
Re: unix and email viruses



On 03/03/2008, Andrew Sackville-West <andrew@farwestbilliards.com> wrote:
> On Sun, Mar 02, 2008 at 04:32:26PM -0800, David Fox wrote:
>  > On 3/2/08, Andrew Sackville-West <andrew@farwestbilliards.com> wrote:
>  >
>  > > The potential hole I see in mutt is not actually a hole in mutt but in
>  > > various helpers used by mutt users. For example, many of us use w3m or
>  > > links or some other text browser to dump html messages to plain text
>  >
>  > For that to work, various helper apps would have to be run as root or
>  > with root privileges. Normally I would not suspect a pic or other
>  > 'data' to try and be executable anyway.
>
>
> The exploit would have to be one that gets root privileges through
>  escalation... I seem to recall that there had been some compromises in
>  some image formats that may have escalated privileges, but I don't
>  really know.

There was a very popular, long-unpatched image exploit for Windows:
http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability

>  sql injections are 'data' trying to be executable, aren't they? I know
>  that generally folks aren't trying to "open" sql "attachments"
>  (whatever the hell that might mean) from mutt...

No, SQL injection is 'data' trying to run unauthorized queries on the database:
http://what-is-what.com/what_is/sql_injection.html

>  Anyway, that's the whole point of an exploit -- providing some
>  _thing_, data or code, that causes a privilege escalation. It doesn't
>  have to be a helper running as root, just a helper that can be
>  exploited in some manner to get a root escalation. At least that's
>  what I understand.

There are some JavaScript exploits (XSS attacks) that could
potentially run in a JavaScript-enabled text browser or screen reader.
Just because one uses Linux, or console tools, does not mean that one
is not vulnerable. But reading email in Mutt, without calling external
apps, I cannot think of an exploit vector. Famous last words.

Note that mutt is uncommon enough that it may not be feasible for an
attacker to even target it today. Security through obscurity, if you
will.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
