSA 200612-15 ] McAfee VirusScan: Insecure DT_RPATH Sune Kloppenborg Jeppesen (Dec 13)
- <Possible follow-ups>
- Re: [ GLSA 200612-15 ] McAfee VirusScan: Insecure DT_RPATH David_Coffey (Dec 14)
- Re: [ GLSA 200612-15 ] McAfee VirusScan: Insecure DT_RPATH Tavis Ormandy (Dec 14)