"pelzflorian (Florian Pelz)" <pelzflor...@pelzflorian.de> skribis:

> On 02/12/2017 06:01 PM, Hartmut Goebel wrote:
>> On 12.02.2017 at 15:37, David Craven wrote:
>>> I think that it is a minor issue at best, since anything that isn't
>>> accessible over the network or running with any sort of privileges
>>> is not very useful.
>>
>> I strongly disagree!
>>
>> Every piece of software available on the system may the intruder. The
>> server may not be running so it can not be attacked in the first place.
>> But if an intruder gains (unprivileged) access to the system, he might
>> be able to start that server software. Then he might use it for
>> privilege escalation (if the server software is vulnerable), as a
>> back-channel or for attacking further systems.
>>
>
> An attacker with enough privileges to run Murmur has enough privileges
> to install Murmur anyway (perhaps but not necessarily by using Guix).

Definitely. And they might just as well run software that’s more useful
for their purposes, like a botnet server. :-)

Ludo’.