Re: How to report Mutt security issues?



On Thu, Jul 14, 2005 at 10:48:55AM -0600, Charles Cazabon wrote:
> Derek Martin <invalid@xxxxxxxxxxxxxx> wrote:
> > While I have doubts that "remotely exploitable" is being used fairly here,
> 
> I'm not sure what you meant by this.  It's entirely possible that a
> bug in mutt code (buffer overflow, etc) would allow an attacker to
> craft a message to exploit that bug and run a payload as you when
> you view that message.  If that payload is `sh -c 'rm -rf $HOME'` or
> equivalent, I think you'd call that a "remotely exploitable"
> security problem.

No, I wouldn't.  It's no more "remotely exploitable" than if I handed
you a disk, said, "run the program on this," and you did -- resulting
in the destruction of your hard drive.

The attack you describe is a passive attack, triggered by you viewing
the message (or its headers).  It is not a remote exploit; the attack
occurs once the data is already on the local system, and is triggered
by the user.  That's not a remote exploit, because nothing I can do
sitting at my computer will trigger the exploit on yours...  It is
only triggered once you do something, on the local machine.  It is a
local exploit, which just happens to have been delivered to you over a
network.  I could send you the same message from the console of the
same computer...  Is it a remote attack then?  The payload never
existed anywhere other than the local machine.

Your example was precisely what I was talking about.  If you want to
stick to your definition of remote exploit, then every compromise is a
remote exploit, because the data which results in the compromise
always originates somewhere other than on the system... even if it is
in the mind of an attacker who is typing it in at the system console.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.
