oss-sec mailing list archives
Re: CVE request: rufus
From: Pete Batard <pete () akeo ie>
Date: Thu, 31 May 2018 17:42:42 +0100
Hi Stefan,Thank you very much for your very depreciative and less than informative report.
Since a vulnerability report works a lot better with an actual exploitation scenario conducted with the actual application, that we can look into, we will be waiting on that from you.
Also, FYI, we did apply mitigation for #1 (DLL sideloading attacks) very shortly after the time it became publicized:
https://github.com/pbatard/rufus/commit/8473e9ef561295fd10dd9526010c1fd1cb1e6701And of course, with proper non disparaging involvement of security researchers, who subscribe to the established responsible disclosure policy of their profession, we are always eager to improve on our mitigation fixes, if it turns out they aren't adequate.
However, we would appreciate if you refrained from jumping to erroneous conclusion about Rufus development being conducted by "bloody beginners", when it is clear that some of the "beginner's" vulnerabilities you list have long had some mitigation factors applied.
All the best, /Pete On 2018.05.31 17:05, Stefan Kanthak wrote:
Hi @ll, like its predecessors, the recently (2018-05-29) published version 3.0 of "Rufus" (<https://rufus.akeo.ie/downloads/rufus-3.0.exe> and <https://rufus.akeo.ie/downloads/rufus-3.0p.exe>) is riddled with bloody beginners errors, which allow arbitrary code execution WITH escalation of privilege. Vulnerability #1 ~~~~~~~~~~~~~~~~ See <https://cwe.mitre.org/data/definitions/426.html> and <https://cwe.mitre.org/data/definitions/427.html> plus <https://capec.mitre.org/data/definitions/471.html>. Additionally see Microsoft's developer guidance <https://technet.microsoft.com/en-us/library/2269637.aspx>, <https://msdn.microsoft.com/en-us/library/ff919712.aspx>, <https://msdn.microsoft.com/en-us/library/ms682586.aspx> und <http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx> for avoiding this bloody beginner's error. Also see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html> and <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> plus <https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html> for "prior art". Vulnerability #2 ~~~~~~~~~~~~~~~~ See <https://cwe.mitre.org/data/definitions/377.html> and <https://cwe.mitre.org/data/definitions/379.html> plus <https://capec.mitre.org/data/definitions/29.html> stay tuned Stefan Kanthak
Current thread:
- CVE request: rufus Stefan Kanthak (May 31)
- Re: CVE request: rufus Pete Batard (May 31)
- Re: CVE request: rufus Stefan Kanthak (May 31)
- Re: CVE request: rufus Solar Designer (May 31)
- Re: CVE request: rufus Pete Batard (May 31)
- Re: CVE request: rufus Stefan Kanthak (Jun 01)
- Re: Re: CVE request: rufus Henri Salo (Jun 01)
- Re: Re: CVE request: rufus Lionel Debroux (Jun 01)
- Re: CVE request: rufus Stefan Kanthak (May 31)
- Re: CVE request: rufus Pete Batard (May 31)