Secure Coding mailing list archives

Re: Re: DJB's students release 44 poorly-worded, overblown advisories


From: "Paco Hope" <bhope () cigital com>
Date: Mon, 20 Dec 2004 21:18:01 +0000

On 12/20/04 1:03 PM, "Crispin Cowan" <[EMAIL PROTECTED]> wrote:
If they exploited notepad.exe when they activated would we announce a "remote
exploit" on notepad.exe? They exploit a buffer overflow in local software,
but they require action by the user before they can activate.

The difference between a local and a remote exploit, in this context, is that
a local exploit requires overt action on the part of the user, e.g. take these
7 steps to perform the local exploit. A remote exploit can include malicious
content that you can e-mail to a naive user and reasonably expect them to do
what is required to perform the exploit, such as "click on the attachment".

Then reconsider whether rtf2latex or abc2midi are really "remote exploits."
I think it is safe to say that no one will have their email program or web
browser set up to run 'abc2midi' as the default option when they click an
ABC file (even though they could). Is this really remotely exploitable? It
requires the user to save the file to a disk and run a special command on
it.

I feel like your explanation backs out to a debate about what lengths we can
"reasonably expect" someone to go to infect themselves. If clicking on an
attachment and typing a password qualifies (which I think most of us will
accept as reasonable), does "save this file to disk and run this command on
it" also qualify?

Maybe it's just me, but I don't think filter programs like these x2y
programs (he cited "abc2midi" and "rtf2latex2e" among others) qualify.
There's no way someone will have their web or mail software set up to run
these converters as the default action. Most systems won't even have the
vulnerable programs installed by default. The user has to save the hostile
payload to a file and has to type the command. They also have to type the
command with a modicum of correct syntax (perhaps not 100% correct, but at
least enough to get past the basic usage() check). Thus, they have to follow
some instructions from their attacker on how to get the software to run.

Even if we're debating reasonableness, I still disagree that these are so
easy you can just take it for granted that someone will have the software,
will save the file, and will execute the command with the vulnerable syntax.
If the user receives a file from an untrusted source, and follows a script
of commands (even though it may only be 2 or 3), I call this a social
engineering attack, not a remote exploit.

The "ease" of exploit here doesn't come anywhere near the ease of
exploiting, say, xmms or some other software that is highly likely to be the
default application for a given content-type.

Paco
-- 
Paco Hope, CISSP
Senior Software Security Consultant
Cigital, Inc. http://www.cigital.com/
[EMAIL PROTECTED] -- +1.703.585.7868