ok On Tue, May 26, 2009 at 4:08 PM, Shell Code <[email protected]> wrote: > I would appreciate if you post replies to the list instead of sending > it only to me. My comments inline. > > On Tue, May 26, 2009 at 5:10 PM, saphex <[email protected]> wrote: >>> I fail to understand what is new or interesting in this POC. If a >>> person with malicious intent gains so much access to a system that he >>> can put his files or firefox plugins, modify existing files, etc >> >> If you gain access to a system with the user that isn't administrator >> (at least under systems that enforce user *differentiation*, read any >> Linux flavour and Vista), you only have access to the users folder, >> you can't install anything (especially under Linux). I guess this is >> meant to be an alternative way of getting the job done. > > This is not true. You can carry out attacks of the same severity by > gaining access to a Linux or Windows system as a user that isn't the > administrator. Here are a few examples: > > 1. Modify a vim, emacs, KDE, GNome, etc. plugin that the user uses so > that it sends user's personal content (data, files, commands executed, > etc.) from the system to a remote server. > > 2. Put a malicious executable file or script in the user's home > directory and execute it from start up scripts (.bashrc, > .bash_profile, etc.) so that the malicious executable file executes > whenever the user logs in. Now this malicious file can send user's > personal content to a remote server. > > 3. Modify or put plugins for other software to malicous stuff. Similar > to point 1. > > 4. Override PATH settings, aliases, put scripts, etc. so that when the > 'ls' now executes 'rm' or some other malicious command so that user > ends up executing commands he did not intend to. > > 5. ... and much more ... > >> >>> From the POC it seems that somehow the attacker has to gain physical >>> access to the system or do some social engineering attack to fool the >>> user in installing or modifying his existing plugins. The PoC does not >>> explain how this is done. >> >> To you know the download and execute payload for exploits? Make an >> application that changes the files, then use that payload in some >> exploit. People just want everything done. Just click, download, use, >> and call them self l33ts . >> > > How is it any different from the attack scenarios I have explained in > case of vim, emacs, KDE, GNome, Linux shell, etc.? > >> Maybe this is nothing new, but I think that the way to do it is new. >> Because you don't install anything, and the point to be proven here is >> that Firefox add-on system is security flawed from the very beginning. > > So, are you saying vim, emacs and the plugin system of every other > software on the earth is security flawed from the very beginning? >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
