Re: avahi-daemon

To: debian-security@lists.debian.org
Subject: Re: avahi-daemon
From: aliban <aliban@gmx.net>
Date: Wed, 22 Feb 2006 17:05:58 +0100
Message-id: <[🔎] 43FC8BE6.5040902@gmx.net>
In-reply-to: <[🔎] 20060222143022.GE17249@bee.dooz.org>
References: <[🔎] 43FC4A6C.9010801@gmx.net> <[🔎] 98a18b470602220411n4704cacg61cab8cae197e504@mail.gmail.com> <[🔎] 43FC60FC.7080001@gmx.net> <[🔎] 20060222143022.GE17249@bee.dooz.org>

Loïc Minier schrieb:


>>On Wed, Feb 22, 2006, aliban wrote:
>>  
>>
>  
>
>>>>In this case you are doing the same mistakes Microsoft did with Windows
>>>>all the time:
>>>>    
>>>>
>>>>default installation comes with a 'strange' service (that nobody needs,
>>>>therefore nobody knows) sitting somewhere around and listening on ALL
>>>>interfaces. This is the reason why all these worms, i.e. MS Myblast,
>>>>owned all the systems. And this is paranoid?
>>>>    
>>>>
>>    
>>
>> Most Windows virii propagate via email, and I'm not sure Evolution is
>> way safer than Outlook, still it is the recommended mail client under
>> GNOME, it doesn't listen on any interface, but is quite probably a
>> major security hole.  You're free not to use it, not shipping it would
>> leave us without a high-level calendar + tasks + mail + schedule +
>> meetings + groupware application.
>>  
>>
>  
>
That's true, most virii propagate via email. I was talking about a worm that
can spread without user-interaction in example the MS Blaster (sorry,
not MyBlast):

"W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability"

The difference between security holes in webbrowsers/email clients and
something like the DCOM RPC vulnerability is that webbrowsers and email
clients must be ACTIVLY used while a listening *something* needs no user
interaction and is PASSIVE.

The result is:
- With a vulnerable webbrowser you must surf the wrong webpage.
- With an vulnerable email client you must have a mainstream email
client to get infected with high probability, otherwise an email worm
wont spread  enough. (In example Outlook) In additional most email virii
need a user "that will click clickme.exe"
- With a passive vulnerable listening application (that is installed to
listen to the internet by default) you must just wait for the ... bad day.

While the email worm needs new email addresses to find new victims a
worm exploiting a vulnerable listening service just has to ping randomly
IPs... MS Blaster infected many million system within seconds...


>>  
>>
>  
>
>>>>I suggest the pkg promts with something like "xyz is a service that does blah blah,
>>>>... For most users this service should bind only to a local area network
>>>>and not to the internet. (If you need this service at all) Do you want
>>>>to bind to all interface?" - with no as default!
>>>>    
>>>>
>>    
>>
>>
>> In the case of a discovery daemon, this is useless.
>>
>>   Cheers,
>>
>>  
>>
>  
>
Not really; in example would you want to bind netbios/samba to internet?

If I would write worms my perfered exploits would be remote exploits
that does not depend on user interaction in any way.

regards.

Reply to:

Follow-Ups:
- Re: avahi-daemon
  - From: Rick Moen <rick@linuxmafia.com>

References:
- avahi-daemon
  - From: aliban <aliban@gmx.net>
- Re: avahi-daemon
  - From: "Daniel Givens" <daniel@rugmonster.org>
- Re: avahi-daemon
  - From: aliban <aliban@gmx.net>
- Re: avahi-daemon
  - From: Loïc Minier <lool+debian@via.ecp.fr>

Prev by Date: Re: avahi-daemon
Next by Date: Re: avahi-daemon
Previous by thread: Re: avahi-daemon
Next by thread: Re: avahi-daemon
Index(es):
- Date
- Thread