Dear Fyodor,
NMAP is detected by Snort and othr IDS, is not possible to have fool proof ~j. On 9/11/10, Fyodor <fyo...@insecure.org> wrote: > > On Fri, Sep 10, 2010 at 02:08:14PM -0400, Dan Kaminsky wrote: > > > > Frankly, I think we can find better bugs. I think we'd better. Just > > like bad money drives out good money, bad bugs drive out good bugs. > > The credibility of advisories, and even the usefulness of FD, is > > somewhat at risk. > > Hi Dan. You make good points, like usual. I just want to comment on > one aspect: > > > So we're on the cusp of some huge portion of advisories coming from > > the security community being little more than "random Windows app > > runs DLLs from CWD". > > Another problem with this is that it is the way Windows was > intentionally designed and documented to operate :/. Apps like Nmap > don't know where (for example) Winpcap's DLLs are installed on a given > system, so we rely on the operating system to locate and load them > securely. Most operating systems do this properly, and it isn't very > hard. You just need a library search path which only contains system > directories that potential attackers can't write to. > > Microsoft, on the other hand, intentionally decided to include the > current working directory in that search path. Up until XP SP2, they > even gave DLLs in CWD priority over those in system directories! Then > MS introduced "SafeDllSearchMode", which is now enabled by default. > This SHOULD HAVE removed CWD from the library search path entirely, > but instead Microsoft just shifted the search order around so that CWD > is searched later :(. > > Now Microsoft has added a new hack, calling SetDllDirectory() with the > empty string, which actually DOES remove CWD from the search path if > you are running a recent enough version of Windows. But many/most > apps won't even know to call that. The search path should be secure > by default (especially when things like "SafeDllSearchMode" are set), > and apps or users should have to add CWD themselves if they really > want it included. > > So rather than have advisories for every application which honors the > default Windows DLL search path, I hope someone can convince MS to > make their search path secure by default (remove potentially untrusted > dirs like CWD). Linux/Unix users would have the same vulnerabilities > if they did something dumb like add CWD to their LD_LIBRARY_PATH, but > at least their vendors don't ship it that way! > > And while anyone is bugging MS about the DLL search path, please ask > MS to re-enable raw sockets too :). > > Cheers, > Fyodor > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/