Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20081029124557.GA13910@sdf.lonestar.org>
Date: Wed, 29 Oct 2008 12:45:57 +0000
From: Tavis Ormandy <taviso@....lonestar.org>
To: Tomas Hoger <thoger@...hat.com>
Cc: oss-security@...ts.openwall.com, coley@...re.org
Subject: Re: CVE request: lynx (old) .mailcap handling flaw

On Tue, Oct 28, 2008 at 10:38:43AM +0100, Tomas Hoger wrote:
> 2) Local social engineering attack - local attacker convinces victim to
> run lynx in some specially crafted local directory.
> 
> For valgrind, 1) does not seem to make much sense (or is lot less
> likely), as if you valgrind random binary downloaded form the net,
> you're already running attacker's code.

Well obviously. The attack would be convincing someone to debug an
application with a testcase provided in a tarball, or to debug something
in a specific directory.

If you just dumped one in /tmp on a system I use and waited a few weeks,
there's a strong possibility you would pwn me.

> 
> Actually, gdb may be another target with its handling of .gdbinit:
> 
>    echo 'shell /usr/bin/id' > .gdbinit ; gdb
> 
> (gdb seems to have some checks in place though and refuses to open files
> that world-writable or not owned by the user)
> 

Of course, guess who reported that ;-) (me).

The patch to make those checks was provided by me. I'm suggesting
valgrind should do the same thing.

Thanks, Tavis.

-- 
-------------------------------------
taviso@....lonestar.org | finger me for my gpg key.
-------------------------------------------------------

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.