On Tue, 21 Dec 2004 14:59:15 EST, "David F. Skoll" said:

> Could you have? How, pray tell, would you compromise a machine with
> the NASM exploit? Even if you have a local account, the NASM exploit
> lets you run arbitrary code as... yourself. Big deal.

Do you audit every line of code you receive from the network? Even for a package the size of Apache or the X11 distribution?

And you miss the point - if *I* can hand you a trojaned program that will run arbitrary code as "yourself" *when I don't have a userid on your system*, I have a toehold on your system. Remember that "I get you to run arbitrary code as yourself" is the *primary* way that spyware and zombie software get onto people's systems. So it's not an academic moot point.

Having said that, running 'more' on the foo.S file will almost certainly show up the exploit as an oddly formatted line. What is *much* more likely to actually work is.. Hmm.. thinking for a moment.. Yeah.. ship software with "optional MMX for speed" support, and have the package's Makefile invoke gcc. gcc will invoke the C preprocessor on the assembler source, allowing for all sorts of #ifdef and #define magic to make the code look like one thing but do another. Probably take a *lot* longer for people to twig onto what was going on than the Trojan that showed up in the Sendmail distrib and a number of other things a while back - the ./configure script would compile-and-run a backdoor-shell program.

All the same, getting *any* program to execute arbitrary code other than what the programmer intended is a *vulnerability*. The fact that some social engineering is required to actually *exploit* the hole doesn't change the fact that there's still a hole. If I dig a deep hole, with lots of pointy poisoned sticks at the bottom, and cleverly concealed with netting, there's *still* a hole there even if I fail to convince you to take a stroll with me down this trail, and oh would you mind going first, there's a narrow spot here.....
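The two review checks the message above implies (an "oddly formatted line" that `more` would reveal, and `#define`/`#ifdef` tricks in preprocessed `.S` assembler) can be turned into a small source lint. The script below is an added example written for this thread, not code from the original post or from NASM; the `fast_copy.S` sample it scans is constructed for illustration, and the mnemonic list and 200-character line limit are assumptions a reviewer would tune for their own tree.

```python
"""Lint a gcc-preprocessed assembler source (.S) before building it.

Flags the three things a reviewer reading the source with `more` might miss:
  * overlong lines or control characters (where an input-handling bug in an
    assembler would be triggered),
  * `#define` directives that redefine an instruction mnemonic, so the text
    the reader sees is not the text the assembler receives,
  * the macros that gate `#ifdef` blocks, so the reviewer knows which
    configurations actually have to be expanded and read.
"""
import re
from typing import List, Set, Tuple

# Constructed sample (not a real package): an "optional MMX" copy routine
# whose `ret` is silently rewritten by the preprocessor, plus one junk line.
SAMPLE_S = """\
/* fast_copy.S - "optional MMX" block copy (constructed sample) */
#include "config.h"
#ifdef HAVE_MMX
#define MMX_PROLOGUE emms
#else
#define MMX_PROLOGUE
#endif
#define ret jmp 1f
        .globl fast_copy
fast_copy:
        MMX_PROLOGUE
        rep movsb
        ret
1:      call setup_helper
        ret
        .section .note.x\x01\x02""" + "A" * 600 + "\n"

# Assumed list of mnemonics worth guarding; extend for the target architecture.
MNEMONICS: Set[str] = {
    "mov", "movl", "movq", "lea", "push", "pop", "call", "jmp", "ret",
    "int", "syscall", "nop", "rep", "movsb", "emms",
}
MAX_LINE = 200  # assumed threshold; hand-written assembler rarely comes close

_DEFINE_RE = re.compile(r"\s*#\s*define\s+([A-Za-z_]\w*)")
_IFDEF_RE = re.compile(r"\s*#\s*(?:ifdef|ifndef)\s+([A-Za-z_]\w*)")
_DEFINED_RE = re.compile(r"defined\s*\(?\s*([A-Za-z_]\w*)")


def lint_asm_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs for a .S source text."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_LINE:
            findings.append((lineno, f"overlong line ({len(line)} chars)"))
        if any(ord(c) < 32 and c != "\t" for c in line):
            findings.append((lineno, "non-printable control characters"))
        m = _DEFINE_RE.match(line)
        if m and m.group(1).lower() in MNEMONICS:
            findings.append(
                (lineno, f"#define redefines instruction mnemonic '{m.group(1)}'")
            )
    return findings


def gating_macros(text: str) -> Set[str]:
    """Collect macro names that select code paths via #ifdef/#ifndef/#if defined()."""
    macros: Set[str] = set()
    for line in text.splitlines():
        m = _IFDEF_RE.match(line)
        if m:
            macros.add(m.group(1))
        if re.match(r"\s*#\s*(?:if|elif)\b", line):
            macros.update(_DEFINED_RE.findall(line))
    return macros


if __name__ == "__main__":
    for lineno, msg in lint_asm_source(SAMPLE_S):
        print(f"fast_copy.S:{lineno}: {msg}")
    print("build configurations to expand and review:", sorted(gating_macros(SAMPLE_S)))
```

On the sample this reports the `#define ret jmp 1f` on line 8 and the overlong, control-character line 16, and lists `HAVE_MMX` as the one macro whose both settings need to be read. The lint is only a first pass: gcc runs the preprocessor on `.S` (capital S) sources but not on `.s`, so the check applies to the former, and the authoritative view is still the expanded output of `gcc -E` on each such file, read once per gating macro.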