Vulnerability Development mailing list archives
Re: History Files
From: 11a () GMX NET (Bluefish)
Date: Thu, 20 Apr 2000 04:28:50 +0200
On Tue, 18 Apr 2000, iconoclast wrote:
> heh, i've hacked systems where all you can do is read email supposedly. you can use pine to execute commands you know :)
This actually kind of gets you into some kind of Windows 9x kind'a security. The application isn't intended to provide security, you make some changes (policy or whatever) and hope it will provide security. I mean, even if a program like pine couldn't execute files, consider the following scenario: you find a bug, which by doing [ insert something weird ] gives you the ability to execute programs. You notify the developers. "Uh, so?" they think and don't fix it because the program was never designed to stop attackers anyway.

Another relevant thingy was something I read (probably in this list or in bugtraq) where a CD-burner software which was designed to be executed by root only was called by a suid front-end. Whoever is responsible for designing an application which suids a program not intended for it makes the same error; assuming something to be secure which isn't designed to be secure.

Kind'a funny people do such things. I mean, it's reasonable that you once in a while make some mistake where your own code or setup can be exploited in some weird technical way. But is it really reasonable that people don't even think about the security models, the design ideals etc. behind products? It seems people assume that new functionality (security in this case) exists in a product just because it at the moment is convenient for them!

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team