Re: [PATCH] Remove absolute paths from gpg.rc



Derek Martin wrote:
> On Fri, Mar 16, 2007 at 12:40:27AM +0000, Paul Walker wrote:
>>> setting, and I also don't think that any person interested in security
>>> should run with garbage in $PATH. I would also guess that it's just as
>> That's fine, and I would agree, but the person you're dealing with should be
>> assumed to be a normal user, not "any person interested in security".
> 
> I agree.
> 
>>> easy to modify a person's .muttrc as to put a trojan gpg somewhere in
>>> their PATH.
>> If you can modify someone's personal files, the game's already over.
> 
[--snip--]
> 
> If the attacker is merely able to upload an arbitrary file, this is by
> far the best route to go.  He'll have to make guesses about the best
> place to put his trojans, but as I just pointed out, that isn't
> necessarily hard.  By contrast, if he's only able to upload files, but
> not able to examine the existing contents of files, then replacing
> someone's muttrc will almost certainly be noticed, by virtue of Mutt's
> almost mandatory customization.  It's nearly certain that something
> about the config will be changed, and very likely something the user
> will notice with very little effort.

Uhm, am I missing something, or is "uploading", say, ~/.muttrc with
contents

    mailboxes `rm -rf /ha/ha/you/die`

not game over?

Point being: If your configuration file format allows execution of
arbitrary commands you are exactly as screwed by "can create/overwrite
arbitrary files" exploits as "can execute arbitrary content" exploits.

Cheers,

-- 
Bardur Arantsson
<bardurREMOVE@xxxxxxxxxxxxxxxxxxx>

I haven't slept for ten days... because that would be too long.
                                                    Mitch Hedberg
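
An added example, not part of the original message and not Mutt's own code: a small Python audit that flags the muttrc constructs discussed in this thread, namely backtick command substitution, `source` of a piped command, and `pgp_*_command` settings that name their program without an absolute path. It assumes one directive per line (no backslash continuations) and conservatively flags any backticks outside comment lines; the function name, finding labels and sample config are constructed for illustration.

```python
import re

# Constructed sample config for illustration; not taken from the thread or the patch.
SAMPLE_MUTTRC = """\
# a comment mentioning `backticks` is ignored
set pgp_decode_command="gpg --no-verbose --batch --output - %f"
set pgp_verify_command="/usr/bin/gpg --no-verbose --batch --verify %s %f"
mailboxes `echo $HOME/Mail/inbox`
source "~/bin/gen-aliases.sh|"
set editor="vim"
"""

BACKTICK = re.compile(r"`[^`]*`")
SOURCE = re.compile(r"^source\s+(.+)$")
PGP_CMD = re.compile(r"^set\s+(pgp_\w+_command)\s*=\s*(.+)$")


def audit_muttrc(text):
    """Return (line_number, kind) for each construct that runs a program."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Backticks: Mutt substitutes the command's output while parsing.
        if BACKTICK.search(line):
            findings.append((lineno, "backtick-exec"))
        # source with a trailing "|": the file name is run as a command.
        m = SOURCE.match(line)
        if m and m.group(1).strip("\"'").endswith("|"):
            findings.append((lineno, "source-pipe"))
        # pgp_*_command whose program is a bare name, so it is found via $PATH.
        m = PGP_CMD.match(line)
        if m:
            words = m.group(2).strip().strip("\"'").split()
            if words and not words[0].startswith("/"):
                findings.append((lineno, "path-lookup"))
    return findings


if __name__ == "__main__":
    for lineno, kind in audit_muttrc(SAMPLE_MUTTRC):
        print(f"line {lineno}: {kind}")
```

Running it against a known-good copy of a config and again against the live file gives a quick diff of which lines gained the ability to execute something.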