Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe

From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Wed, 21 May 2014 06:57:22 -0700
On 21 May 2014 02:13, Project Un1c0rn <project.un1c0rn () yandex com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I really don't get those kind of arguments.



It's simple, if your exploit requires Administrator access, then it's
probably not a security issue. Filesystem ACLs are a supported
security boundary, being able to defeat them would be a legitimate and
important vulnerability. Inventing attacks that require them to fail
as a pre-requisite is like saying "If you can modify /etc/passwd,
then...".

Hopefully you agree that using your Administrator access to replace or
modify system files or settings is not a security issue.


If there's a risk that combined with some other flaw that can be
exploited later (dunno, dropping NEW exe in the root for eg.), fix the
risk.


The bug would be being able to defeat filesystem ACLs; if you have a
way of doing that without Administrator access, you have a security
bug. That doesn't need to be combined with anything else, it's a
serious vulnerability.


Security is not thinking, naaaah should be ok nobody can touch that
dir ... or noooo plain text passwords are OK because my db is on a
private network ...

Damn it ... No kidding there's thousands of systems out there
vulnerable because they think cloudflare protects them.

Think for yourself ... Hackers don't take you with one single point of
failure, they combine them.



Uh, Thanks, I'll keep that in mind.


- ---------

Project Un1c0rn
http://un1c0rn.net
http://unicorntufgvuhbi.onion

On 05/21/2014 06:10 AM, Tavis Ormandy wrote:

"Stefan Kanthak" <stefan.kanthak () nexgo de> wrote:


Hi @ll,

several programs of the current Windows 7 driver software for the
"HP OfficeJet 6700" multifunction device execute a rogue program
C:\Program.exe




It sounds like a bug, but why is this a security issue? I can only
imagine two possible scenarios

1. You've somehow made the root parition FAT32, in which case
you're using a non-securable filesystem; Therefore not a security
issue. 2. You've set a bad ACL on the root directory, therefore
user error.

If you believe otherwise, please post details, as that would be an
interesting discovery.

Tavis.


_______________________________________________ Sent through the
Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS:
http://seclists.org/fulldisclosure/





-- 
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: