On 12/20/04 1:03 PM, "Crispin Cowan" <[EMAIL PROTECTED]> wrote:

>> If they exploited notepad.exe when they activated would we announce a "remote
>> exploit" on notepad.exe? They exploit a buffer overflow in local software,
>> but they require action by the user before they can activate.
>>
> The difference between a local and a remote exploit, in this context, is that
> a local exploit requires overt action on the part of the user, e.g. take these
> 7 steps to perform the local exploit. A remote exploit can include malicious
> content that you can e-mail to a naive user and reasonably expect them to do
> what is required to perform the exploit, such as "click on the attachment".
Then reconsider whether rtf2latex or abc2midi are really "remote exploits." I think it is safe to say that no one will have their email program or web browser set up to run 'abc2midi' as the default option when they click an ABC file (even though they could). Is this really remotely exploitable? It requires the user to save the file to a disk and run a special command on it.

I feel like your explanation backs out to a debate about what lengths we can "reasonably expect" someone to go to infect themselves. If clicking on an attachment and typing a password qualifies (which I think most of us will accept as reasonable), does "save this file to disk and run this command on it" also qualify?

Maybe it's just me, but I don't think filter programs like these x2y programs (he cited "abc2midi" and "rtf2latex2e" among others) qualify. There's no way someone will have their web or mail software set up to run these converters as the default action. Most systems won't even have the vulnerable programs installed by default. The user has to save the hostile payload to a file and has to type the command. They also have to type the command with a modicum of correct syntax (perhaps not 100% correct, but at least enough to get past the basic usage() check). Thus, they have to follow some instructions from their attacker on how to get the software to run.

Even if we're debating reasonableness, I still disagree that these are so easy you can just take it for granted that someone will have the software, will save the file, and will execute the command with the vulnerable syntax. If the user receives a file from an untrusted source, and follows a script of commands (even though it may only be 2 or 3), I call this a social engineering attack, not a remote exploit. The "ease" of exploit here doesn't come anywhere near the ease of exploiting, say, xmms or some other software that is highly likely to be the default application for a given content-type.
Paco

--
Paco Hope, CISSP
Senior Software Security Consultant
Cigital, Inc. http://www.cigital.com/
[EMAIL PROTECTED] -- +1.703.585.7868
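The distinction Paco draws turns on one practical question: is the vulnerable program wired up as the default handler for a content type (as xmms might be for audio), or does the user have to save the file and type a command by hand (as with abc2midi)? The script below is an added example, not from the thread or from any of the tools named in it. It parses a mailcap table in the RFC 1524 "type/subtype; command; flag=value" form (a simplified parser: wildcard subtypes and backslash-escaped semicolons are handled, `%`-escape expansion and multi-line continuations are not) and reports, for a given MIME type, which program a mail client would launch automatically, and inverts the table so a defender can check whether any converter of interest is reachable that way. The mailcap content is a constructed sample, not a real system file; the MIME type `text/vnd.abc` is used only as a stand-in for ABC notation.

```python
"""Audit which local programs a mail client would launch per content type.

Added example (not from the thread). Parses a subset of the RFC 1524 mailcap
format and answers: for content type X, is a program opened automatically,
or must the user save the file and run a tool by hand?
"""
import re
from dataclasses import dataclass, field

# Constructed sample mailcap; not a real system file and not from the thread.
SAMPLE_MAILCAP = """\
# audio players wired as default handlers
audio/x-mp3; xmms %s
audio/mpeg; xmms %s; test=test -n "$DISPLAY"
image/*; display %s
application/pdf; xpdf '%s'; needsterminal
text/plain; less %s; copiousoutput
"""


@dataclass
class MailcapEntry:
    mime_type: str                      # "type/subtype" or "type/*", lower-cased
    command: str                        # shell template; %s is the saved file
    flags: dict = field(default_factory=dict)

    @property
    def program(self) -> str:
        # The program is the first whitespace-separated token of the command.
        return self.command.split()[0].strip("'\"")


def parse_mailcap(text: str) -> list:
    """Parse mailcap lines into entries, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # RFC 1524 allows "\;" inside a field, so split only on unescaped ';'.
        fields = [f.replace("\\;", ";").strip() for f in re.split(r"(?<!\\);", line)]
        if len(fields) < 2 or "/" not in fields[0]:
            continue                    # malformed line: no type or no command
        flags = {}
        for f in fields[2:]:
            if not f:
                continue
            key, _, value = f.partition("=")
            flags[key.strip()] = value.strip() if value else True
        entries.append(MailcapEntry(fields[0].lower(), fields[1], flags))
    return entries


def _matches(pattern: str, mime_type: str) -> bool:
    """Exact match, or a 'type/*' wildcard matching the major type."""
    if pattern == mime_type:
        return True
    if pattern.endswith("/*"):
        return mime_type.split("/", 1)[0] == pattern[:-2]
    return False


def default_handler(entries, mime_type: str):
    """First matching entry wins, which is how mailcap lookup is ordered."""
    mime_type = mime_type.lower()
    for entry in entries:
        if _matches(entry.mime_type, mime_type):
            return entry
    return None


def handlers_by_program(entries) -> dict:
    """Invert the table: program -> list of content types that launch it."""
    by_program = {}
    for entry in entries:
        by_program.setdefault(entry.program, []).append(entry.mime_type)
    return by_program


def reachability(entries, mime_type: str) -> str:
    """'auto:<program>' if a click would launch it, else 'no handler'."""
    entry = default_handler(entries, mime_type)
    if entry is None:
        return "no handler"
    return "auto:" + entry.program


if __name__ == "__main__":
    table = parse_mailcap(SAMPLE_MAILCAP)
    for mt in ("audio/x-mp3", "image/png", "text/vnd.abc"):
        print(f"{mt:<16} {reachability(table, mt)}")
    for prog, types in handlers_by_program(table).items():
        print(f"{prog:<10} handles {', '.join(types)}")
```

On a real system the inputs would be `~/.mailcap` and `/etc/mailcap` (or the desktop's MIME database); the sample shows xmms registered for audio types while nothing is registered for ABC files, which is the exposure difference the message is arguing about.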