Bugtraq mailing list archives

Re: DJB's students release 44 *nix software vulnerability advisories

From: "David F. Skoll" <dfs () roaringpenguin com>
Date: Tue, 21 Dec 2004 14:59:15 -0500 (EST)

On Mon, 20 Dec 2004, Jonathan T Rockway wrote:

Regarding local versus remote, look at it this way:  You have a 100%
secure system.  Then you install NASM.  Now a user FROM THE NETWORK can
send you some tainted assembly code for you to assemble and he can
compromise your account.


That's nonsense.  If you have /bin/sh installed, I can send you a shell
script FROM THE NETWORK that will give me root access if you run it.
Therefore, every UNIX system on Earth has a remote hole, according to
your definition.

Now in regards to full disclosure, I think you should all be happy
that we bothered to tell you all about these exploits.  We could
have selfishly used them to compromise machines, but instead we
wrote them up and mailed them off to the users and the authors!


Could you have?  How, pray tell, would you compromise a machine with
the NASM exploit?  Even if you have a local account, the NASM exploit
lets you run arbitrary code as... yourself.  Big deal.

--
David.

Current thread:

Re: DJB's students release 44 *nix software vulnerability advisories, (continued)
- - - Re: DJB's students release 44 *nix software vulnerability advisories Crispin Cowan (Dec 24)
    - Message not available
    - Re: DJB's students release 44 *nix software vulnerability advisories Crispin Cowan (Dec 23)
- Re: DJB's students release 44 *nix software vulnerability advisories Jonathan T Rockway (Dec 21)
  - Re: DJB's students release 44 *nix software vulnerability advisories milw0rm Inc. (Dec 21)
    - Re: DJB's students release 44 *nix software vulnerability advisories Antoine Martin (Dec 21)
    - Re: DJB's students release 44 *nix software vulnerability advisories Chris Paget (Dec 22)
    - Re: DJB's students release 44 *nix software vulnerability advisories Jack Lloyd (Dec 22)
  - Re: DJB's students release 44 *nix software vulnerability advisories Dave Holland (Dec 21)
    - Re: DJB's students release 44 *nix software vulnerability advisories sean (Dec 22)
  - Re: DJB's students release 44 *nix software vulnerability advisories Thor (Dec 21)
  - Re: DJB's students release 44 *nix software vulnerability advisories David F. Skoll (Dec 21)
    - Re: DJB's students release 44 *nix software vulnerability advisories Jonathan Rockway (Dec 22)
    - Re: DJB's students release 44 *nix software vulnerability advisories Casper . Dik (Dec 22)
    - Re: DJB's students release 44 *nix software vulnerability advisories Michal Zalewski (Dec 23)
    - Re: DJB's students release 44 *nix software vulnerability advisories Valdis . Kletnieks (Dec 22)
  - Re: DJB's students release 44 *nix software vulnerability advisories laffer1 (Dec 21)
    - Re: DJB's students release 44 *nix software vulnerability advisories Jonathan Rockway (Dec 22)
  - Re: DJB's students release 44 *nix software vulnerability advisories Stephen Harris (Dec 21)
  - Re: DJB's students release 44 *nix software vulnerability advisories Raymond M. Reskusich (Dec 21)
- RE: DJB's students release 44 *nix software vulnerability advisories Devin Ganger (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories Steven M. Christey (Dec 22)

(Thread continues...)