Date: Thu, 31 May 2018 17:42:42 +0100 From: Pete Batard <pete@...o.ie> To: Stefan Kanthak <stefan.kanthak@...go.de>, oss-security@...ts.openwall.com Subject: Re: CVE request: rufus Hi Stefan, Thank you very much for your very depreciative and less than informative report. Since a vulnerability report works a lot better with an actual exploitation scenario conducted with the actual application, that we can look into, we will be waiting on that from you. Also, FYI, we did apply mitigation for #1 (DLL sideloading attacks) very shortly after the time it became publicized: https://github.com/pbatard/rufus/commit/8473e9ef561295fd10dd9526010c1fd1cb1e6701 And of course, with proper non disparaging involvement of security researchers, who subscribe to the established responsible disclosure policy of their profession, we are always eager to improve on our mitigation fixes, if it turns out they aren't adequate. However, we would appreciate if you refrained from jumping to erroneous conclusion about Rufus development being conducted by "bloody beginners", when it is clear that some of the "beginner's" vulnerabilities you list have long had some mitigation factors applied. All the best, /Pete On 2018.05.31 17:05, Stefan Kanthak wrote: > Hi @ll, > > like its predecessors, the recently (2018-05-29) published version > 3.0 of "Rufus" (<https://rufus.akeo.ie/downloads/rufus-3.0.exe> and > <https://rufus.akeo.ie/downloads/rufus-3.0p.exe>) is riddled with > bloody beginners errors, which allow arbitrary code execution WITH > escalation of privilege. > > Vulnerability #1 > ~~~~~~~~~~~~~~~~ > > See <https://cwe.mitre.org/data/definitions/426.html> > and <https://cwe.mitre.org/data/definitions/427.html> > plus <https://capec.mitre.org/data/definitions/471.html>. > > Additionally see Microsoft's developer guidance > <https://technet.microsoft.com/en-us/library/2269637.aspx>, > <https://msdn.microsoft.com/en-us/library/ff919712.aspx>, > <https://msdn.microsoft.com/en-us/library/ms682586.aspx> und > <http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx> > for avoiding this bloody beginner's error. > > Also see > <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html> > and > <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> > plus > <https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html> > for "prior art". > > > Vulnerability #2 > ~~~~~~~~~~~~~~~~ > > See <https://cwe.mitre.org/data/definitions/377.html> > and <https://cwe.mitre.org/data/definitions/379.html> > plus <https://capec.mitre.org/data/definitions/29.html> > > stay tuned > Stefan Kanthak >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.