Full Disclosure mailing list archives
Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe
From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Wed, 21 May 2014 10:39:16 -0700
On 21 May 2014 10:01, coderaptor <coderaptor () gmail com> wrote:
If the fix is trivial, I'd rather fix it, regardless of the conclusion of "security-or-not" pissing match.
There are enough bugs in any non-trivial program to keep every developer busy for life, which is why it's so important to classify issues in order of severity. This way, limited developer resources can be applied for maximum effect. Good vendors let security issues jump the queue, which is why it's important to determine if something is a security issue or not. This is not a "pissing match", if an attacker gains a privilege they did not previously have, it's a security issue otherwise, your bug goes into the queue with the thousands of others.
I partially agree with Travis in the ACL argument, but also would like to note that half of humanity logs in a Windows machine as Administrator, as well as clicks on hyperlinks that purport to have photos of a nekkid celebrity.
Right, so this gains them nothing. So we have two classes of users (according to your definition) 1. The users who do not have Administrator privileges; These users cannot exploit this issue, because they can't write to C:\ 2. The users who do have Administrator privileges. These users can write to C:\, but why bother, they're already Administrators?
And it definitely does not look good on part of hp to dismiss the issue because they don't consider it worthy enough of a fix.
I doubt they're dismissing it, just not letting it jump to the front of the queue; Remember, as with all software projects, they have limited developer resources. This is a very minor bug, should they stop engineers working on high severity issues and assign them to this? There's no security impact, and an Administrator would have to deliberately break the system. If I was in charge, I'd tell them to fix real bugs that paying customers are reporting - not contrived issues like this. Of course, this changes if someone can demonstrate how to create C:\Program.exe without Administrator access. There certainly might be a bug somewhere that permits that, but that's the issue that needs to be fixed, not this one. That issue would be exploitable whether this bug existed or not. Tavis.
Let me guess - the logistics is a nightmare, hp probably has a n x m matrix that they'd have to issue fix for, which quickly explodes into upper two or even three digit numbers. -coderaptor On Wed, May 21, 2014 at 6:57 AM, Tavis Ormandy <taviso () cmpxchg8b com> wrote:On 21 May 2014 02:13, Project Un1c0rn <project.un1c0rn () yandex com> wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I really don't get those kind of arguments.It's simple, if your exploit requires Administrator access, then it's probably not a security issue. Filesystem ACLs are a supported security boundary, being able to defeat them would be a legitimate and important vulnerability. Inventing attacks that require them to fail as a pre-requisite is like saying "If you can modify /etc/passwd, then...". Hopefully you agree that using your Administrator access to replace or modify system files or settings is not a security issue.If there's a risk that combined with some other flaw that can be exploited later (dunno, dropping NEW exe in the root for eg.), fix the risk.The bug would be being able to defeat filesystem ACLs; if you have a way of doing that without Administrator access, you have a security bug. That doesn't need to be combined with anything else, it's a serious vulnerability.Security is not thinking, naaaah should be ok nobody can touch that dir ... or noooo plain text passwords are OK because my db is on a private network ... Damn it ... No kidding there's thousands of systems out there vulnerable because they think cloudflare protects them. Think for yourself ... Hackers don't take you with one single point of failure, they combine them.Uh, Thanks, I'll keep that in mind.- --------- Project Un1c0rn http://un1c0rn.net http://unicorntufgvuhbi.onion On 05/21/2014 06:10 AM, Tavis Ormandy wrote:"Stefan Kanthak" <stefan.kanthak () nexgo de> wrote:Hi @ll, several programs of the current Windows 7 driver software for the "HP OfficeJet 6700" multifunction device execute a rogue program C:\Program.exeIt sounds like a bug, but why is this a security issue? I can only imagine two possible scenarios 1. You've somehow made the root parition FAT32, in which case you're using a non-securable filesystem; Therefore not a security issue. 2. You've set a bad ACL on the root directory, therefore user error. If you believe otherwise, please post details, as that would be an interesting discovery. Tavis. _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/-- ------------------------------------- taviso () cmpxchg8b com | pgp encrypted mail preferred ------------------------------------------------------- _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
-- ------------------------------------- taviso () cmpxchg8b com | pgp encrypted mail preferred ------------------------------------------------------- _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe Stefan Kanthak (May 20)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe Tavis Ormandy (May 20)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe Project Un1c0rn (May 21)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe Tavis Ormandy (May 21)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe Project Un1c0rn (May 21)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe coderaptor (May 21)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe Tavis Ormandy (May 21)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe Reindl Harald (May 21)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe Michal Zalewski (May 21)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe Stefan Kanthak (May 21)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe Reindl Harald (May 21)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe Michal Zalewski (May 21)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe Mario Vilas (May 21)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe Project Un1c0rn (May 21)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe Tavis Ormandy (May 20)
- Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe coderaptor (May 22)