[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apache security issue (with upstream new release)

On Sat, Nov 01, 2003 at 11:03:16AM +0100, roman@rs-labs.com wrote:
> > For example, people sometimes file bugs about buffer overflows in
> > "simple" programs (which run with no privileges and do not act on any
> > untrusted input) just because they are buffer overflows, a type of bug
> > which is associated with many security exposures.  While these are
> > bugs, no privileges can be gained from them, so they do not represent a
> > security exposure.
> I also agree with that. But this is not clearly the case. Some typical
> scenario are buffer overflows in games (clients, not servers) and other
> client apps (although depending of the particular cases could also be
> abused/exploited).

I tend to disagree, I'm afraid.  The presence of remotely
exploitable bugs in user applications (be it a client of some
networked game, or a PDF viewer) impose a great risk on the user,
i.e. not on the system (which protects its integrity), but the
user who is actually running the program.  For the sake of
assurance, just imagine how an accidentally executed `rm -rf /'
on behalf of your desktop uid would affect the rest of the day for you..

> I stated this is not the case because:- Apache Httpd is a very spreaded software on Internet.
> - It is a server so it could be remotely attacked and it's the perfect
> door for any hacker.- The bug discovered could be used to obtain root remotely (well, the
Perhaps, in the co-existance of a bug in a suid root binary
(let's say traceroute.  Anyone?)


1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989      
finger://borso@vekoll.vein.hu | Some days, my soul's confined
http://www.keyserver.net | And out of mind
Sleep forever

Reply to: