Nmap Development mailing list archives

Re: Feature Request: --update


From: Felix Gröbert <felix () groebert org>
Date: Thu, 25 Jan 2007 00:58:35 +0100

Hari Sekhon (2007-01-19, 10:45):
> Really nmap --update could do a lot more than just sigs, but also
> nmap-service-probes and other nmap-* files in /usr/share/nmap or
> /usr/local/share/nmap, perhaps even upgrading the whole thing in place
> including the nmap binary so the second run is using a fully updated
> nmap! (but that really is up to you if you wanted to be that nice -
> however that would be Awesome.)

I would vote against including an update functionality which updates
the binary executable, the NSE scripts or something else which could
be used for malicious code injection.
Remote code execution is the crown of a network security attack and
man-in-the-middle'ing an `nmap --update` would enable an attacker to
exchange or infect a binary. This is bad. I do not trust Firefox
automatic updates for this very reason.

The only exception would be the usage of a PKI to sign updates. But
this yields a lot of overhead to the update implementation and a lot
of work to the developers who have to manage the PKI.
Firefox and a lot of other FOSS projects do not do this.


Fingerprint updates are a cool thing, though.


Cheers,
-- 
 Felix Groebert  <>  groebert.org/felix  <>  GPG key: 6B44113F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
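
The signed-update exception raised in the message above, sketched as an added example (not part of the original post and not Nmap code): the client carries a pinned public key, accepts only data files, and checks a detached signature before anything is written. Ed25519, the `Update` type, the allow-list and the sample contents are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what a hypothetical update server would send for one file.
type Update struct {
	Name string
	Body []byte
	Sig  []byte // detached Ed25519 signature over signedMessage(Name, Body)
}

// signedMessage binds the file name to the content hash, so a validly signed
// file cannot be replayed under a different name.
func signedMessage(name string, body []byte) []byte {
	sum := sha256.Sum256(body)
	return append(append([]byte(name), 0), sum[:]...)
}

// Sign runs on the release machine only; the private key never ships.
func Sign(priv ed25519.PrivateKey, name string, body []byte) Update {
	return Update{name, body, ed25519.Sign(priv, signedMessage(name, body))}
}

// dataFiles is the allow-list: the binary and scripts are never accepted.
var dataFiles = map[string]bool{"nmap-os-db": true, "nmap-service-probes": true}

// Verify runs in the client before anything is written to disk.
func Verify(pinned ed25519.PublicKey, u Update) error {
	if !dataFiles[u.Name] {
		return errors.New("refusing non-data file: " + u.Name)
	}
	if !ed25519.Verify(pinned, signedMessage(u.Name, u.Body), u.Sig) {
		return errors.New("bad signature on " + u.Name)
	}
	return nil
}

func main() {
	// Constructed demo key from an all-zero seed; a real key is random.
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	u := Sign(priv, "nmap-service-probes", []byte("constructed sample probe\n"))
	fmt.Println("genuine:", Verify(pub, u))
	u.Body = append(u.Body, "injected"...) // simulated change in transit
	fmt.Println("modified in transit:", Verify(pub, u))
}
```

A single pinned key avoids a certificate hierarchy, but key storage, rotation and revocation remain the maintainers' job, which is the overhead the message refers to.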