Vuln Dev
Re: Vulnerability Disclosure Jun 08 2007 05:33PM
Jonathan Leffler (jleffler us ibm com)
Valdis.Kletnieks (at) vt (dot) edu [email concealed] wrote on 06/08/2007 10:10:14 AM:
> On Thu, 07 Jun 2007 05:21:06 PDT, Jonathan Leffler said:
> > Wouldn't the person be able to do those things anyway? So, is there an
> > actual risk of exploitation by someone unauthorized? If the person
> > installing has the privileges to abuse their system and then subverts an
> > installer into abusing their system, how much of a problem is it really?
>
> The *real* attack vector here is "Can you, as an outsider, get the sysadmin
> to run an installer script that *looks* OK at first glance, but ends up
> doing something untoward by abusing the setup.exe that the sysadmin sees
> in the script but doesn't actually look closely at"?
>
> export LICENSE_KEY=`cat license.file`;
> setup.exe
>
> is a good way to get a blob of binary data into the environment without
> too much scrutiny... now if you can get setup.exe to branch to it.. ;)
>
> The *other* corner case to consider - the person has the privs, but is
> untrustworthy, but wants to plant a backdoor for a co-conspirator without
> the command audit trail showing anything untoward. "Hey, I didn't do it,
> I just ran setup.exe to install the program. Take a look at the audit trail,
> that's the only thing I ran..."

Interesting side-light - thanks.

On Windows, I don't think I've ever done things like specially setting the
environment before running an installer - certainly not where I don't
trust the source of the information. Come to that, I don't do it on Unix
either.

The untrustworthy trusted insider is very difficult to deal with -
regardless. It's one reason why I didn't say "some security problems are
too small to be worth fixing". In a world with infinite resources, they'd
all be fixed. However, they do have to be prioritized, and some security
issues are more serious than others (and non-security issues need to be
addressed too - and (too often?) have priority over security). A flaw
that permits unauthenticated remote machine takeover is far more serious
than a flaw that 'only' affects the 'installer only with cooperation from
user'. I'd prioritize the unauth-remote flaw over the installer flaw
every time, for multiple releases if necessary. Ideally, the installer
flaw outlined originally would be fixed too, but I could imagine that lots
of other things get prioritized higher - and resource limitations could
prevent it from being fixed fast.

--
Jonathan Leffler (jleffler (at) us.ibm (dot) com [email concealed])
STSM, Informix Database Engineering, IBM Information Management Division
4100 Bohannon Drive, Menlo Park, CA 94025-1013
Tel: +1 650-926-6921 Tie-Line: 630-6921
"I don't suffer from insanity; I enjoy every minute of it!"

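A defensive counterpart to the `LICENSE_KEY` snippet quoted above, as an added example that is not part of the original thread: a pre-install check that flags environment variables carrying oversized or non-text values and builds an allowlisted environment to hand to the installer. The function names, the length limit, the allowlist and the sample environment are assumptions chosen for illustration.

```python
import os
import string

# Assumed policy for this example; tune both values for your own hosts.
MAX_VALUE_LEN = 1024
ALLOWLIST = {"PATH", "HOME", "LANG", "TEMP", "TMP", "SystemRoot"}
# ASCII printable characters plus ordinary whitespace. Legitimate non-ASCII
# text is flagged too, which is a deliberate "review it first" policy choice.
PRINTABLE = set(string.printable.encode("ascii"))


def audit_env(env):
    """Return {name: [reasons]} for variables that deserve a look before
    an installer is allowed to inherit them."""
    findings = {}
    for name, value in env.items():
        raw = value if isinstance(value, bytes) else value.encode(
            "utf-8", "surrogateescape")
        reasons = []
        if len(raw) > MAX_VALUE_LEN:
            reasons.append("oversized")
        if any(b not in PRINTABLE for b in raw):
            reasons.append("non-printable")
        if reasons:
            findings[name] = reasons
    return findings


def scrubbed_env(env, allow=ALLOWLIST):
    """Environment to pass to the installer: allowlisted names only,
    and only those that passed the audit."""
    flagged = audit_env(env)
    return {k: v for k, v in env.items() if k in allow and k not in flagged}


# Constructed sample: LICENSE_KEY holds 1280 opaque bytes, standing in for
# the unreviewed contents of license.file in the quoted snippet.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "LANG": "en_US.UTF-8",
    "EDITOR": "vi",
    "LICENSE_KEY": bytes(range(0x80, 0xA0)) * 40,
}

if __name__ == "__main__":
    # Audit the live environment and show what would be passed through.
    for name, reasons in sorted(audit_env(dict(os.environ)).items()):
        print(f"{name}: {', '.join(reasons)}")
    print("would pass:", sorted(scrubbed_env(dict(os.environ))))
```

The dictionary returned by `scrubbed_env` can be passed as the `env=` argument of `subprocess.run`, so the installer starts from the reviewed set rather than from whatever the calling script exported.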