Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-20 Thread David Schmitt
On Wednesday 19 January 2005 04:45, David Mandelberg wrote:
 Attached.

 Save to your GNOME/KDE desktop (like many newbies do) and double click the
 new icon. .desktop files (currently) don't need the x bit set to work, so
 no chmod'ing is necessary.

Hmm, attached is a screenshot of how every MUA should handle this.

With this display, no attachment could ever fake its way into naive[1] users'
brains.



Regards, David


[1] naive != stupid
attachment: kmail.png

Re: .desktop arbitrary program execution

2005-01-19 Thread David Mandelberg
Rick Moen wrote:
 Quoting David Mandelberg ([EMAIL PROTECTED]):

  Attached.

  Save to your GNOME/KDE desktop (like many newbies do) and double click
  the new icon. .desktop files (currently) don't need the x bit set to
  work, so no chmod'ing is necessary.

 I'm sorry, but the question was:

 Please advise this mailing list of which specific Linux or BSD MUA (or
 specific configuration thereof) is willing to execute a received
 binary or script attachment.  I'll be very interested to read your specific
 report that details an actual, reproducible test.

 You appear to have answered some question I didn't ask.

You also asked a question about something I didn't say (I said that the person
had to open it).

-- 
-BEGIN GEEK CODE BLOCK-
Version: 3.1
GAT/CM$/CS$/CC/IT$/M/S/O/U dpu s+:++ !a C++$C+++$
UB+++$L$*-- P+++$ L+++()$ E-(---) W+++$ N(+) o? K-
w--(---) O? M V? PS++@ PE-@ Y+@ PGP++(+++)$ t? 5? X? R tv--(-)
b++(+++)@ DI? D? G e- h* r? z*
--END GEEK CODE BLOCK--

David Mandelberg
[EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: .desktop arbitrary program execution

2005-01-19 Thread Florian Weimer
* Rick Moen:

 Please advise this mailing list of which specific Linux or BSD MUA (or
 specific configuration thereof) is willing to execute a received
 binary or script attachment.

mutt and Gnus are, in typical configurations.  Most distributions
kindly add all these helpful mailcap entries.





Re: .desktop arbitrary program execution

2005-01-19 Thread Vincent Hanquez
On Wed, Jan 19, 2005 at 12:49:57PM +0100, Florian Weimer wrote:
 * Rick Moen:
 
  Please advise this mailing list of which specific Linux or BSD MUA (or
  specific configuration thereof) is willing to execute a received
  binary or script attachment.
 
 mutt and Gnus are, in typical configurations.  Most distributions
 kindly add all these helpful mailcap entries.

my mailcap file (made by Debian installation) doesn't have any of these
capabilities. Cannot verify for other distributions but that's a Debian
list here anyway ...

-- 
Vincent Hanquez





Re: .desktop arbitrary program execution

2005-01-19 Thread Florent Rougon
Florian Weimer [EMAIL PROTECTED] wrote:

 mutt and Gnus are, in typical configurations.  Most distributions
 kindly add all these helpful mailcap entries.

Could you point out a mailcap entry that causes the file to be
*executed*?

Because running gqview $file.jpg is very different from running
$file.jpg and you would do it (with the viewer of your choice) just
the same but by hand, with less helpful MUAs.

Just curious.

-- 
Florent





Re: .desktop arbitrary program execution

2005-01-19 Thread Florian Weimer
* Florent Rougon:

 Florian Weimer [EMAIL PROTECTED] wrote:

 mutt and Gnus are, in typical configurations.  Most distributions
 kindly add all these helpful mailcap entries.

 Could you point out a mailcap entry that causes the file to be
 *executed*?

For complex file formats, there is no clear distinction between
opening a file and executing it.





Re: .desktop arbitrary program execution

2005-01-19 Thread Michael Stone
On Wed, Jan 19, 2005 at 04:29:46PM +0100, Florian Weimer wrote:
 For complex file formats, there is no clear distinction between
 opening a file and executing it.

Sure there is. For some filetypes execution is an intended effect; that
is, you expect arbitrary code to run. For other filetypes there's an
unexpected side effect that allows arbitrary code to run. In the second
case there's a bug that can be fixed. In the first case you just don't
execute the file if it's from an untrusted source.
Mike Stone


Re: .desktop arbitrary program execution

2005-01-19 Thread Rick Moen
Quoting Florian Weimer ([EMAIL PROTECTED]):

 mutt and Gnus are, in typical configurations.  Most distributions
 kindly add all these helpful mailcap entries.

Perhaps you need assistance comprehending the word specific (used
twice in my question)?  I await with interest your achieving that
rarefied state.





Re: .desktop arbitrary program execution

2005-01-19 Thread David Mandelberg
Rick Moen wrote:
 Quoting David Mandelberg ([EMAIL PROTECTED]):

  You also asked a question about something I didn't say (I said that
  the person had to open it).

 Actually, no, you didn't.  (Presumably you intended to, though.)

 Your question spoke of opening a particularly-named attachment:  You
 left unstated who or what was supposed to be doing the opening.  Since
 this was in the context of MUAs, I inferred that you meant the MUA doing
 it -- that being a standard application-security problem.

 Specifically, you said:

  Do you mean to say that opening message.txt\t\t\t.desktop which
  happens to be a freedesktop.org compliant launcher for the program rm
  -rf $HOME is safe because it's designed for people running one of the
  F/OSS products GNOME or KDE on a F/OSS OS?

 Since (it turns out) you meant people _manually_ shooting themselves in
 the foot, that is indeed a different scenario from what I thought you
 meant.

 So, I'm sorry for inadvertently stepping on your scenario, but it was an
 honest and straightforward interpretation of what you said.
 
 
Ok, I guess I should be more clear with my use of language next time, sorry.

-- 
David Mandelberg
[EMAIL PROTECTED]





Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-18 Thread David Mandelberg
Rick Moen wrote:
 Quoting David Mandelberg ([EMAIL PROTECTED]):

  Do you mean to say that opening message.txt\t\t\t.desktop which
  happens to be a freedesktop.org compliant launcher for the program rm
  -rf $HOME is safe because it's designed for people running one of the
  F/OSS products GNOME or KDE on a F/OSS OS?

 Please advise this mailing list of which specific Linux or BSD MUA (or
 specific configuration thereof) is willing to execute a received binary
 or script attachment.  I'll be very interested to read your specific report
 that details an actual, reproducible test.

Attached.

Save to your GNOME/KDE desktop (like many newbies do) and double click the new
icon. .desktop files (currently) don't need the x bit set to work, so no
chmod'ing is necessary.

This one is pretty harmless (it just echoes rm -rf $HOME and pauses), but if it
had Terminal=false, had the OOo writer icon, a title of something.sxw and
actually rm -rf'd $HOME, it would look like a broken OOo document while cleaning
some poor newbie's $HOME.

-- 
David Mandelberg
[EMAIL PROTECTED]


message.txt .desktop
Description: application/desktop
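The disguise described in the message above has a small number of observable traits: whitespace padded in front of the real .desktop extension, a filename or Name that reads like a document, Terminal=false so nothing is shown when it runs, and no executable bit. A mail gateway, a quarantine script or a desktop-side checker can flag exactly those traits. The following Python script is an added example written for this thread; it is not code from any of the messages, from GNOME/KDE or from any MUA. The two .desktop bodies, the DOCUMENT_SUFFIXES list and the placeholder Exec line are constructed for illustration.

```python
import os
import re
import stat

# Constructed samples (not the attachment from the thread). SAMPLE_DESKTOP has
# the shape discussed: a launcher whose name and icon pretend to be a text
# document. The Exec line is a harmless placeholder command.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=message.txt
Name[de]=message.txt
Exec=echo placeholder-command
Icon=text-x-generic
Terminal=false
"""

# An ordinary launcher: must not be flagged.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %f
Icon=accessories-text-editor
Terminal=false
"""

# Extensions a user would read as "a document, safe to open" (constructed list).
DOCUMENT_SUFFIXES = (".txt", ".sxw", ".odt", ".doc", ".pdf", ".jpg", ".png")


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group.

    Minimal parser for this check: it skips comments and other groups and
    strips locale suffixes such as Name[de]. It is not a full
    freedesktop.org Desktop Entry implementation.
    """
    entries = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = (line == "[Desktop Entry]")
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\[[^\]]*\]$", "", key.strip())
            entries.setdefault(key, value.strip())  # unlocalised key wins
    return entries


def assess_desktop_file(filename, text, mode=None):
    """Return a list of warning strings for one .desktop file.

    filename is the name as the user would see it, text its contents and
    mode the st_mode from the filesystem (None when unknown).
    """
    warnings = []
    base = os.path.basename(filename)
    stem = base[:-len(".desktop")] if base.lower().endswith(".desktop") else base

    # Padding before the real extension pushes ".desktop" out of view in
    # file managers and attachment lists.
    if stem != stem.rstrip():
        warnings.append("whitespace before the .desktop extension hides the real type")

    # The filename or the displayed Name claims to be a document.
    entries = parse_desktop_entry(text)
    for label, value in (("filename", stem.rstrip()), ("Name", entries.get("Name", ""))):
        if value.lower().endswith(DOCUMENT_SUFFIXES):
            warnings.append(f"{label} {value!r} looks like a document but the file is a launcher")

    # Only a disguised launcher is worth the remaining, noisier checks;
    # every ordinary application launcher has Exec and Terminal=false.
    if warnings and "Exec" in entries:
        if entries.get("Terminal", "false").lower() == "false":
            warnings.append("Exec runs without a terminal, so the user sees no output")
        if mode is not None and not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            warnings.append("no executable bit, yet a desktop that ignores the x bit will still run Exec")
    return warnings


def assess_path(path):
    """Read a .desktop file from disk and assess it with its real mode bits."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return assess_desktop_file(path, text, os.stat(path).st_mode)


if __name__ == "__main__":
    for w in assess_desktop_file("message.txt\t\t\t.desktop", SAMPLE_DESKTOP, mode=0o644):
        print("WARNING:", w)
```

The Terminal and x-bit checks are deliberately gated on an earlier disguise finding, because on their own they describe every legitimate launcher on a GNOME or KDE desktop and would drown the signal. Run against a directory of saved attachments with assess_path, the script gives a MUA or file manager the same information the thread asks every MUA to display: that the thing called message.txt is a program launcher.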


Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-18 Thread Rick Moen
Quoting David Mandelberg ([EMAIL PROTECTED]):

 Attached.
 
 Save to your GNOME/KDE desktop (like many newbies do) and double click
 the new icon. .desktop files (currently) don't need the x bit set to
 work, so no chmod'ing is necessary.

I'm sorry, but the question was: 

Please advise this mailing list of which specific Linux or BSD MUA (or
specific configuration thereof) is willing to execute a received
binary or script attachment.  I'll be very interested to read your specific
report that details an actual, reproducible test.

You appear to have answered some question I didn't ask.





Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-18 Thread Alvin Oga

On Tue, 18 Jan 2005, David Mandelberg wrote:

 Save to your GNOME/KDE desktop (like many newbies do) and double click the
 new icon. .desktop files (currently) don't need the x bit set to work, so no
 chmod'ing is necessary.

that'd be dumb of the user

 This one is pretty harmless (it just echoes rm -rf $HOME and pauses), but if
 it had Terminal=false, had the OOo writer icon, a title of something.sxw and
 actually rm -rf'd $HOME, it would look like a broken OOo document while
 cleaning some poor newbie's $HOME.

that'd be even dumber of the user ..

and it is a known problem from 15-20 years ago ..

- don't click or execute commands you do not know
  what it will be doing

- even simple things like ls, tar, cat can be renamed ( cracked )
  to something more painful

- it's not a security issue ... and is unsolvable, not preventable
  if you click on things or execute commands manually

- the super paranoid might be using encrypted fs with
  md5 of their commands before executing cat foo

c ya
alvin


