Vulnerability Development mailing list archives

Re: Vulnerability Disclosure


From: Valdis.Kletnieks () vt edu
Date: Fri, 08 Jun 2007 13:10:14 -0400

On Thu, 07 Jun 2007 05:21:06 PDT, Jonathan Leffler said:
> Wouldn't the person be able to do those things anyway?  So, is there an
> actual risk of exploitation by someone unauthorized?  If the person
> installing has the privileges to abuse their system and then subverts an
> installer into abusing their system, how much of a problem is it really?

The *real* attack vector here is "Can you, as an outsider, get the sysadmin
to run an installer script that *looks* OK at first glance, but ends up
doing something untoward by abusing the setup.exe that the sysadmin sees
in the script but doesn't actually look closely at"?

export LICENSE_KEY=`cat license.file`;
setup.exe

is a good way to get a blob of binary data into the environment without
too much scrutiny... now if you can get setup.exe to branch to it.. ;)

The *other* corner case to consider - the person has the privs, but is
untrustworthy, but wants to plant a backdoor for a co-conspirator without
the command audit trail showing anything untoward.  "Hey, I didn't do it,
I just ran setup.exe to install the program.  Take a look at the audit trail,
that's the only thing I ran..."
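
A pre-run review check for the wrapper pattern in the post above, as an added example that is not part of the original message: it flags variables filled from command output and tests whether the file behind a `cat` looks like a text key. The 256-byte limit, the function names and the sample file bodies are assumptions constructed for illustration.

```python
import re

# Matches: export NAME=`cmd`  or  export NAME=$(cmd)  (the "export" is optional)
ASSIGN_RE = re.compile(
    r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(?:`([^`]*)`|\$\(([^)]*)\))',
    re.MULTILINE,
)
MAX_LEN = 256  # assumed upper bound for a plausible licence key


def substituted_assignments(script):
    """Return (variable, command) pairs where the value comes from command output."""
    return [(m.group(1), (m.group(2) or m.group(3) or "").strip())
            for m in ASSIGN_RE.finditer(script)]


def value_findings(data):
    """Describe why a byte string is implausible as a text key; empty list if fine."""
    findings = []
    if len(data) > MAX_LEN:
        findings.append(f"length {len(data)} exceeds {MAX_LEN}")
    odd = sum(1 for b in data if not (0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)))
    if odd:
        findings.append(f"{odd} non-printable byte(s)")
    return findings


def review(script, files):
    """Map each variable fed from `cat FILE` to findings about FILE's content."""
    report = {}
    for var, cmd in substituted_assignments(script):
        parts = cmd.split()
        if len(parts) == 2 and parts[0] == "cat" and parts[1] in files:
            report[var] = value_findings(files[parts[1]])
        else:
            report[var] = [f"value from unreviewed command: {cmd}"]
    return report


# Constructed sample input: the wrapper from the post plus two made-up file bodies.
SCRIPT = "export LICENSE_KEY=`cat license.file`;\nsetup.exe\n"
TEXT_KEY = b"ABCD-1234-EFGH-5678\n"
BLOB = bytes(range(0x80, 0x100)) * 4  # 512 bytes, none of them printable ASCII

if __name__ == "__main__":
    print(review(SCRIPT, {"license.file": TEXT_KEY}))
    print(review(SCRIPT, {"license.file": BLOB}))
```

An empty findings list means only that the value looks like short printable text; it says nothing about how setup.exe handles that variable.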
