Secure Coding mailing list archives
Re: Re: DJB's students release 44 poorly-worded, overblown advisories
From: Crispin Cowan <crispin () immunix com>
Date: Wed, 22 Dec 2004 15:42:59 +0000
Paco Hope wrote:

> Then reconsider whether rtf2latex or abc2midi are really "remote exploits." I think it is safe to say that no one will have their email program or web browser set up to run 'abc2midi' as the default option when they click an ABC file (even though they could). Is this really remotely exploitable? It requires the user to save the file to a disk and run a special command on it.

That depends on the configuration of "helper apps" in the mail and web clients. It is the modern default to automatically open MS Office .doc files when you click on them. On many systems, there are actually system-wide defaults set that say "Foo is the designated application for opening .foo files", and the mail and web browsers will automatically start up the application and open the file. It would not surprise me to see a helper app for handling MIDI files, and while I have never heard of an ABC file until today, it appears to be a music format (http://abc.sourceforge.net/abcMIDI/), and it would not surprise me if a non-trivial number of users have an ABC helper application defined, even if they do not know it, just because they installed a music editing package.

> I feel like your explanation backs out to a debate about what lengths we can "reasonably expect" someone to go to infect themselves. If clicking on an attachment and typing a password qualifies (which I think most of us will accept as reasonable), does "save this file to disk and run this command on it" also qualify?

You are right, these marginal examples do highlight the fact that "remotely exploitable" is not black and white, but actually describes a continuum.

> Maybe it's just me, but I don't think filter programs like these x2y programs (he cited "abc2midi" and "rtf2latex2e" among others) qualify.

If they are commonly configured as default helper apps, then they definitely do qualify. If they are only occasionally configured as default helper apps, then they marginally qualify.

> There's no way someone will have their web or mail software set up to run these converters as the default action.

Uh huh. And no one would ever have a helper app defined for .PIF files either; who ever heard of that? :)

> The "ease" of exploit here doesn't come anywhere near the ease of exploiting, say, xmms or some other software that is highly likely to be the default application for a given content-type.

That just narrows the number of vulnerable systems. It remains remotely exploitable for the people who do configure these helpers.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
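The helper-app mapping Crispin describes is concrete configuration that an administrator can inventory rather than guess at. The script below is an added example, not part of this thread or of any of the projects named in it: it parses mailcap entries (the RFC 1524 format Unix mail and web clients of the period consulted to pick a program for a content type) and reports which program each type would launch, so a defender can see whether a converter such as abc2midi or rtf2latex2e is reachable from a click. The mailcap text is constructed sample data, not taken from a real system.

```shell
#!/bin/sh
# Constructed sample mailcap content (RFC 1524 layout) standing in for
# /etc/mailcap or ~/.mailcap. Not copied from any real installation.
SAMPLE_MAILCAP='# comment line, ignored by the parser
audio/midi; timidity %s; description="MIDI file"
text/vnd.abc; abc2midi %s -o /tmp/out.mid; test=test -n "$DISPLAY"
application/rtf; rtf2latex2e %s
text/plain; less %s; needsterminal
'

# list_handlers: read mailcap text on stdin and print one
# "type<TAB>program" line per entry. The program is the first word of
# the command field, i.e. what actually runs against an attachment.
list_handlers() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' |
    awk -F';' '{
        type = $1; gsub(/^[ \t]+|[ \t]+$/, "", type)
        cmd  = $2; gsub(/^[ \t]+/, "", cmd)
        split(cmd, words, /[ \t]+/)
        print type "\t" words[1]
    }'
}

# handler_for TYPE: program mapped to one MIME type in the sample, or "none".
handler_for() {
    h=$(printf '%s' "$SAMPLE_MAILCAP" | list_handlers |
        awk -F'\t' -v t="$1" '$1 == t { print $2; exit }')
    if [ -n "$h" ]; then printf '%s\n' "$h"; else printf 'none\n'; fi
}

# count_handlers: number of distinct helper programs the sample exposes,
# i.e. the size of the attack surface a click on an attachment can reach.
count_handlers() {
    printf '%s' "$SAMPLE_MAILCAP" | list_handlers | cut -f2 | sort -u | wc -l | tr -d ' '
}

# Stand-alone use: dump the full type-to-program table for review.
printf '%s' "$SAMPLE_MAILCAP" | list_handlers
```

To run this against a live machine, replace the embedded sample with `cat /etc/mailcap ~/.mailcap 2>/dev/null | list_handlers`; on current freedesktop.org desktops the equivalent question is answered by `xdg-mime query default text/vnd.abc`, which reads mimeapps.list rather than mailcap. Either way the output is the list Crispin's argument turns on: every program in it is one a remote sender can cause to run on attacker-supplied input without the recipient ever typing its name.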
Current thread:
- [Fwd: DJB's students release 44 *nix software vulnerability advisories] Gadi Evron (Dec 18)
- Re: DJB's students release 44 poorly-worded, overblown advisories Paco Hope (Dec 20)
- Re: DJB's students release 44 poorly-worded, overblown advisories ljknews (Dec 20)
- Re: Re: DJB's students release 44 poorly-worded, overblown advisories Crispin Cowan (Dec 22)
- Re: Re: DJB's students release 44 poorly-worded, overblown advisories ljknews (Dec 22)
- Re: DJB's students release 44 poorly-worded, overblown advisories ljknews (Dec 20)
- Re: Re: DJB's students release 44 poorly-worded, overblown advisories Crispin Cowan (Dec 20)
- Re: Re: DJB's students release 44 poorly-worded, overblownadvisories Paco Hope (Dec 20)
- Re: Re: DJB's students release 44 poorly-worded, overblown advisories Crispin Cowan (Dec 22)
- Re: DJB's students release 44 poorly-worded, overblown advisories Paco Hope (Dec 20)
- Re: DJB's students release 44 poorly-worded, overblown advisories dtalk-ml (Dec 20)
- <Possible follow-ups>
- RE: [Fwd: DJB's students release 44 *nix software vulnerability advisories] Shea, Brian A (Dec 20)
- RE: [Fwd: DJB's students release 44 *nix software vulnerability advisories] ljknews (Dec 20)
- Re: [Fwd: DJB's students release 44 *nix software vulnerability advisories] Crispin Cowan (Dec 21)