Secure Coding mailing list archives

Re: Re: DJB's students release 44 poorly-worded, overblown advisories


From: Crispin Cowan <crispin () immunix com>
Date: Wed, 22 Dec 2004 15:42:59 +0000


Paco Hope wrote:

> Then reconsider whether rtf2latex or abc2midi are really "remote exploits."
> I think it is safe to say that no one will have their email program or web
> browser set up to run 'abc2midi' as the default option when they click an
> ABC file (even though they could). Is this really remotely exploitable? It
> requires the user to save the file to a disk and run a special command on
> it.

That depends on the configuration of "helper apps" in the mail and web 
clients. It is the modern default to automatically open MS Office .doc files 
when you click on them. On many systems, there are actually system-wide 
defaults set that say "Foo is the designated application for opening 
.foo files", and the mail and web browsers will automatically start up 
the application and open the file. It would not surprise me to see a 
helper app for handling MIDI files, and while I have never heard of an 
ABC file until today, it appears to be a music format 
http://abc.sourceforge.net/abcMIDI/ and it would not surprise me if a 
non-trivial number of users have an ABC helper application defined, even 
if they do not know it, just because they installed a music editing package.



> I feel like your explanation backs out to a debate about what lengths we can
> "reasonably expect" someone to go to infect themselves. If clicking on an
> attachment and typing a password qualifies (which I think most of us will
> accept as reasonable), does "save this file to disk and run this command on
> it" also qualify?

You are right, these marginal examples do highlight the fact that 
"remotely exploitable" is not black and white, but actually describes a 
continuum.



> Maybe it's just me, but I don't think filter programs like these x2y
> programs (he cited "abc2midi" and "rtf2latex2e" among others) qualify.

If they are commonly configured as default helper apps, then they 
definitely do qualify. If they are only occasionally configured as 
default helper apps, then they marginally qualify.



> There's no way someone will have their web or mail software set up to run
> these converters as the default action.

Uh huh. And no one would ever have a helper app defined for .PIF files 
either; who ever heard of that? :)



> The "ease" of exploit here doesn't come anywhere near the ease of
> exploiting, say, xmms or some other software that is highly likely to be the
> default application for a given content-type.

That just narrows the number of vulnerable systems. It remains remotely 
exploitable for the people who do configure these helpers.


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com