Date: Wed, 29 Oct 2008 12:45:57 +0000
From: Tavis Ormandy <taviso@....lonestar.org>
To: Tomas Hoger <thoger@...hat.com>
Cc: oss-security@...ts.openwall.com, coley@...re.org
Subject: Re: CVE request: lynx (old) .mailcap handling flaw

On Tue, Oct 28, 2008 at 10:38:43AM +0100, Tomas Hoger wrote:
> 2) Local social engineering attack - local attacker convinces victim to
> run lynx in some specially crafted local directory.
> 
> For valgrind, 1) does not seem to make much sense (or is a lot less
> likely), as if you valgrind a random binary downloaded from the net,
> you're already running attacker's code.

Well obviously. The attack would be convincing someone to debug an
application with a testcase provided in a tarball, or to debug something
in a specific directory.

If you just dumped one in /tmp on a system I use and waited a few weeks,
there's a strong possibility you would pwn me.

> 
> Actually, gdb may be another target with its handling of .gdbinit:
> 
>    echo 'shell /usr/bin/id' > .gdbinit ; gdb
> 
> (gdb seems to have some checks in place though and refuses to open files
> that are world-writable or not owned by the user)
> 

Of course, guess who reported that ;-) (me).

The patch to make those checks was provided by me. I'm suggesting
valgrind should do the same thing.

Thanks, Tavis.

-- 
-------------------------------------
taviso@....lonestar.org | finger me for my gpg key.
-------------------------------------------------------
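The ownership and permission check that the thread says gdb applies to a `.gdbinit` in the current directory, written out as an added example; this is not code from the original post, from gdb or from valgrind. The enum and function names (`init_check`, `check_init_file`, `demo_with_mode`, `demo_symlink`) are hypothetical, and the policy is slightly stricter than the one described above: it rejects group-writable files as well as world-writable ones, and uses `lstat()` so that a planted symlink is refused rather than followed. The demo helpers create constructed temporary files under `/tmp` to exercise the check.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Verdicts for a per-directory init file (hypothetical names). */
enum init_check {
    INIT_OK = 0,
    INIT_MISSING,            /* lstat() failed: no file, or unreadable path */
    INIT_NOT_REGULAR,        /* symlink, directory, fifo, device ... */
    INIT_WRONG_OWNER,        /* not owned by the user running the tool */
    INIT_WRITABLE_BY_OTHERS  /* group- or world-writable */
};

/* Decide whether a candidate init file (e.g. ./.gdbinit or ./.valgrindrc)
 * may be executed.  Rejecting files owned by someone else or writable by
 * others defeats the "drop a file in a shared directory and wait" attack
 * discussed in the thread.  lstat() does not follow symlinks, so a link
 * planted in the directory is reported as INIT_NOT_REGULAR. */
enum init_check check_init_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return INIT_MISSING;
    if (!S_ISREG(st.st_mode))
        return INIT_NOT_REGULAR;
    if (st.st_uid != geteuid())
        return INIT_WRONG_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return INIT_WRITABLE_BY_OTHERS;
    return INIT_OK;
}

/* Demo helper: create a constructed temp file with the given permission
 * bits, run the check on it, delete it, and return the verdict. */
enum init_check demo_with_mode(mode_t mode)
{
    char path[] = "/tmp/initcheck-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return INIT_MISSING;
    if (fchmod(fd, mode) != 0) {   /* set bits explicitly, ignoring umask */
        close(fd);
        unlink(path);
        return INIT_MISSING;
    }
    close(fd);
    enum init_check verdict = check_init_file(path);
    unlink(path);
    return verdict;
}

/* Demo helper: a symlink to a perfectly harmless file must still be
 * refused, because the link itself is what the attacker controls. */
enum init_check demo_symlink(void)
{
    char target[] = "/tmp/initcheck-target-XXXXXX";
    char link[64];
    int fd = mkstemp(target);
    if (fd < 0)
        return INIT_MISSING;
    close(fd);
    fchmod(fd, 0644);
    snprintf(link, sizeof link, "%s.lnk", target);
    if (symlink(target, link) != 0) {
        unlink(target);
        return INIT_MISSING;
    }
    enum init_check verdict = check_init_file(link);
    unlink(link);
    unlink(target);
    return verdict;
}

int main(void)
{
    static const char *names[] = {
        "ok", "missing", "not a regular file", "wrong owner", "writable by others"
    };
    printf("mode 0644 : %s\n", names[demo_with_mode(0644)]);
    printf("mode 0666 : %s\n", names[demo_with_mode(0666)]);
    printf("symlink   : %s\n", names[demo_symlink()]);
    printf("absent    : %s\n", names[check_init_file("/tmp/initcheck-absent-file")]);
    return 0;
}
```

The check is deliberately applied to the file's own inode before anything is read from it; a tool that first opened and parsed the file and only then looked at ownership would already have lost the race against a symlink swap.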
