Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe

From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Wed, 21 May 2014 10:39:16 -0700
On 21 May 2014 10:01, coderaptor <coderaptor () gmail com> wrote:

If the fix is trivial, I'd rather fix it, regardless of the conclusion
of "security-or-not" pissing match.


There are enough bugs in any non-trivial program to keep every
developer busy for life, which is why it's so important to classify
issues in order of severity. This way, limited developer resources can
be applied for maximum effect.

Good vendors let security issues jump the queue, which is why it's
important to determine if something is a security issue or not. This
is not a "pissing match", if an attacker gains a privilege they did
not previously have, it's a security issue otherwise, your bug goes
into the queue with the thousands of others.



I partially agree with Travis in the ACL argument, but also would like
to note that half of humanity logs in a Windows machine as
Administrator, as well as clicks on hyperlinks that purport to have
photos of a nekkid celebrity.


Right, so this gains them nothing. So we have two classes of users
(according to your definition)

1. The users who do not have Administrator privileges; These users
cannot exploit this issue, because they can't write to C:\
2. The users who do have Administrator privileges. These users can
write to C:\, but why bother, they're already Administrators?


And it definitely does not look good on
part of hp to dismiss the issue because they don't consider it worthy
enough of a fix.


I doubt they're dismissing it, just not letting it jump to the front
of the queue; Remember, as with all software projects, they have
limited developer resources.

This is a very minor bug, should they stop engineers working on high
severity issues and assign them to this? There's no security impact,
and an Administrator would have to deliberately break the system. If I
was in charge, I'd tell them to fix real bugs that paying customers
are reporting - not contrived issues like this.

Of course, this changes if someone can demonstrate how to create
C:\Program.exe without Administrator access. There certainly might be
a bug somewhere that permits that, but that's the issue that needs to
be fixed, not this one. That issue would be exploitable whether this
bug existed or not.

Tavis.


Let me guess - the logistics is a nightmare, hp
probably has a n x m matrix that they'd have to issue fix for, which
quickly explodes into upper two or even three digit numbers.

-coderaptor

On Wed, May 21, 2014 at 6:57 AM, Tavis Ormandy <taviso () cmpxchg8b com> wrote:

On 21 May 2014 02:13, Project Un1c0rn <project.un1c0rn () yandex com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I really don't get those kind of arguments.



It's simple, if your exploit requires Administrator access, then it's
probably not a security issue. Filesystem ACLs are a supported
security boundary, being able to defeat them would be a legitimate and
important vulnerability. Inventing attacks that require them to fail
as a pre-requisite is like saying "If you can modify /etc/passwd,
then...".

Hopefully you agree that using your Administrator access to replace or
modify system files or settings is not a security issue.


If there's a risk that combined with some other flaw that can be
exploited later (dunno, dropping NEW exe in the root for eg.), fix the
risk.


The bug would be being able to defeat filesystem ACLs; if you have a
way of doing that without Administrator access, you have a security
bug. That doesn't need to be combined with anything else, it's a
serious vulnerability.


Security is not thinking, naaaah should be ok nobody can touch that
dir ... or noooo plain text passwords are OK because my db is on a
private network ...

Damn it ... No kidding there's thousands of systems out there
vulnerable because they think cloudflare protects them.

Think for yourself ... Hackers don't take you with one single point of
failure, they combine them.



Uh, Thanks, I'll keep that in mind.


- ---------

Project Un1c0rn
http://un1c0rn.net
http://unicorntufgvuhbi.onion

On 05/21/2014 06:10 AM, Tavis Ormandy wrote:

"Stefan Kanthak" <stefan.kanthak () nexgo de> wrote:


Hi @ll,

several programs of the current Windows 7 driver software for the
"HP OfficeJet 6700" multifunction device execute a rogue program
C:\Program.exe




It sounds like a bug, but why is this a security issue? I can only
imagine two possible scenarios

1. You've somehow made the root parition FAT32, in which case
you're using a non-securable filesystem; Therefore not a security
issue. 2. You've set a bad ACL on the root directory, therefore
user error.

If you believe otherwise, please post details, as that would be an
interesting discovery.

Tavis.


_______________________________________________ Sent through the
Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS:
http://seclists.org/fulldisclosure/





--
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/




-- 
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: