Bugtraq mailing list archives
Re: DJB's students release 44 *nix software vulnerability advisories
From: "Raymond M. Reskusich" <reskusic () uiuc edu>
Date: Tue, 21 Dec 2004 14:14:59 -0600
On Mon, Dec 20, 2004 at 05:14:22PM -0600, Jonathan T Rockway wrote:
Two points. Regarding local versus remote, look at it this way: You have a 100% secure system. Then you install NASM. Now a user FROM THE NETWORK can send you some tainted assembly code for you to assemble and he can compromise your account. That is why it is considered remote. Local would mean that I, the attacker, need an account on the target machine to compromise the target account. In this nasm case, I do not need an account. That is why the wording "remote" was chosen.
What you really have is a local exploit that you can sometimes trick a person into executing for you. Not the same thing as a remote exploit. You as a remote user have no way of compomising the system without first penetrating the system in some other way. Just because there is a social engineering method to achieve this penetration does not make this a remote exploit. I might add that if a person is assembling an untrusted piece of assembly code, there is a decent chance that he is planning on executing it.
Now in regards to full disclosure, I think you should all be happy that we bothered to tell you all about these exploits. We could have selfishly used them to compromise machines, but instead we wrote them up and mailed them off to the users and the authors! That is very nice of us.
Yeah, you know, if the choice is between criminal activity and this kind of announcement, you did ok, but I think we all assume that people in the security community want to actually protect users from security problems. Assuming that this is your goal, I think you can do better. -- Raymond M. Reskusich System Programmer/Administrator CITES/Engineering Workstation Group University of Illinois at Urbana-Champaign reskusic () uiuc edu pgp key id: D9D38030
Attachment:
_bin
Description:
Current thread:
- Re: DJB's students release 44 *nix software vulnerability advisories, (continued)
- Re: DJB's students release 44 *nix software vulnerability advisories Thor (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories David F. Skoll (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories Jonathan Rockway (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories Casper . Dik (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories Michal Zalewski (Dec 23)
- Re: DJB's students release 44 *nix software vulnerability advisories Valdis . Kletnieks (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories laffer1 (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories Jonathan Rockway (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories Stephen Harris (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories Raymond M. Reskusich (Dec 21)
- RE: DJB's students release 44 *nix software vulnerability advisories Devin Ganger (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories Steven M. Christey (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories David Wagner (Dec 24)
- Re: DJB's students release 44 *nix software vulnerability advisories Steven M. Christey (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories Crispin Cowan (Dec 23)
- RE: DJB's students release 44 *nix software vulnerability advisories Manning, Robert (Mission Systems) (Dec 22)
- RE: DJB's students release 44 *nix software vulnerability advisories Palmer, Paul (ISSAtlanta) (Dec 23)