Date: Wed, 29 Oct 2008 12:45:57 +0000
From: Tavis Ormandy <taviso@....lonestar.org>
To: Tomas Hoger <thoger@...hat.com>
Cc: oss-security@...ts.openwall.com, coley@...re.org
Subject: Re: CVE request: lynx (old) .mailcap handling flaw

On Tue, Oct 28, 2008 at 10:38:43AM +0100, Tomas Hoger wrote:
> 2) Local social engineering attack - local attacker convinces victim to
> run lynx in some specially crafted local directory.
> 
> For valgrind, 1) does not seem to make much sense (or is a lot less
> likely), as if you valgrind a random binary downloaded from the net,
> you're already running attacker's code.

Well obviously. The attack would be convincing someone to debug an
application with a testcase provided in a tarball, or to debug something
in a specific directory.

If you just dumped one in /tmp on a system I use and waited a few weeks,
there's a strong possibility you would pwn me.

> 
> Actually, gdb may be another target with its handling of .gdbinit:
> 
>    echo 'shell /usr/bin/id' > .gdbinit ; gdb
> 
> (gdb seems to have some checks in place though and refuses to open files
> that are world-writable or not owned by the user)
> 

Of course, guess who reported that ;-) (me).

The patch to make those checks was provided by me. I'm suggesting
valgrind should do the same thing.

Thanks, Tavis.

-- 
-------------------------------------
taviso@....lonestar.org | finger me for my gpg key.
-------------------------------------------------------
