[Full-disclosure] [ GLSA 200612-15 ] McAfee VirusScan: Insecure DT_RPATH

Tavis Ormandy taviso at gentoo.org
Fri Dec 15 01:21:55 GMT 2006


On Thu, Dec 14, 2006 at 06:39:55PM -0600, David_Coffey at McAfee.com wrote:
> Gentoo Security Team,
> 
> This statement seems to contrast greatly with your practice of not following
> a "professional" responsible disclosure process; particularly, posting a
> security issue only 8.5 hours after your initial report was confirmed by
> McAfee and a mere 9 hours after you sent in your initial report.  
> 

David, the issue had already been discussed in public, as we informed
you. There is no point in trying to bury an issue once it has already been
discussed in public; we issued an advisory to ensure that our users were
aware that the issue existed.

> This is not generally considered "responsible" practice.  If you are not
> already aware, there are many responsible disclosure guidelines and
> practices which have been published, like those outlined at
> http://www.oisafety.org/ (we are founding members and adhere to these
> guidelines). 

Not everyone believes these guidelines are in everyone's best interests.

> In another matter, McAfee disagrees with your statement that this is
> a "high" severity issue, as the privilege of the executed code is not
> raised from the privileges of the executing user. In addition to this,
> an attacker would have had to compromise the machine through another
> mechanism in order to place the malicious library on the system.  

Well then you have a fundamental misunderstanding of the issue. Does an
attacker have to compromise your machine to get you to use your virus
scanner on an arbitrary file? No.

Your DT_RPATH tag instructs the dynamic loader to search the working
directory for shared libraries; if you scan an ELF DSO by invoking your
scanner on the file, then executing arbitrary code is trivial. I sent you
a very clear example of this privately, including step-by-step
instructions on how to reproduce it. If you did not understand my
instructions, please contact me off-list and I will explain it in detail.

Thanks, Tavis.

-- 
-------------------------------------
taviso at sdf.lonestar.org | finger me for my pgp key.
-------------------------------------------------------
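Added example, not part of Tavis's mail, the GLSA, or the McAfee product: a small
Python auditor that reads DT_RPATH/DT_RUNPATH out of an ELF64 binary's dynamic
segment and flags the entries ld.so resolves against the current working
directory, which is the condition the reply above describes. An empty element
(leading, trailing or doubled ':') and '.' both mean cwd; any other entry that is
neither absolute nor $ORIGIN-relative is also searched relative to wherever the
victim happens to run the binary. It uses only the standard library and assumes
little-endian ELF64. The image it checks is constructed in the block (a minimal,
non-executable ELF with a hand-built dynamic section), and the library name
libhelper.so.1 and the sample paths in it are made up. On a real system you would
point it at the scanner binaries, or cross-check with
`readelf -d <binary> | grep -E 'RPATH|RUNPATH'`.

```python
import struct

# ELF64 constants from the System V ABI / ELF specification
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 1, 5, 15, 29
TAG_NAMES = {DT_RPATH: "DT_RPATH", DT_RUNPATH: "DT_RUNPATH"}


def _vaddr_to_offset(loads, vaddr):
    """Map a virtual address to a file offset using the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address 0x%x is not backed by any PT_LOAD segment" % vaddr)


def library_search_paths(data):
    """Return {"DT_RPATH": [...], "DT_RUNPATH": [...]} for the tags present in an
    ELF64 little-endian image, each value split on ':' exactly as ld.so does."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    loads, dyn = [], None
    for i in range(e_phnum):
        (p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz,
         _align) = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)
    if dyn is None:
        return {}  # statically linked: the dynamic loader is not involved
    entries, off, end = [], dyn[0], dyn[0] + dyn[1]
    while off + 16 <= end:
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        entries.append((d_tag, d_val))
        off += 16
    wanted = [(t, v) for t, v in entries if t in TAG_NAMES]
    if not wanted:
        return {}
    # DT_STRTAB holds a virtual address; DT_RPATH/DT_RUNPATH values index into it.
    strtab_off = _vaddr_to_offset(loads, next(v for t, v in entries if t == DT_STRTAB))
    result = {}
    for t, v in wanted:
        start = strtab_off + v
        result[TAG_NAMES[t]] = data[start:data.index(b"\0", start)].decode().split(":")
    return result


def insecure_entries(paths):
    """Entries the loader resolves against the current working directory:
    '' and '.' are cwd outright; any other non-absolute, non-$ORIGIN entry is
    searched relative to cwd as well."""
    return [e for e in paths
            if not (e.startswith("/") or e.startswith("$ORIGIN") or e.startswith("${ORIGIN}"))]


def build_test_elf(rpath, tag=DT_RPATH):
    """Constructed sample input (hypothetical, not a runnable program): a minimal
    ELF64 image with one PT_LOAD, one PT_DYNAMIC, a DT_NEEDED for a made-up
    libhelper.so.1, and the given DT_RPATH or DT_RUNPATH string."""
    base, ehsize, phentsize, phnum = 0x400000, 64, 56, 2
    dyn_off = ehsize + phentsize * phnum            # dynamic array right after the phdrs
    dyn_entries = 4
    str_off = dyn_off + 16 * dyn_entries            # string table right after the array
    needed = b"libhelper.so.1\0"
    strtab = b"\0" + needed + rpath.encode() + b"\0"
    rpath_idx = 1 + len(needed)
    total = str_off + len(strtab)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9       # ELFCLASS64, little-endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, 0, 0x40, 0, 0,
                       ehsize, phentsize, phnum, 64, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                          base + dyn_off, 16 * dyn_entries, 16 * dyn_entries, 8)
    dyn = (struct.pack("<qQ", DT_STRTAB, base + str_off)
           + struct.pack("<qQ", DT_NEEDED, 1)
           + struct.pack("<qQ", tag, rpath_idx)
           + struct.pack("<qQ", DT_NULL, 0))
    return ehdr + load + dynamic + dyn + strtab


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            found = library_search_paths(f.read())
        for name, entries in found.items():
            bad = insecure_entries(entries)
            verdict = "INSECURE %r" % bad if bad else "ok"
            print("%s: %s=%s %s" % (path, name, ":".join(entries), verdict))
```

DT_RUNPATH differs from DT_RPATH in precedence (it is consulted after
LD_LIBRARY_PATH and does not apply to transitive dependencies), but a relative or
empty element in either one is searched relative to cwd, so the check treats them
alike. A binary whose only search path entries are absolute or $ORIGIN-relative
cannot be hijacked by a library dropped next to the file being scanned.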