Vulnerability Development mailing list archives
Re: Vulnerability Disclosure
From: Jonathan Leffler <jleffler () us ibm com>
Date: Fri, 8 Jun 2007 11:33:21 -0600
Valdis.Kletnieks () vt edu wrote on 06/08/2007 10:10:14 AM:
On Thu, 07 Jun 2007 05:21:06 PDT, Jonathan Leffler said:Wouldn't the person be able to do those things anyway? So, is there
an
actual risk of exploitation by someone unauthorized? If the person installing has the privileges to abuse their system and then subverts
an
installer into abusing their system, how much of a problem is it
really?
The *real* attack vector here is "Can you, as an outsider, get the
sysadmin
to run a installer script that *looks* OK at first glance, but ends up doing something untoward by abusing the setup.exe that the sysadmin sees in the script but doesn't actually look closely at"? export LICENSE_KEY=`cat license.file`; setup.exe is a good way to get a blob of binary data into the environment without too much scrutiny... now if you can get setup.exe to branch to it.. ;) The *other* corner case to consider - the person has the privs, but is untrustworthy, but wants to plant a backdoor for a co-conspirator
without
the command audit trail showing anything untoward. "Hey, I didn't do
it,
I just ran setup.exe to install the program. Take a look at the audit
trail,
that's the only thing I ran..."
Interesting side-light - thanks. On Windows, I don't think I've ever done things like specially setting the environment before running an installer - certainly not where I don't trust the source of the information. Come to that, I don't do it on Unix either. The untrustworthy trusted insider is very difficult to deal with - regardless. It's one reason why I didn't say "some security problems are too small to be worth fixing". In a world with infinite resources, they'd all be fixed. However, they do have to be prioritized, and some security issues are more serious than others (and non-security issues need to be addressed too - and (too often?) have priority over security). A flaw that permits unauthenticated remote machine takeover is far more serious than a flaw that 'only' affects the 'installer only with cooperation from user'. I'd prioritize the unauth-remote flaw over the installer flaw every time, for multiple releases if necessary. Ideally, the installer flaw outlined originally would be fixed too, but I could imagine that lots of other things get prioritized higher - and resource limitations could prevent it from being fixed fast. -- Jonathan Leffler (jleffler () us ibm com) STSM, Informix Database Engineering, IBM Information Management Division 4100 Bohannon Drive, Menlo Park, CA 94025-1013 Tel: +1 650-926-6921 Tie-Line: 630-6921 "I don't suffer from insanity; I enjoy every minute of it!"
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Vulnerability Disclosure matt . steer (Jun 06)
- Re: Vulnerability Disclosure Steve Shockley (Jun 07)
- Re: Vulnerability Disclosure Mauro Flores (Jun 07)
- <Possible follow-ups>
- Re: Vulnerability Disclosure Jonathan Leffler (Jun 07)
- Re: Vulnerability Disclosure Valdis . Kletnieks (Jun 08)
- Re: Vulnerability Disclosure Jonathan Leffler (Jun 08)
- Re: Vulnerability Disclosure Lincoln Yeoh (Jun 18)
- Re: Vulnerability Disclosure Valdis . Kletnieks (Jun 08)